390 likes | 654 Vues
Exploits. Dalia Solomon. Categories. Trojan Horse Attacks Smurf Attack Port Scan Buffer Overflow FTP Exploits Ethereal Exploit Worm Virus Password Cracker DNS Spoofing. Trojan Horse attacks.
E N D
Exploits Dalia Solomon
Categories • Trojan Horse Attacks • Smurf Attack • Port Scan • Buffer Overflow • FTP Exploits • Ethereal Exploit • Worm • Virus • Password Cracker • DNS Spoofing
Trojan Horse attacks • A computer becomes vulnerable to this attack when the user downloads and installs a file onto their system. • This opens a port without the knowledge of the user. The open port gives the remote user access to ones computer
Trojan Horse - NetBus • NetBus is a tool that allows a remote user to gain administrative privileges • NetBus consists of two programs a server and a client.
NetBus Server • To infect a computer, NetBus disguises itself as an ICQ executable file that a naive user install on their computer.
NetBus Server • NetBus server – This application will open a backdoor on the target computer. This application can be configured to be either invisible or visible to the user.
NetBus Client • NetBus - This application will connect to a computer that is running NetBus server. It allows the hacker to spy and take control of the infected computer.
Smurf Attack • A Smurf Attack occurs when a packet such as an ICMP echo frame (in this application) is sent to a group of machines. • The packet sent has the source address replaced by the target computer or network IP address. This causes a flurry of echo responses to be sent to the target machine, which can overflow the target computer.
Smurf Attack • Here we are attacking our computer
Port Scan • This program allows the hacker to scan a target computer to detect open ports. • This is primarily used to detect vulnerable applications using certain ports on the target computer.
Buffer Overflow • Buffer Overflow • Most common form of exploits • Occurs when you put more data in the buffer than what it can hold • Occurs if bounds are not checked by program • Purpose of buffer overflow is to execute codes and gain special privileges
FTP Exploits • This exploit shows how it is possible for somebody to get a shell (command prompt) from Serv-U FTP server. • This exploit causes a buffer overflow condition to occur in Serv-U FTP when it parses the MDTM command.
FTP Exploits • The exploit required that the user have login access to a server.
FTP Exploits • This shows how the hacker gains shell access to the target machine.
FTP Exploits • Here is a segment of the code that causes the buffer overflow.
Ethereal Exploit • Vulnerability exist in Ethereal. By sending carefully crafted packets to the sniffed wire or by convincing someone to load a malicious packet capture file into Ethereal a user can overflow a buffer and execute malicious code • The vulnerability exist in the following packets: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP and UCP.
Ethereal - example • Ethereal IGAP message • This exploits a vulnerability in Ethereal when handling IGAP messages • Works on Ethereal 0.10.0 to Ethereal 0.10.2. • Will either crash Ethereal or open a port that allows a user to gain root privileges
Ethereal - example • This code will create a malformed IGAP header that when sent, causes the Ethereal application to crash because of its vulnerability in handling IGAP packets.
Worm • A worm is a program that makes copies of itself and causes major damage to the files, software, and data • Method of replication include • Email • File sharing
Worm - example • W32/Bugbear-A • Is a network worm that spreads by emailing attachments of itself • It creates a thread which attempts to terminate anti-virus and security programs • The worm will log keystrokes and send this information when the user is connected online • The worm will open port 80 on the infected computer
Worm - example http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
Worm - Example • W32/MyDoom-A is a worm which spreads by email. • When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.
Worm – Example (continue…) • Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
Worm – Example (continue…) • the worm will attempt a denial-of-service attack to www.sco.com, sending numerous GET requests to the web server. • Drops a file named shimgapi.dll to the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127. http://www.sophos.com/virusinfo/analyses/w32mydooma.html
Virus • A virus is program that infect operating system and applications. • Replication methods • Application File (Word doc.) • Hard drive or Boot record (boot disk) • Scripts (batch file)
Virus - example • W97M/Marker Virus is a Word macro virus • It collects user information from Word and sends the information through FTP • It adds a log at the end of the virus body for every infected user. • This log contains information for system time, date, users name and address
Virus - example • When you open a document file it will display a message • Depending on the user’s response the user will get one of these messages
Password Cracker • Some applications and web pages are vulnerable to remote password cracker tools. • Application such as HTTP, FTP and telnet that don’t handle login properly and have small size password are vulnerable to brute force password cracker tools.
Password - cracker • Brutus is a remote password cracker tool, on an older Serv-U v 2.5 application it can crack a password by sequentially sending in all possible password combination
DNS spoofing • A DNS attack that involves intercepting and sending a fake DNS response to a user. • This attack forwards the user to a different address than where he wants to be.
DNS spoofing • WinDNSSpoof • spoof DNS packets • http://www.securesphere.net/download/papers/dnsspoof.htm
DNS Exploitation Tool • Zodiac is a robust DNS protocol monitoring and spoofing program • Features: • Captures and decodes DNS packets • DNS local spoofing • DNS ID spoofing, exploiting a weakness within the DNS protocol itself. • Etc… http://teso.scene.at/projects/zodiac/