Exploits

Dalia Solomon
Categories
Trojan Horse Attacks
Smurf Attack
Port Scan
Buffer Overflow
FTP Exploits
Ethereal Exploit
Worm
Virus
Password Cracker
DNS Spoofing
Trojan Horse attacks
A computer becomes vulnerable to this attack when the user downloads and installs a file onto their system.
This opens a port without the knowledge of the user. The open port gives the remote user access to one's computer.
Trojan Horse - NetBus
NetBus is a tool that allows a remote user to gain administrative privileges.
NetBus consists of two programs: a server and a client.
NetBus Server
To infect a computer, NetBus disguises itself as an ICQ executable file that a naive user installs on their computer.
NetBus Server
NetBus server – This application opens a backdoor on the target computer. It can be configured to be either invisible or visible to the user.
NetBus Client
NetBus client - This application connects to a computer that is running the NetBus server. It allows the hacker to spy on and take control of the infected computer.
Smurf Attack
A Smurf Attack occurs when a packet such as an ICMP echo frame (in this application) is sent to a group of machines.
The packet sent has its source address replaced by the IP address of the target computer or network. This causes a flurry of echo responses to be sent to the target machine, which can overwhelm the target computer.
Smurf Attack
Here we are attacking our own computer.
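The reflected-reply pattern described on the Smurf slides is easy to spot on the victim side. This is an added example, not code from the slides: `smurf_suspect` flags a host that receives echo replies from many distinct sources while having sent few or no echo requests, and the two demo functions run it over constructed packet records.

```c
/* Added example, not from the slides: detection logic for the reflected
 * echo pattern a Smurf attack produces.  All packet records below are
 * constructed sample data; addresses are host-order IPv4 integers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
enum { ICMP_ECHO_REPLY = 0, ICMP_ECHO_REQUEST = 8 };
struct icmp_rec { uint32_t src, dst; uint8_t type; };

/* The victim of a Smurf flood receives echo replies from many distinct
 * hosts although it sent few or no echo requests (its address was forged
 * as the source).  Flag `victim` when the distinct repliers reach
 * `threshold` and outnumber the requests it really sent. */
bool smurf_suspect(const struct icmp_rec *recs, size_t n,
                   uint32_t victim, size_t threshold)
{
    uint32_t seen[256];              /* bounded table of distinct repliers */
    size_t nseen = 0, requests = 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].src == victim && recs[i].type == ICMP_ECHO_REQUEST)
            requests++;
        if (recs[i].dst != victim || recs[i].type != ICMP_ECHO_REPLY)
            continue;
        bool dup = false;
        for (size_t j = 0; j < nseen && !dup; j++)
            dup = (seen[j] == recs[i].src);
        if (!dup && nseen < 256)
            seen[nseen++] = recs[i].src;
    }
    return nseen >= threshold && nseen > requests;
}

/* Constructed flood: 40 hosts on 192.168.1.0/24 answer a broadcast ping
 * whose source was forged to 10.0.0.5, which sent nothing itself. */
bool demo_smurf_flood(void)
{
    struct icmp_rec recs[40];
    for (int i = 0; i < 40; i++)
        recs[i] = (struct icmp_rec){ 0xC0A80101u + (uint32_t)i,
                                     0x0A000005u, ICMP_ECHO_REPLY };
    return smurf_suspect(recs, 40, 0x0A000005u, 20);    /* true */
}
/* Constructed normal traffic: 10.0.0.5 pings one host, gets one reply. */
bool demo_normal_ping(void)
{
    struct icmp_rec recs[2] = { { 0x0A000005u, 0xC0A80101u, ICMP_ECHO_REQUEST },
                                { 0xC0A80101u, 0x0A000005u, ICMP_ECHO_REPLY } };
    return smurf_suspect(recs, 2, 0x0A000005u, 20);     /* false */
}
```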
Port Scan
This program allows the hacker to scan a target computer to detect open ports.
It is primarily used to detect vulnerable applications listening on certain ports of the target computer.
Port Scan
Buffer Overflow
Buffer Overflow
• Most common form of exploit
• Occurs when more data is written into a buffer than it can hold
• Occurs if bounds are not checked by the program
• The purpose of a buffer overflow is to execute code and gain special privileges
Buffer Overflow
FTP Exploits
This exploit shows how it is possible for somebody to get a shell (command prompt) from the Serv-U FTP server.
The exploit causes a buffer overflow condition in Serv-U FTP when it parses the MDTM command.
FTP Exploits
The exploit requires that the user have login access to the server.
FTP Exploits
This shows how the hacker gains shell access to the target machine.
FTP Exploits
FTP Exploits
Here is a segment of the code that causes the buffer overflow.
Ethereal Exploit
A vulnerability exists in Ethereal. By sending carefully crafted packets onto the sniffed wire, or by convincing someone to load a malicious packet capture file into Ethereal, a user can overflow a buffer and execute malicious code.
• The vulnerability exists in the handling of the following packet types: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP and UCP.
Ethereal - example
Ethereal IGAP message
• This exploits a vulnerability in Ethereal when handling IGAP messages
• Works on Ethereal 0.10.0 to Ethereal 0.10.2
• Will either crash Ethereal or open a port that allows a user to gain root privileges
Ethereal - example
This code creates a malformed IGAP header that, when sent, causes the Ethereal application to crash because of its vulnerability in handling IGAP packets.
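The Buffer Overflow, Serv-U MDTM and Ethereal IGAP slides all describe the same defect: data copied into a fixed buffer without checking its size. The added example below is not Serv-U or Ethereal code; it shows the two checks that prevent that class, one for a long command argument and one for a length field taken from a packet. Buffer sizes, the TLV layout and the sample inputs are constructed for illustration.

```c
/* Added example (not Serv-U or Ethereal code): the two bounds checks whose
 * absence produces the overflow class on the slides.  Sizes, names and
 * sample inputs are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CMD_ARG_MAX 64   /* fixed-size buffer for one command argument */

/* Copy the argument of a line such as "MDTM <filename>" into dst, which
 * must hold CMD_ARG_MAX bytes.  Returns 0 on success, -1 when there is no
 * argument or it would not fit.  An unchecked strcpy() here is the bug
 * pattern behind the Serv-U MDTM slide. */
int copy_command_arg(char *dst, const char *line)
{
    const char *arg = strchr(line, ' ');
    if (arg == NULL)
        return -1;
    size_t len = strlen(++arg);
    if (len >= CMD_ARG_MAX)          /* keep one byte for the NUL */
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Constructed TLV-style header: type byte, payload-length byte, payload.
 * The length byte comes off the wire, so it is checked against the bytes
 * actually received and against the destination size before the copy,
 * which is the check a packet dissector needs.  Returns the payload
 * length copied, or -1 for a malformed packet. */
int parse_tlv_payload(const uint8_t *pkt, size_t pkt_len,
                      uint8_t *out, size_t out_len)
{
    if (pkt_len < 2)
        return -1;
    size_t claimed = pkt[1];
    if (claimed > pkt_len - 2 || claimed > out_len)
        return -1;
    memcpy(out, pkt + 2, claimed);
    return (int)claimed;
}

/* Constructed input: an MDTM line carrying a 150-byte argument. */
int demo_long_mdtm_rejected(void)
{
    char buf[CMD_ARG_MAX], line[160] = "MDTM ";
    memset(line + 5, 'A', 150);
    line[155] = '\0';
    return copy_command_arg(buf, line);   /* -1 */
}
```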
Worm
A worm is a program that makes copies of itself and causes major damage to files, software, and data.
Methods of replication include:
• Email
• File sharing
Worm - example
W32/Bugbear-A
• Is a network worm that spreads by emailing attachments of itself
• It creates a thread which attempts to terminate anti-virus and security programs
• The worm logs keystrokes and sends this information when the user is connected online
• The worm opens port 80 on the infected computer
Worm - example
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
Worm - Example
W32/MyDoom-A is a worm which spreads by email.
When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.
Worm – Example (continued)
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
Worm – Example (continued)
The worm will attempt a denial-of-service attack against www.sco.com, sending numerous GET requests to the web server.
It drops a file named shimgapi.dll into the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127.

http://www.sophos.com/virusinfo/analyses/w32mydooma.html
Virus
A virus is a program that infects operating systems and applications.
Replication methods:
• Application files (Word documents)
• Hard drive or boot record (boot disk)
• Scripts (batch files)
Virus - example
W97M/Marker is a Word macro virus.
It collects user information from Word and sends the information out through FTP.
It adds a log entry at the end of the virus body for every infected user.
• This log contains the system time, date, and the user's name and address
Virus - example
When you open a document file it will display a message.
Depending on the user's response, the user will get one of these messages.
Password Cracker
Some applications and web pages are vulnerable to remote password cracker tools.
Applications such as HTTP, FTP and telnet servers that don't handle logins properly and accept short passwords are vulnerable to brute-force password cracker tools.
Password - cracker
Brutus is a remote password cracker tool; against an older Serv-U v2.5 application it can crack a password by sequentially sending in all possible password combinations.
Password - cracker
DNS spoofing
A DNS attack that involves intercepting a DNS query and sending a fake DNS response to the user.
This attack forwards the user to a different address than the one he wants to reach.
DNS spoofing
WinDNSSpoof
• spoofs DNS packets
• http://www.securesphere.net/download/papers/dnsspoof.htm
DNS Exploitation Tool
Zodiac is a robust DNS protocol monitoring and spoofing program.
Features:
• Captures and decodes DNS packets
• DNS local spoofing
• DNS ID spoofing, exploiting a weakness within the DNS protocol itself
• Etc.

http://teso.scene.at/projects/zodiac/
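The "DNS ID spoofing" weakness on the DNS slides is that a resolver which accepts any reply carrying the right 16-bit transaction ID can be fed a forged answer. The added example below is not from the slides or from Zodiac; it shows the resolver-side acceptance check that ties a reply to the outstanding query by ID, randomized source port, server address and question. The structs and sample values are constructed for illustration.

```c
/* Added example, not from the slides or the Zodiac project: the checks a
 * stub resolver applies to an incoming answer so that a forged reply is
 * not accepted.  Structs and values are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

struct pending_query {         /* what we sent and are waiting on */
    uint16_t txid, src_port;   /* 16-bit transaction ID, UDP source port */
    uint32_t server;           /* resolver address we asked (host order) */
    char     qname[64];        /* question we asked */
};
struct dns_reply {             /* what just arrived */
    uint16_t txid, dst_port;   /* ID in the reply, port it arrived on */
    uint32_t from;             /* address the reply came from */
    char     qname[64];        /* question section echoed in the reply */
};

/* A reply is accepted only if every field matches the outstanding query.
 * Matching the ID alone is the weakness the slide refers to: 16 bits are
 * guessable or observable.  Also requiring the randomized source port,
 * the expected server and the same question makes a forgery much harder. */
bool reply_matches_query(const struct pending_query *q,
                         const struct dns_reply *r)
{
    return r->txid == q->txid
        && r->dst_port == q->src_port
        && r->from == q->server
        && strcmp(r->qname, q->qname) == 0;
}

/* Constructed scenario: the genuine answer from the server we asked. */
bool demo_genuine_reply(void)
{
    struct pending_query q = { 0x1a2b, 53211, 0x0A000001u, "www.example.com" };
    struct dns_reply r = { 0x1a2b, 53211, 0x0A000001u, "www.example.com" };
    return reply_matches_query(&q, &r);             /* true */
}

/* Constructed scenario: a reply with the correct ID but arriving on the
 * default port 53 rather than our random source port, from another host. */
bool demo_forged_reply(void)
{
    struct pending_query q = { 0x1a2b, 53211, 0x0A000001u, "www.example.com" };
    struct dns_reply r = { 0x1a2b, 53, 0xC0A80132u, "www.example.com" };
    return reply_matches_query(&q, &r);             /* false */
}
```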
Questions?

								