Categories: Trojan Horse Attacks, Smurf Attack, Port Scan, Buffer Overflow, FTP Exploits, Ethereal Exploit, Worm, Virus, Password Cracker, DNS Spoofing
Trojan Horse attacks
A computer becomes vulnerable to this attack when the user downloads and installs a file that carries the Trojan onto their system.
The Trojan opens a listening port without the knowledge of the user. That open port gives a remote user access to the computer.
Trojan Horse - NetBus
NetBus is a tool that allows a remote user to gain administrative privileges on the infected computer.
NetBus consists of two programs: a server and a client.
NetBus Server
To infect a computer, NetBus disguises itself as an ICQ executable file that a naive user installs on their computer.
NetBus Server
NetBus server - This application opens a backdoor on the target computer. It can be configured to be either invisible or visible to the user.
NetBus Client
NetBus - This application connects to a computer that is running the NetBus server. It allows the hacker to spy on and take control of the infected computer.
Smurf Attack
A Smurf attack occurs when a packet, an ICMP echo request in this case, is sent to the broadcast address of a network, so that every host on that network receives it.
The packet's source address is replaced by the IP address of the target computer or network. Every host that received the request answers it, which causes a flurry of echo replies to be sent to the target machine; the flood can overwhelm the target computer and its network link.
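The two halves of the attack described above, as an added example that is not code from the original slides: the attacker's side writes the victim's address into the IPv4 source field of an ICMP echo request addressed to a directed broadcast, and the defender's side is the check a router or host applies to drop such packets (the `no ip directed-broadcast` router setting and `net.ipv4.icmp_echo_ignore_broadcasts=1` on Linux hosts do exactly this). The addresses and payload are constructed; nothing is sent on the wire.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 Internet checksum, used by both the IPv4 header and ICMP. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len)                          /* odd trailing byte is padded with zero */
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)                 /* fold the carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Build an IPv4 + ICMP echo request into out[] (needs 28 + plen bytes).
 * src is the address the replies should go to (the victim, i.e. the spoof),
 * dst is the directed-broadcast address of the amplifier network.
 * Returns the total packet length.
 */
size_t build_spoofed_echo(uint8_t *out, const uint8_t src[4], const uint8_t dst[4],
                          uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    uint8_t *ip = out, *icmp = out + 20;
    size_t icmp_len = 8 + plen, total = 20 + icmp_len;
    uint16_t c;

    /* ICMP: type 8 (echo request), code 0, checksum, identifier, sequence, data */
    memset(icmp, 0, 8);
    icmp[0] = 8;
    icmp[4] = (uint8_t)(id >> 8);  icmp[5] = (uint8_t)id;
    icmp[6] = (uint8_t)(seq >> 8); icmp[7] = (uint8_t)seq;
    memcpy(icmp + 8, payload, plen);
    c = inet_checksum(icmp, icmp_len);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;

    /* IPv4 header without options */
    memset(ip, 0, 20);
    ip[0] = 0x45;                                   /* version 4, IHL 5 words */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64;                                     /* TTL */
    ip[9] = 1;                                      /* protocol: ICMP */
    memcpy(ip + 12, src, 4);                        /* spoofed source = victim */
    memcpy(ip + 16, dst, 4);                        /* destination = broadcast */
    c = inet_checksum(ip, 20);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
    return total;
}

/*
 * Defender-side filter: is this an ICMP echo request whose destination is the
 * directed broadcast of the prefix described by mask (all host bits set)?
 * A router drops such packets; a host ignores them instead of replying.
 */
int is_echo_to_directed_broadcast(const uint8_t *pkt, size_t len, const uint8_t mask[4])
{
    size_t ihl;
    if (len < 28 || (pkt[0] >> 4) != 4 || pkt[9] != 1)
        return 0;                                   /* not IPv4 / not ICMP */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (len < ihl + 8 || pkt[ihl] != 8)
        return 0;                                   /* not an echo request */
    for (int i = 0; i < 4; i++)
        if ((pkt[16 + i] | mask[i]) != 0xff)
            return 0;                               /* a host bit is clear: unicast */
    return 1;
}

/* Replies the victim receives: one from every live host on the segment, per request. */
unsigned amplification(unsigned live_hosts, unsigned requests_sent)
{
    return live_hosts * requests_sent;
}
```

The amplification function is the whole reason the attack worked: one 64-byte request to a /24 with 200 live hosts comes back to the victim as 200 replies, so the attacker's bandwidth is multiplied by the size of the amplifier network, and the victim sees only the amplifier hosts' addresses, never the attacker's.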
Port Scan
This program allows the hacker to scan a target computer to detect open ports.
It is primarily used to detect vulnerable applications listening on certain ports of the target computer, so that a matching exploit can be chosen.
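Seen from the target's side, a scan of the kind described above is a single source touching many distinct destination ports in a short time. The following added example (not code from the slides or from any scanner) runs that detection rule over a few constructed firewall log lines; the `t=... src=... dst=... dport=...` line format is an assumption made for the example, not any real firewall's format.

```c
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 64

struct event { long t; char src[16]; int dport; };

/* Parse one constructed log line (format assumed for this example). */
int parse_line(const char *line, struct event *e)
{
    return sscanf(line, "t=%ld src=%15s dst=%*s dport=%d",
                  &e->t, e->src, &e->dport) == 3;
}

/*
 * Largest number of distinct destination ports that `src` touched inside any
 * `window`-second interval. Events need not be sorted; O(n^2) is fine here.
 */
int distinct_ports_in_window(const struct event *ev, int n, const char *src, long window)
{
    int best = 0;
    for (int i = 0; i < n; i++) {
        int ports[MAX_EVENTS], np = 0;
        if (strcmp(ev[i].src, src) != 0) continue;
        for (int j = 0; j < n; j++) {          /* events in [t_i, t_i + window] */
            int seen = 0;
            if (strcmp(ev[j].src, src) != 0) continue;
            if (ev[j].t < ev[i].t || ev[j].t - ev[i].t > window) continue;
            for (int k = 0; k < np; k++)
                if (ports[k] == ev[j].dport) { seen = 1; break; }
            if (!seen) ports[np++] = ev[j].dport;
        }
        if (np > best) best = np;
    }
    return best;
}

/* Flag a source that hit at least `threshold` distinct ports within `window` seconds. */
int is_port_scan(const struct event *ev, int n, const char *src, long window, int threshold)
{
    return distinct_ports_in_window(ev, n, src, window) >= threshold;
}

/* Constructed sample: 10.0.0.5 sweeps well-known ports in four seconds,
   10.0.0.9 is an ordinary client talking to a few services over time. */
static const char *SAMPLE_LOG[] = {
    "t=100 src=10.0.0.5 dst=192.0.2.7 dport=21",
    "t=100 src=10.0.0.5 dst=192.0.2.7 dport=22",
    "t=101 src=10.0.0.5 dst=192.0.2.7 dport=23",
    "t=101 src=10.0.0.5 dst=192.0.2.7 dport=25",
    "t=102 src=10.0.0.5 dst=192.0.2.7 dport=80",
    "t=102 src=10.0.0.5 dst=192.0.2.7 dport=110",
    "t=103 src=10.0.0.5 dst=192.0.2.7 dport=139",
    "t=103 src=10.0.0.5 dst=192.0.2.7 dport=443",
    "t=100 src=10.0.0.9 dst=192.0.2.7 dport=80",
    "t=130 src=10.0.0.9 dst=192.0.2.7 dport=80",
    "t=131 src=10.0.0.9 dst=192.0.2.7 dport=443",
    "t=900 src=10.0.0.9 dst=192.0.2.7 dport=21",
};

/* Load the constructed sample into ev[]; returns the number of parsed events. */
int load_sample(struct event *ev, int max)
{
    int n = 0, total = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
    for (int i = 0; i < total && n < max; i++)
        if (parse_line(SAMPLE_LOG[i], &ev[n])) n++;
    return n;
}
```

With a 10-second window and a threshold of 5 ports the sweeping host is flagged and the normal client is not; a slow scanner defeats this rule by spreading probes over hours, which is why production detectors also track per-source counts over long windows.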
Buffer Overflow
• Most common form of exploit
• Occurs when a program puts more data into a buffer than the buffer can hold
• Happens when the program does not check bounds before copying
• The purpose of a buffer overflow exploit is to execute code of the attacker's choosing and gain special privileges
FTP Exploits
This exploit shows how it is possible for somebody to get a shell (command prompt) from the Serv-U FTP server.
The exploit causes a buffer overflow condition in Serv-U FTP when it parses the MDTM command.
FTP Exploits
The exploit requires that the user have login access to the server.
FTP Exploits
This shows how the hacker gains shell access to the target machine.
FTP Exploits
Here is a segment of the code that causes the buffer overflow.
Ethereal Exploit
Vulnerabilities exist in Ethereal. By sending carefully crafted packets onto the sniffed wire, or by convincing someone to load a malicious packet capture file into Ethereal, an attacker can overflow a buffer and execute malicious code.
• The vulnerabilities exist in the dissectors for the following protocols: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP and UCP.
Ethereal - example
Ethereal IGAP message
• This exploits a vulnerability in Ethereal when handling IGAP messages
• Works on Ethereal 0.10.0 to Ethereal 0.10.2
• Will either crash Ethereal or open a port that allows a user to gain root privileges (Ethereal is usually run as root in order to capture packets, so code injected into it runs as root)
Ethereal - example
This code creates a malformed IGAP header that, when sent, causes the Ethereal application to crash because of its vulnerability in handling IGAP packets.
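The Serv-U MDTM bug and the Ethereal IGAP bug above are the same defect as the Buffer Overflow slide describes: a field whose length the sender controls is copied into a fixed-size buffer with no comparison against that buffer's size. The following added example (not the exploit code from the slides, nor code from Serv-U or Ethereal) shows the pattern in miniature. The `struct session` layout, the `[length][bytes]` packet format and the privilege flag are assumptions made for the example; the point they demonstrate is the slide's last bullet, that overflowing the buffer lets the attacker change something next to it, here a flag that grants privileges.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * A record laid out the way a careless C program might lay it out: a
 * fixed-size text field followed immediately by a privilege flag.
 * (Assumed layout for this example.)
 */
struct session {
    char user[16];      /* the overflow target */
    int  is_admin;      /* sits right after user[] in memory */
};

/*
 * VULNERABLE: the field is copied verbatim. The only bound on field_len is
 * whatever the sender put in the packet (or typed after the command).
 */
void set_user_unchecked(struct session *s, const uint8_t *field, size_t field_len)
{
    memcpy(s->user, field, field_len);        /* never compared with sizeof user */
}

/* HARDENED: refuse anything that does not fit, then always NUL-terminate. */
int set_user_checked(struct session *s, const uint8_t *field, size_t field_len)
{
    if (field_len >= sizeof s->user)
        return -1;                             /* reject rather than truncate silently */
    memcpy(s->user, field, field_len);
    s->user[field_len] = '\0';
    return 0;
}

/*
 * Parse a constructed packet of the form [len][name bytes...], as a binary
 * protocol header (IGAP-style) would carry it. Returns -1 when the packet is
 * shorter than the length it claims: trusting a length byte without checking
 * it against the bytes actually received is the other half of this bug class.
 * `checked` selects which copy routine is used.
 */
int parse_name_field(const uint8_t *pkt, size_t pktlen, struct session *s, int checked)
{
    size_t n;
    if (pktlen < 1) return -1;
    n = pkt[0];
    if (n > pktlen - 1) return -1;            /* claimed length exceeds data present */
    if (checked)
        return set_user_checked(s, pkt + 1, n);
    set_user_unchecked(s, pkt + 1, n);
    return 0;
}

/* Read the flag through a volatile pointer so an optimising compiler re-reads
   memory instead of assuming the memcpy into user[] could not have touched it. */
int session_is_admin(const struct session *s)
{
    return *(const volatile int *)&s->is_admin;
}
```

A 19-byte name accepted by the unchecked path overwrites three bytes of `is_admin`, which is enough to make it non-zero; in a real server the bytes beyond the buffer are a saved return address rather than a flag, and the overwrite redirects execution into attacker-supplied code, which is how the MDTM and IGAP exploits end up with a shell. The checked path returns -1 for the same input and leaves the flag alone.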
Worm
A worm is a program that makes copies of itself and can cause major damage to files, software and data.
Methods of replication include
• Email
• File sharing
Worm - example
W32/Bugbear-A
• Is a network worm that spreads by emailing attachments of itself
• It creates a thread which attempts to terminate anti-virus and security programs
• The worm logs keystrokes and sends this information when the user is connected online
• The worm opens port 80 on the infected computer
Worm - Example
W32/MyDoom-A is a worm which spreads by email.
When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.
Worm - Example (continued)
Attached files have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
Worm - Example (continued)
The worm attempts a denial-of-service attack against www.sco.com, sending numerous GET requests to the web server.
It drops a file named shimgapi.dll into the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127.
http://www.sophos.com/virusinfo/analyses/w32mydooma.html
Virus
A virus is a program that infects the operating system and applications by attaching itself to a host file or boot sector, and spreads when that host is run or opened.
Replication methods
• Application file (Word document)
• Hard drive or boot record (boot disk)
• Scripts (batch file)
Virus - example
W97M/Marker is a Word macro virus
It collects user information from Word and sends the information out through FTP
It adds a log entry at the end of the virus body for every infected user.
• This log contains the system time, date, and the user's name and address
Virus - example
When you open a document file it displays a message.
Depending on the user's response, the user will get one of these messages.
Password Cracker
Some applications and web pages are vulnerable to remote password cracker tools.
Applications such as HTTP, FTP and telnet servers that don't handle login attempts properly (no lockout, no delay between failures) and accept short passwords are vulnerable to brute-force password cracker tools.
Password - cracker
Brutus is a remote password cracker tool; against an older Serv-U v2.5 application it can crack a password by sequentially sending in all possible password combinations.
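The enumeration Brutus performs, and the server-side property that makes it succeed, as an added example (not Brutus's code, and not Serv-U's login routine): every string over a character set is generated in odometer order and submitted to a stand-in login check. The `account` structure with its `lockout` count is an assumption made for the example; `lockout = 0` models the slide's vulnerable server, which never refuses further attempts.

```c
#include <stddef.h>
#include <string.h>

/* Number of candidate passwords of length 1..max_len over a charset of size c. */
unsigned long long keyspace(unsigned long long c, unsigned max_len)
{
    unsigned long long total = 0, pow = 1;
    for (unsigned l = 1; l <= max_len; l++) { pow *= c; total += pow; }
    return total;
}

/* Stand-in for a server's login check (assumed for this example).
   lockout = number of failures after which the account is refused; 0 = never. */
struct account { const char *password; unsigned failures; unsigned lockout; };

enum login_result { LOGIN_OK, LOGIN_FAIL, LOGIN_LOCKED };

enum login_result try_login(struct account *a, const char *guess)
{
    if (a->lockout && a->failures >= a->lockout) return LOGIN_LOCKED;
    if (strcmp(a->password, guess) == 0) return LOGIN_OK;
    a->failures++;
    return LOGIN_FAIL;
}

/*
 * Enumerate every string over `charset` of length 1..max_len ("a", "b", ...,
 * "aa", "ab", ...) and submit each one. Returns 1 if the password was found
 * (copied into found, which must hold 17 bytes), 0 if the keyspace was
 * exhausted or the account locked. *attempts receives the number of guesses.
 */
int brute_force(struct account *a, const char *charset, unsigned max_len,
                char *found, size_t found_size, unsigned long long *attempts)
{
    size_t c = strlen(charset);
    unsigned idx[16];                          /* one digit per position */
    char guess[17];
    *attempts = 0;
    if (max_len == 0 || max_len > 16 || c == 0 || found_size < sizeof guess) return 0;

    for (unsigned len = 1; len <= max_len; len++) {
        memset(idx, 0, sizeof idx);
        for (;;) {
            int pos;
            enum login_result r;
            for (unsigned i = 0; i < len; i++) guess[i] = charset[idx[i]];
            guess[len] = '\0';
            (*attempts)++;
            r = try_login(a, guess);
            if (r == LOGIN_OK) { memcpy(found, guess, len + 1); return 1; }
            if (r == LOGIN_LOCKED) return 0;
            /* advance the odometer, rightmost position first */
            pos = (int)len - 1;
            while (pos >= 0 && ++idx[pos] == c) { idx[pos] = 0; pos--; }
            if (pos < 0) break;                /* every string of this length tried */
        }
    }
    return 0;
}
```

Two things fall out of running it: a two-letter lowercase password falls within 702 attempts, which is seconds even at one guess per network round trip, while the same search against an account that locks after five failures stops at the sixth attempt. Lockout, delays between failures and minimum password length are what turn an "all possible combinations" attack from minutes into centuries.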
DNS spoofing
A DNS attack that involves intercepting a user's DNS query and sending a fake DNS response to the user before the real server's answer arrives.
This attack forwards the user to a different address than the one he wants to reach.
DNS spoofing
WinDNSSpoof
• spoofs DNS packets
• http://www.securesphere.net/download/papers/dnsspoof.htm
DNS Exploitation Tool
Zodiac is a robust DNS protocol monitoring and spoofing program
Features:
• Captures and decodes DNS packets
• DNS local spoofing
• DNS ID spoofing, exploiting a weakness within the DNS protocol itself: a resolver matches a response to its query only by the 16-bit transaction ID (plus the UDP port it asked from), so whoever delivers a packet with the right ID first is believed
• Etc...
http://teso.scene.at/projects/zodiac/http://teso.scene.at/projects/zodiac/
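The exchange behind "DNS ID spoofing" as an added example (not Zodiac's or WinDNSSpoof's code): a stub resolver builds a query, an attacker who saw or guessed the transaction ID forges a response carrying an address of their choosing, and the resolver-side acceptance check of the period (ID matches, QR bit set, question section echoed) lets it through. The query name, the chosen address and the `resolver_accepts` check are assumptions made for the example; real resolvers also compare the UDP source port, and since the 2008 Kaminsky work randomise it, which is why the final function's 1-in-65536 per-packet odds no longer describe modern resolvers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Encode "www.example.com" as DNS labels: 3www7example3com0. Returns bytes written, 0 on error. */
size_t encode_name(const char *name, uint8_t *out, size_t outlen)
{
    size_t o = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        if (l == 0 || l > 63 || o + 1 + l + 1 > outlen) return 0;
        out[o++] = (uint8_t)l;
        memcpy(out + o, name, l);
        o += l;
        name += l + (dot ? 1 : 0);
    }
    if (o + 1 > outlen) return 0;
    out[o++] = 0;                                    /* root label terminates the name */
    return o;
}

/* Stub resolver side: header (ID, RD set, QDCOUNT=1) + question for an A record. */
size_t build_query(uint8_t *out, size_t outlen, uint16_t id, const char *name)
{
    size_t n;
    uint8_t *q;
    if (outlen < 12) return 0;
    memset(out, 0, 12);
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id;
    out[2] = 0x01;                                   /* RD: recursion desired */
    out[5] = 1;                                      /* QDCOUNT = 1 */
    n = encode_name(name, out + 12, outlen - 12);
    if (n == 0 || 12 + n + 4 > outlen) return 0;
    q = out + 12 + n;
    q[0] = 0; q[1] = 1;                              /* QTYPE A */
    q[2] = 0; q[3] = 1;                              /* QCLASS IN */
    return 12 + n + 4;
}

/* Attacker side: same ID and question, QR bit set, one A record pointing at addr. */
size_t build_forged_response(uint8_t *out, size_t outlen, uint16_t id,
                             const char *name, const uint8_t addr[4])
{
    size_t n = build_query(out, outlen, id, name);
    uint8_t *a;
    if (n == 0 || n + 16 > outlen) return 0;
    out[2] = 0x81; out[3] = 0x80;                    /* QR=1, RD, RA, no error */
    out[7] = 1;                                      /* ANCOUNT = 1 */
    a = out + n;
    a[0] = 0xc0; a[1] = 0x0c;                        /* name: pointer to offset 12 */
    a[2] = 0; a[3] = 1; a[4] = 0; a[5] = 1;          /* type A, class IN */
    a[6] = 0; a[7] = 0; a[8] = 0; a[9] = 60;         /* TTL 60 s */
    a[10] = 0; a[11] = 4;                            /* RDLENGTH */
    memcpy(a + 12, addr, 4);
    return n + 16;
}

/*
 * What an old stub resolver checked before believing an answer: the 16-bit ID
 * matches, the packet is a response, and the question section is echoed.
 * Nothing in the packet proves who sent it; that is the weakness exploited.
 */
int resolver_accepts(const uint8_t *query, size_t qlen, const uint8_t *resp, size_t rlen)
{
    if (qlen < 12 || rlen < qlen) return 0;
    if (query[0] != resp[0] || query[1] != resp[1]) return 0;   /* transaction ID */
    if (!(resp[2] & 0x80)) return 0;                            /* QR bit */
    return memcmp(query + 12, resp + 12, qlen - 12) == 0;       /* same question */
}

/* Pull the A record address out of the forged layout above (it sits at qlen + 12). */
int answer_address(const uint8_t *resp, size_t rlen, size_t qlen, uint8_t addr[4])
{
    if (rlen < qlen + 16) return 0;
    memcpy(addr, resp + qlen + 12, 4);
    return 1;
}

/* Blind attacker (cannot see the query): chance that one of k distinct ID guesses hits. */
double spoof_success_probability(unsigned forged_packets)
{
    if (forged_packets >= 65536) return 1.0;
    return forged_packets / 65536.0;
}
```

"Local spoofing" in Zodiac's feature list is the easy case, where the attacker sniffs the query on the same segment and so knows the ID; "ID spoofing" is the blind case handled by the last function, where predictable ID generation in the resolver collapses the 65536 guesses to a handful.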