The Five Most Popular Attacks on the Internet
Peter Mell, 1-7-98
National Institute of Standards and Technology
Computer Security Division
Outline
Sources of attacks and vulnerability information
Details on the most frequently requested attacks
Statistics on attacks available on the Internet
Web Site Resources
Vulnerability Advisories: CERT, http://www.cert.org; L0pht, http://www.l0pht.com/
Vulnerability Information: Bugtraq, http://geek-girl.com/bugtraq; NTBugtraq, http://www.ntbugtraq.com
Attack Scripts: Rootshell, http://www.rootshell.com; Fyodor's Playhouse, http://www.insecure.org
We are Measuring the Popularity of Attacks
Rootshell makes available a CGI script that reveals the last 50 search requests made on its database of 700+ attack scripts
We created a Perl script that harvests these search requests each hour
Approximately 170,000 queries are made each month (our current sample size is 20% of the total number: 33,000 queries)
The Top 18 Search Requests (12-98)
1. linux 2.3% 10. 1.2%
2. windows nt 2.3% 11. solaris 1.1%
3. windows 1.5% 12. redhat 1.0%
4. icq 1.4% 13. windows 98 0.9%
5. sendmail 1.4% 14. netbus 0.8%
6. back orifice 1.4% 15. nuke 0.8%
7. smurf 1.3% 16. scanner 0.8%
8. teardrop 1.3% 17. freebsd 0.8%
9. imap 1.3% 18. irix 0.7%
Search Requests on OSs
The operating-system entries from the top-18 table above:
1. linux 2.3%
2. windows nt 2.3%
3. windows 1.5%
11. solaris 1.1%
12. redhat 1.0%
13. windows 98 0.9%
17. freebsd 0.8%
18. irix 0.7%
Search Requests on Applications
The application entries from the top-18 table above:
4. icq 1.4%
5. sendmail 1.4%
9. imap 1.3%
Attacks on Applications
ICQ: 6 exploits in the last year. Spoof any ICQ user id and send people files that get stored anywhere
Sendmail: 11 exploits in the last year. Local get root, DoS, remote control
imap: 8 exploits in the last year. Scanners and remote get-root attacks
Manuals on performing buffer overflow attacks:
http://www.insecure.org/stf/smashstack.txt
http://www.l0pht.com/advisories/bufero.html
Search Requests on Attacks
The attack and attack-tool entries from the top-18 table above:
6. back orifice 1.4%
7. smurf 1.3%
8. teardrop 1.3%
14. netbus 0.8%
15. nuke 0.8%
16. scanner 0.8%
Back Orifice: What Microsoft Says
“Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk…”
http://www.wired.com/news/news/technology/story/16310.html
According to Wired (1998-Nov-17), 79% of Australian ISPs are "infected" with Back Orifice.
Back Orifice
Author: Cult of the Dead Cow http://www.cultdeadcow.com
Publish Date: Released in August 1998 at the annual hacker DEF CON convention
Summary: Remotely control Windows 95 hosts
Transmission Method: Web site downloads, e-mailing free apps, piggybacking with “ordinary” remote exploits
Back Orifice Applications
File System Control: Add/delete any file
Process Control: Run/kill any process
Registry Control: List, create, delete, and set registry keys and values
Network Control: View all exported resources and their passwords. View and kill connections.
Multimedia Control: Keystroke monitor. Take screen shots. Control host cameras.
Packet Redirection: Redirect local ports to remote ports
Packet Sniffer: Views any network packet
Plug-in Interface: Much like Netscape plug-ins
Other Back Orifice Features
Other Features: Encrypted connections; Autonomous mode
Plug-Ins:
Butt Trumpet: Penetration notification via e-mail
Saran Wrap: Easily bundle BO with legitimate software
Speakeasy: Broadcast a penetration to an IRC channel
Netbus
Similar to Back Orifice except that anyone can log into a Netbus server
Start optional application. Download/upload/delete files. Send keystrokes and disable keys. Record sounds from the microphone.
Go to an optional URL. Control mouse. Shut down Windows. Listen to keystrokes. Take a screendump.
Teardrop
Reboots or halts Windows 95, NT and Linux using 2 fragmented packets
[Diagram: four ways a second fragment P2 can overlap a first fragment P1. As drawn, a = bytes covered only by P1, b = bytes claimed by both fragments, c = bytes covered only by P2.]
Case 1 (a a a a a a b b c c c): P1 Offset=0, P1 End=N; P2 Offset<N, P2 End=N+M
Case 2 (a a a a a a c c c): P1 Offset=0, P1 End=N; P2 Offset=N, P2 End=N+M
Case 3 (a a a a a a b): P1 Offset=0, P1 End=N; P2 Offset<N, P2 End<N
Case 4 (a a a a a a): P1 Offset=0, P1 End=N; P2 Offset=N, P2 End<N
Published before 11/14/97
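As an added example that is not part of the slides, the check a hardened IP reassembler makes before copying a second fragment, run over the four overlap cases drawn above; N = 24 and M = 8 are constructed values and all names are the example's own.

```c
#include <stdint.h>

/* A fragment's byte range inside the reassembled datagram: [offset, end),
 * with end = offset + payload length. All values below are constructed. */
typedef struct { uint32_t offset; uint32_t end; } frag_t;

/* COPY: part of p2 lies beyond p1. DISCARD: p2 lies entirely inside p1, so
 * nothing new to copy. MALFORMED: p2 ends before it starts; reject it. */
enum frag_verdict { FRAG_COPY, FRAG_DISCARD, FRAG_MALFORMED };

typedef struct {
    enum frag_verdict verdict;
    uint32_t copy_from;   /* first byte of p2 to copy, after trimming */
    uint32_t copy_len;    /* bytes to copy; never derived from a negative */
} trim_result_t;

/* Decide how much of p2 to copy once p1 (starting at offset 0) is in place.
 * A reassembler trims p2's start up to p1's end and must then re-derive the
 * length from the trimmed start and range-check it: in the slide's third case
 * (P2 Offset<N, End<N) the naive "end - trimmed start" is negative, and handing
 * that to a copy routine that takes an unsigned size is the Teardrop crash. */
trim_result_t trim_fragment(frag_t p1, frag_t p2)
{
    trim_result_t r = { FRAG_DISCARD, 0, 0 };
    if (p2.end < p2.offset) {           /* fourth case: End < Offset */
        r.verdict = FRAG_MALFORMED;
        return r;
    }
    uint32_t start = p2.offset;
    if (start < p1.end)                 /* overlaps p1: skip the overlap */
        start = p1.end;
    if (p2.end <= start)                /* third case: nothing beyond p1 */
        return r;                       /* FRAG_DISCARD with copy_len 0 */
    r.verdict   = FRAG_COPY;
    r.copy_from = start;
    r.copy_len  = p2.end - start;       /* safe: p2.end > start here */
    return r;
}

/* The slide's four cases with N = 24, M = 8 (constructed); returns how many a
 * hardened reassembler discards or rejects instead of copying. */
int count_unsafe_cases(void)
{
    frag_t p1 = { 0, 24 };
    frag_t p2[4] = { {16, 32}, {24, 32}, {16, 20}, {24, 20} };  /* cases 1-4 */
    int unsafe = 0;
    for (int i = 0; i < 4; i++)
        if (trim_fragment(p1, p2[i]).verdict != FRAG_COPY) unsafe++;
    return unsafe;
}
```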
Smurf
Smurf freezes a target by sending it large numbers of ICMP ping packets
Attacker is not traceable, since the ping packets carry the target's address as their source
Each of the attacker's ping packets is amplified into hundreds of packets
[Diagram: Attacker -> Network that responds to broadcast pings -> Target]
Ping packets: Source: Target; Destination: Broadcast address
Target receives hundreds of packets for each of the attacker's packets
Published before 10/13/97
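As an added example, not from the slides, the filter a border router or sensor applies to the traffic this slide describes: echo requests arriving from outside a subnet but addressed to its broadcast address. The subnet, addresses and packet list are constructed, and all names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* What a border router's filter sees of an IPv4 packet. Addresses are host-order
 * uint32 values built with IP4(); every packet below is constructed sample data. */
typedef struct { uint32_t src, dst; uint8_t proto, icmp_type; } pkt_t;
typedef struct { uint32_t net, mask; } subnet_t;

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
enum { PROTO_ICMP = 1, ICMP_ECHO_REQUEST = 8 };

static uint32_t broadcast_of(subnet_t s) { return (s.net & s.mask) | ~s.mask; }

/* The precondition for serving as a Smurf amplifier: an ICMP echo request that
 * arrives from outside the subnet yet is addressed to the subnet's broadcast
 * address. Its source is the spoofed target, so every host that answers the
 * broadcast replies there. Dropping such packets at the router (not forwarding
 * directed broadcasts) removes the amplifier while leaving ordinary pings alone. */
bool is_directed_broadcast_ping(pkt_t p, subnet_t s)
{
    bool from_outside = (p.src & s.mask) != (s.net & s.mask);
    return p.proto == PROTO_ICMP && p.icmp_type == ICMP_ECHO_REQUEST
        && p.dst == broadcast_of(s) && from_outside;
}

/* Scan a packet list, return how many the filter would drop, and report the
 * spoofed source of the first one, which is the address under attack. */
size_t count_amplifier_abuse(const pkt_t *pkts, size_t n, subnet_t s, uint32_t *victim)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_directed_broadcast_ping(pkts[i], s)) {
            if (hits == 0 && victim) *victim = pkts[i].src;
            hits++;
        }
    return hits;
}

/* Constructed sample: amplifier network 192.0.2.0/24, spoofed target 198.51.100.7. */
static const subnet_t SAMPLE_NET = { IP4(192, 0, 2, 0), 0xFFFFFF00u };
static const pkt_t SAMPLE_PKTS[] = {
    { IP4(198, 51, 100, 7), IP4(192, 0, 2, 255), PROTO_ICMP, ICMP_ECHO_REQUEST }, /* smurf */
    { IP4(198, 51, 100, 7), IP4(192, 0, 2, 255), PROTO_ICMP, ICMP_ECHO_REQUEST }, /* smurf */
    { IP4(203, 0, 113, 9),  IP4(192, 0, 2, 10),  PROTO_ICMP, ICMP_ECHO_REQUEST }, /* ping to one host */
    { IP4(192, 0, 2, 10),   IP4(192, 0, 2, 255), PROTO_ICMP, ICMP_ECHO_REQUEST }, /* local broadcast */
    { IP4(198, 51, 100, 7), IP4(192, 0, 2, 255), 6, 0 },                           /* TCP, not ICMP */
};
#define SAMPLE_N (sizeof SAMPLE_PKTS / sizeof SAMPLE_PKTS[0])
```

Only the two packets from outside the subnet aimed at 192.0.2.255 are flagged; the ping to a single host, the broadcast from a local host and the non-ICMP packet pass.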
(Win)Nuke
WinNuke crashes Windows 95/NT hosts by establishing a TCP connection and sending out-of-band data
[Diagram: Attacker -> Target]
1. TCP connection established (port 139)
2. Send a packet of out-of-band data (e.g. send(s, str, strlen(str), MSG_OOB))
Published before 5/7/97
Listing of the top 20 attacks
1. back orifice, 2. smurf, 3. teardrop, 4. netbus, 5. nuke
6. mscan, 7. nestea, 8. winnuke, 9. targa, 10. rootkit
11. land, 12. boink, 13. crack, 14. strobe, 15. queso
16. satan, 17. nmap, 18. bonk, 19. sniffit, 20. eggdrop
Recommended scanning software: nmap, queso, strobe, netcat
DoS attack toolkit: targa
Statistics on attacks published on the Internet
37% of attacks can be launched from Windows hosts (people don't need Unix to be dangerous anymore)
4% of attacks compromise hosts that visit web sites (surfing the Internet is not risk free)
3% of attacks exploit more than one vulnerability (attack toolkits that allow children to penetrate hosts with the push of a button are becoming a reality)
8% are scanning tools that look for vulnerabilities (automated searching for vulnerable hosts is commonplace)
Even Firewalls, Routers, and Switches are not safe
Percent of attacks that work against:
firewalls (7%) (no penetration attacks found)
routers (6%) (no penetration attacks found)
Percent of attacks that penetrate:
switches (2%) (nbase and 3com backdoor passwords)