Hackers Desk Reference
.pdfa log entry of the command string executed.
[13.3.2] IIS /..\.. Problem
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory. A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute a target script.
By default user 'Guest' or 'IUSR_MACHINENAME' has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
[13.3.3] Truncated Files
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file called "target.bat". If the file "target.bat" already exists, the file will be truncated, erasing any previous contents.
[13.3.4] SNA Holes
--From ntsecurity.net
When you attach to shared folders on an AS/400 using SNA Server, where the security level is set to 30 or higher, and security has been set on the folders to allow limited access, after the first user connects to a shared folder, all subsequent users acquire the first user's access permissions to shared folders.
This problem occurs when SNA Server is sharing a single Local APPC LU when communicating to an AS/400. The security for shared folders on the AS/400 (when security is set to level 30 or higher), is tied to the controller. In this case, the AS/400 views the controller as its Remote LU, or SNA Server's Local APPC LU.
The transaction program which supports the shared folders function on the AS/400 identifies a user based on the SNA Server Local APPC LU name being used. Therefore, if multiple SNA Server users are sharing the same Local APPC LU for use with shared
folders, you are able to view each other's AS/400 folders. Due to the design of the AS/400 shared folders feature, the first shared folder's user to connect over a Local APPC LU determines the AS/400 security rights for the remaining users who connect over the same Local APPC LU.
For Microsoft' information on this, see their Knowledge Base article: http://www.microsoft.com/kb/articles/q138/0/01.htm
DEFENSE
Create a separate LU (Local to the SNA Server) for each user and pair each LU with the AS/400's LU. Then each user accesses a separate controller and has appropriate access to shared folders. In addition, each shared folder's client application must be configured with a unique Local APPC LU alias. If you prefer to leave this field empty, the SNA Server administrator can assign a default Local APPC LU alias for each user using SNA Admin (2.x) or SNA Server Manager (3.x) configured on the user record.
[13.3.5] SYN Flooding
On your computer running the TCP/IP protocol and connected to the Internet, some or all network services are rendered unavailable and error messages such as the following appear on the network client screen:
The connection has been reset by the remote host.
This symptom of all network services being rendered unavailable may also occur on a computer running an operating system other than Windows NT, for example, Unix.
Your computer has become the target of a malicious attack known as TCP/IP "SYN Flooding" or "SYN Attacks."
"Computer hackers" can target an entire machine, or a specific TCP service such as web services. The attack is focused on the TCP protocol used by all computers on the Internet, and is not specific to the Windows NT operating system.
How SYN Flooding Works
SYN Flooding works as follows: (see also CERT(sm) Advisory CA-96.21 at
ftp://info.cert.org/pub/cert_advisories)
- A TCP connection request (SYN) is sent to the target computer. The source IP address
in the packet is "spoofed," or replaced with an address that is not in use on the Internet, or that belongs to another computer. An attacker will send many of these TCP SYNs to tie up as many resources as possible on the target computer.
-Upon receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK". In this case, the response is sent to the "spoofed" nonexistent IP address.
-No response is received to the SYN-ACK. A default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response, and deallocates the resources that were set aside earlier for the connection. The total elapsed time that resources are in use is 189 seconds.
If you suspect that your computer is the target of a SYN attack, you can type the following command at a command prompt to view connections in the "SYN_RECEIVED" state:
netstat -n -p tcp
If a large number of connections are in the SYN_RECEIVED state, it is possible that the system is under attack. A network analyzer can be used to track the problem down further, and it may be necessary to contact your Internet Service Provider for assistance in attempting to trace the source.
The effect of tying up connection resources varies, depending upon the TCP/IP stack and applications listening on the TCP port. For most stacks, there is a limit on the number of connections that can be in the half-open (SYN_RECEIVED) state. Once the limit is reached for a given TCP port, the target computer responds with a reset to all further connection requests until resources are freed.
[13.3.6] Land Attack
Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packet to itself. Windows NT operates more slowly while the host computer tries to respond to itself.
[13.3.7] Teardrop
Two specially fragmented IP datagrams are sent to the victim. The first is the 0 offset fragment with a payload of size N, with the MF bit on (data content is irrelevant). The second is the last fragment (MF == 0) with a positive offset < N and with a payload of < N. The fragmented datagrams will try to realign themselves, however, the payload of the current fragment does NOT contain enough data to cover the realigning. This will cause a reboot or a halt, depending on how much physical memory you've got.
[13.3.8] Pentium Bug
When an Intel processor receives a specific invalid instruction, your computer may stop responding (hang). Your computer must be turned off and restarted to return to normal operation.
If you execute F0 0F C7 C8 on a P5 it will lock the machine up.
[14.0.0] VAX/VMS Makes a comeback (expired user exploit)
This is an explenation of a vax exploit that discover. The exploit
functions in that when a username has expired it doesnt delete the username
it just puts a new password on the username named temporary password. Until
the user can input a new password to reactivate his account. I will explain
this exploit step by step but this text is intended for a more advanced reader. Remember VAX/VMS is a very secure area to work in you can get
caught if you dont know what you are doing. Well in this text i will give
you a server that has this exploit so you can verify it yourself.
Another thing is that you need to know about how to use the telnet program
if you dont know get a guide and start learning before using this.
Step by Step explanation: (if you dont own an account on the VMS/VAX)
[14.0.1] Step 1:
Finger the users of the server if you have a finger utility, but you need one that gives you the last date login.
[14.0.2] Step 2:
Get the usernames that have an old date like a year ago, basically, something that looks expired.
[14.0.3] Step 3:
Now goto to the login screen of the server type in the username.
When it promts you for a password you will type the word temp. Now for this
moment you will be entering the vax system and it will prompt you to type a
new pssword because the password has expired. As you can see you now owned
a user priviledge account.
[14.0.4] Note:
The easiest way to find systems that are exploitable is to check universities. As we know most universities issue students usernames that are the first letter of their first name and then their whole last name. Example: If your name is John Doe your username would be jdoe. So the best thing you can do is finger universities and try to find as pointed out
earlier user names that have the last login date of a year or so ago.
-Props to Hellmaster for the technique.
[15.0.0] Linux security 101
So you just got the latest linux distro installed? What now? How about a bit of security. You need to immediately secure your system after installation if you want your 0-day sploits to be safe (especially if you hang out on irc). Here I will try and show ways to prevent remote and local attacks. These techniques should work on redhat and debian, but it is primarily made for slackware, the best distro out there.
[15.0.1] Step 1: pico /etc/inetd.conf . This file tells inetd what daemons to open up each time it is run. I generally only keep ftpd available to localhost and telnetd open to all. Close up any services that you feel are not imperative to keep you running by sticking a # in front of the service name.
[15.0.2] Step 2: Permissions. Make sure that your root directory is only readable to root to prevent users from snooping. Type: chmod 700 /root . Also, make sure that only the correct owner can snoop through home directories. cd /home ; chmod 700 * . That should do it. Next, chmod 700 /mnt ; chmod 700 /floppy ; chmod 700 /cdrom . Then you should have all the permissions setup correctly.
*Side note: You may want to only use X-windows as root (thats what I do), as X-win binarys are a good way to exploit a system. So maybe do a chmod 700 /usr/X11/bin ; chmod 700 /usr/X11R6/bin .
[15.0.3] Step 3: RPC services. Try typing rpcinfo -p localhost and see what you get. Remember the results and go into /etc/rc.d . Look through those files for the various rpc servers. Comment the rpc services as needed in those files. Almost every remote procedure call is exploitable. Its better just not to run em.
[15.0.4] Step 4: Install ttysnoop. ttysnoop allows you to see what users are doing when they login to your box. Heres how to install:
Type pico /etc/inetd.conf and stick a comment (#) in front of the line that reads:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Then look 3 lines below. You will see:
#telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetsnoopd
Uncomment that line, and save the file. Then restart inetd by typeing:
ps -aux |grep inetd
(get the pid #)
kill -9 (pid #)
inetd
Then it should be restarted and you can try it out by telneting to localhost and logging in , and then in another window type w to find out what tty you just logged into and then type: ttysnoop ttyp# . You should now be able to see everything that the user types in. Very effective.
[15.0.5] Step 5: Watching them. You should always be aware of who is on your system at any given time. A good way to do this is to, if you are in X-windows, type xconsole - font 5x8 -file /var/log/messages -geometry 550x80 . This will open a small xconsole window that will tel you who is connecting to you. Keep this in a bottom corner. The
next step is to get tcpdump. Find it at sunsite. type tcpdump in a smaill xterm and keep that in another corner. What that will do is show you every single little connection to you. Such as connections from every port.
[15.0.6] Step 6: Misc security programs.
-SSH : Secure shellThis program is a replacement to telnet, so that your passwords cannot be sniffed. It uses encryption
to connect to every server that you telnet to. More and more servers are using this everday because of the growing threat of hackers. Of course, the remote server that you are telneting to has to run SSH as well for it to work =)
-Lightbar : Login SecurityThis program is basically a replacement to /bin/login. It is EXTREMELY customizable and provides that extra edge of security to your login sequence.
-COPS : Computer Oracle and Password SystemThis nice little program automatically scans your system for misconfigurations and warns you of the weaknesses. Its an an excellent way to systematically check for file permission mistakes.
By following the above steps, you have stopped about 99.8% of all hackers breaking into your system (Just hope you dont meet up with some russian hacker =) You will be invincible on IRC. Considering in all my time with Linux, Ive never been hacked. Peace out.
-Phreak-0 (Phreak_0@hotmail.com)
Thanks to Phreak-0 for that portion.
[16.0.0] Unix Techniques. New and Old.
[16.0.1] ShowMount Technique
This is an old school technique that most hackers don't know. The two commands you need to learn are showmount and mount.
They are used in the following way:
Intercore:~#mount server.com:/remotefolder /localfolder
After you issue the command then do cd /localfolder and you will be on the remote computers shared folder. The remotefolder is the folder of the remote system that you want to mount. The localfolder is where you want the remote folder to appear to be on your system. So if you do mount server:/remote /mnt then when you are on your local system you can do cd /mnt and browse around inside that folder. The contents of that folder will be the contents of the remote folder that you shared.
[16.0.2] DEFINITIONS:
showmount lists all the clients that have remotely mounted a filesystem from host. This
information is maintained by the mountd server on host, and is saved across crashes in the file /etc/rmtab.
-e Print the list of shared file systems.
mount attaches a file system to the file system hierarchy at the mount_point, which is the pathname of a directory. If mount_point has any contents prior to the mount operation, these are hidden until the file system is unmounted.
umount unmounts a currently mounted file system, which may be specified either as a mount_point or as special, the device on which the file system resides.
rhosts The files specify remote hosts and users that are considered trusted. Trusted users are allowed to access the local system without supplying a password. The remote authentication procedure determines whether a user from a remote host should be allowed to access the local system with the identity of a local user. This procedure first checks the /etc/hosts.equiv file and then checks the .rhosts file in the home directory of the local user who is requesting access. Entries in these files can be of two forms. Positive entries allow access, while negative entries deny access. The authentication succeeds when
a matching positive entry is found.
hostname [username]
The special character `+' can be used in place of either hostname or username to match any host or user. For example, the entry
+ +
gives any user at any host access to the shell without supplying a password.
rpcinfo makes an RPC call to an RPC server and reports what it finds. In the first synopsis, rpcinfo lists all the registered RPC services with rpcbind on host.
rpcinfo -p [host]