User Attacks
WARNING!
The system is either busy or has been unstable. You can wait and
see if it becomes available again, or you can restart your computer.
* Press any key to return to Windows and wait.
* Press CTRL+ALT+DEL again to restart your computer. You will
lose unsaved information in any programs that are running.
Press any key to continue.
Group 4 Presents:
Carl the Happy Chatter
But not for long….
Carl Morris
Andrew Snyder
Ken Nguyen
Dec 4 2000
User Attacks
What is it?
• An attack mounted against an end user of
the Internet
Goals of an attacker
• Obtain access to systems
• Eavesdrop on communications
• Aggravate and annoy a household user
• Cause damage!
Anything to annoy an end user
Context of Discussion
• Not meant to apply to “computer
geeks”
• Applies to average end user
• Attacks mounted easily by attackers
with limited computer knowledge
Methods of choice
• Performed a search for phrases such as
“How to find Windows NT passwords,”
“Hacking into Computers” & “Easy
Hacking”
• Used our own past experiences
(world & class)
• Our own interests
We decided...
• The Big Three:
– Denial of Service (DoS)
– Packet Sniffing
– Back Orifice 2000
What is DoS?
• Attacker consumes limited resources
on victim’s machine
– CPU time
– memory
– bandwidth
DoS
• Easy DoS Attack
– Ping Flooding
– Ping of Death
– WinNuke
Ping Flooding
• What is Ping Flooding?
– Sending huge amounts of ICMP Echo
Requests
• Used legitimately to test your connection
Ping Flooding (cont.)
• Ping Flooding’s impact
– Ties up victim’s bandwidth
– Forces dialup users to disconnect
– May cause victim’s machine to crash
Ping Flooding (cont.)
• Ping Flooding is Hard!
– Need to know victim’s IP
• Easily obtained from ICQ, IRC, message
forums, etc...
– Must type
“ping destination_IP -t -l huge#”
Ping of Death
• What is Ping of Death?
– Carl receives a packet of illegal size
– Carl’s computer crashes
Ping of Death (cont.)
• Ping of Death is also very hard
– Must type
“ping destination_IP -l 65550”
WinNuke
• What is WinNuke?
– Takes advantage of Windows’ Out-of-
Band (OOB) bug
– Carl receives a pointer that is invalid
– Carl’s computer crashes
WinNuke
• WinNuke is also very hard
Protect yourself
• Ping of Death & WinNuke
– Get patches for your appropriate OS to
prevent overflow/pointer error
Protect yourself
• Ping Flooding
– Set your computer not to echo back; this
cuts the traffic by 50%
– Call your ISP, or set up your own firewall
– Stop it before it starts: do not give out
your IP!
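The two ping attacks above leave distinct traces that a firewall or packet log can be checked for: a flood is many echo requests from one source in a short window, and a Ping of Death is a fragmented datagram whose reassembled size is larger than the 65535-byte IP limit (the slide's `-l 65550` gives 65578 bytes once the ICMP and IP headers are added). The detector below is an added example, not code from the presentation; the packet records are constructed stand-ins for a log, and their field names are assumptions for this example.

```python
"""Added example (not from the slides): flag ping floods and oversized
("Ping of Death") ICMP datagrams in a stream of packet summaries.

Each record is one IP fragment as a firewall or sniffer log might report it.
The field names are assumptions for this example; the traffic is constructed.
"""
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8
IP_HEADER_LEN = 20          # assume no IP options
MAX_IP_DATAGRAM = 65535     # largest legal IP datagram (16-bit total length)


def detect_ping_flood(records, window=1.0, threshold=50):
    """Return {src_ip: peak_count} for every source that sent more than
    `threshold` ICMP echo requests inside any `window`-second span."""
    recent = defaultdict(deque)      # src_ip -> timestamps still inside the window
    offenders = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        # Only the first fragment carries the ICMP header, so later fragments
        # have icmp_type None and are skipped: one datagram counts once.
        if rec["proto"] != "icmp" or rec["icmp_type"] != ICMP_ECHO_REQUEST:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            offenders[rec["src"]] = max(offenders.get(rec["src"], 0), len(q))
    return offenders


def detect_oversized_datagrams(records):
    """Group fragments by (src, ip_id) and return the datagrams whose
    reassembled size would exceed 65535 bytes: the classic Ping of Death."""
    payload_end = defaultdict(int)
    for rec in records:
        key = (rec["src"], rec["ip_id"])
        payload_end[key] = max(payload_end[key], rec["offset"] + rec["length"])
    return {k: IP_HEADER_LEN + end for k, end in payload_end.items()
            if IP_HEADER_LEN + end > MAX_IP_DATAGRAM}


def _fragments(src, ip_id, ts, payload_len, mtu_payload=1480):
    """Split one ICMP echo request into the fragments a 1500-byte MTU produces."""
    frags, off = [], 0
    while off < payload_len:
        n = min(mtu_payload, payload_len - off)
        frags.append({"ts": ts, "src": src, "proto": "icmp",
                      "icmp_type": ICMP_ECHO_REQUEST if off == 0 else None,
                      "ip_id": ip_id, "offset": off, "length": n})
        off += n
    return frags


# Constructed sample traffic.
SAMPLE = []
for i in range(60):                                # 60 echo requests in 0.6 s: a flood
    SAMPLE += _fragments("10.0.0.7", 1000 + i, 0.01 * i, 56)
for n, t in enumerate((0.0, 5.0, 10.0)):           # an ordinary ping every 5 s
    SAMPLE += _fragments("10.0.0.8", 7 + n, t, 56)
SAMPLE += _fragments("10.0.0.8", 10, 12.0, 1500)    # legitimately fragmented, still legal
SAMPLE += _fragments("10.0.0.9", 42, 3.0, 65558)    # "ping -l 65550": 65578 bytes reassembled

if __name__ == "__main__":
    print("flooders:", detect_ping_flood(SAMPLE))
    print("oversized:", detect_oversized_datagrams(SAMPLE))
```

The flood threshold is deliberately a parameter: what counts as "huge" depends on the link, and a dial-up user of the year 2000 is saturated at a rate a LAN host would not notice.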
What Is Packet Sniffing?
• Packet sniffing is eavesdropping on
network traffic.
• It consists of capturing packets on the
network and analyzing them to obtain
information.
What Is in a Packet?
• Source and Destination (MAC)
• A packet can contain information
ranging from web addresses to
passwords.
• However, it is all in binary form,
and requires a protocol analyzer
to make sense of it all.
MAC
• Each Ethernet card contains a 48-bit identifier
– Media Access Control
• The first 24 bits identify the vendor
• The last 24 bits identify the card
• To find out your MAC:
Win9x – winipcfg.exe
WinNT – ipconfig /all
Linux – ifconfig
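What the slides describe in words, a protocol analyzer does in code: it peels the Ethernet, IP and TCP headers off a frame of raw bytes, reads out the source and destination MACs (vendor OUI in the first three octets, card in the last three) and then shows whatever the application sent. The decoder below is an added example, not code from the presentation or from any of the analyzers named on the slides. The frames, MAC addresses, IP addresses and the POP3 login are constructed for this example; the encrypted frame is an opaque stand-in for a TLS record, not a real one.

```python
"""Added example (not from the slides): decode a raw Ethernet/IPv4/TCP frame
the way a protocol analyzer would, extract the MAC addresses and vendor OUI,
and show that a cleartext login is readable while an encrypted payload is not.
All addresses and payloads below are constructed.
"""
import struct


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def vendor_oui(mac: str) -> str:
    """First 24 bits (three octets) identify the vendor; the rest the card."""
    return mac[:8]


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II + IPv4 + TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", 0x0800) + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Peel the headers layer by layer: Ethernet -> IPv4 -> TCP -> payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:                      # not IPv4: stop at layer 2
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])), protocol=ip[9])
    if ip[9] != 6:                               # not TCP
        return info
    tcp = ip[ihl:total_len]
    info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4             # TCP header length in bytes
    info["payload"] = tcp[data_offset:]
    return info


def extract_pop3_login(info: dict) -> dict:
    """POP3 (port 110) sends USER/PASS in the clear; return them if present."""
    if info.get("dport") != 110:
        return {}
    found = {}
    for line in info["payload"].decode("ascii", errors="ignore").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            found["user"] = arg
        elif verb.upper() == "PASS":
            found["password"] = arg
    return found


# Constructed sample traffic: a POP3 login in cleartext ...
CLEARTEXT_FRAME = build_frame("00:a0:c9:11:22:33", "00:10:4b:44:55:66",
                              "192.168.1.5", "192.168.1.20", 1043, 110,
                              b"USER carl\r\nPASS hunter2\r\n")
# ... and the same exchange over an encrypted channel, where only opaque bytes
# are on the wire (constructed stand-in for a TLS record on port 995).
ENCRYPTED_FRAME = build_frame("00:a0:c9:11:22:33", "00:10:4b:44:55:66",
                              "192.168.1.5", "192.168.1.20", 1044, 995,
                              bytes(range(0x17, 0x17 + 32)))

if __name__ == "__main__":
    for frame in (CLEARTEXT_FRAME, ENCRYPTED_FRAME):
        info = parse_frame(frame)
        print(info["src_mac"], "->", info["dst_mac"], "OUI", vendor_oui(info["src_mac"]),
              "port", info["dport"], "login:", extract_pop3_login(info) or "unreadable")
```

The point of the second frame is the one the Preventions slide makes: the sniffer still captures every byte, but once the transfer is encrypted the analyzer has nothing to decode beyond addresses and ports.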
How Is Packet Sniffing Used?
• Packets are captured.
-- Promiscuous mode
• Packets are analyzed.
-- Protocol analyzer
(LanSleuth, Neptune, Ethereal)
Malicious Effects
• Websites
• Passwords
• Any unencrypted information sent over
the network
(Messages, Files)
Ease of Use
• Network Protocol Analyzers
LanSleuth, Ethereal, Neptune, snoop
• Easy installation and configuration
• Some analyzers require administrative
permissions
Examples
• Packet captured using Ethereal
Analyzing
• Packet entered into Ethereal Decode
Preventions
• Encrypt all transfers
SSL – Secure Sockets Layer
SSH – Secure Shell
VPN – Virtual Private Networks
Detections
• In theory – impossible
• In practice – possible sometimes
• Stand-alone packet sniffers don’t
transfer packets
• Sniffers may generate non-standard traffic
(DNS reverse lookups to find the names
associated with captured IP addresses)
Ping Method
• Send a request
• Nobody should respond
• Response --> Sniffer!
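The "ping method" on this slide is the standard promiscuous-mode test: send an echo request to the host's IP address but to a destination MAC that belongs to nobody. A card in normal mode drops a frame that is not addressed to it, so no reply comes back; a card a sniffer has put into promiscuous mode passes every frame up to the IP stack, which only looks at the IP address and answers. The model below is an added example, not code from the presentation; it simulates the NIC filter and the IP stack rather than sending packets, and the hosts and MAC addresses are constructed.

```python
"""Added example (not from the slides): a model of the "ping method" for
spotting a sniffer on the local segment. Nothing is sent on the wire; the
NIC filter and IP stack are simulated so the logic can be followed.
Hosts and MACs are constructed.
"""
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "00:00:00:00:00:01"   # assumed to belong to no card on the segment


@dataclass
class Host:
    ip: str
    mac: str
    promiscuous: bool = False     # True once a sniffer has opened the card
    answers_ping: bool = True     # False when a firewall drops echo requests


def nic_accepts(host: Host, dst_mac: str) -> bool:
    """Hardware filter: own MAC or broadcast, or anything in promiscuous mode."""
    return host.promiscuous or dst_mac in (host.mac, BROADCAST_MAC)


def replies_to_echo(host: Host, dst_mac: str, dst_ip: str) -> bool:
    """The IP stack checks only the IP address; the MAC check was the NIC's job."""
    return nic_accepts(host, dst_mac) and dst_ip == host.ip and host.answers_ping


def probe(host: Host) -> str:
    """Classify one host as 'no-reply' (down or filtered), 'clean' or 'promiscuous'."""
    if not replies_to_echo(host, host.mac, host.ip):   # baseline: correct MAC
        return "no-reply"
    if replies_to_echo(host, BOGUS_MAC, host.ip):     # wrong MAC, yet it answered
        return "promiscuous"
    return "clean"


def scan_segment(hosts):
    return {h.ip: probe(h) for h in hosts}


# Constructed segment: one normal host, one running a sniffer, one firewalled.
SEGMENT = [
    Host("10.0.0.2", "00:11:22:33:44:55"),
    Host("10.0.0.3", "00:11:22:33:44:66", promiscuous=True),
    Host("10.0.0.4", "00:11:22:33:44:77", answers_ping=False),
]

if __name__ == "__main__":
    for ip, verdict in scan_segment(SEGMENT).items():
        print(ip, verdict)
```

The baseline probe with the correct MAC matters: without it a silent host looks "clean" when it is simply down or dropping pings. Real cards and drivers do not all filter exactly as modelled here, which is why the preceding slide says detection is possible only sometimes.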
Packet Sniffing Re-visited
• Packets are “captured” on the network
• They are then analyzed
- Passwords
- Web sites
• Impossible to stop
• Difficult to detect
Back Orifice 2000
What is it?
“The most powerful network administration tool
available for the Microsoft environment”
How is it used?
• An “administrator”
– creates a custom server file
– installs this server on the target machine
– connects to the target machine
– performs various functions
Back Orifice 2000
Malicious effects
A malicious attacker can:
• Install the server on victim’s machine
• Take over computer
– Logging keystrokes
– Rebooting
– Viewing
• cached passwords
• the active screen
• etc.
Ease of use
• In the next few minutes, I will show
you how to use BO2K
Back Orifice 2000
Create a server file…
Back Orifice 2000
Create a server file… (continued)
Back Orifice 2000
Time to connect
Back Orifice 2000
Some stuff…
Back Orifice 2000
Plugins
• Encryption (AES, IDEA, RC6,
Serpent)
• Communications
• Server Enhancement
• Client Enhancement
Back Orifice 2000
BO Peep Plugin
Back Orifice 2000
BO Tools Plugin
Prevention
Measures
Umgr32.exe anyone?
1) Antivirus
2) firewall
3) don’t trust anyone
4) look for umgr32.exe (or its registry entries)
on your computer
5) Microsoft: get a clue
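Item 4 of the list, "look for umgr32.exe on your computer", can be done as a case-insensitive file-name sweep. The checker below is an added example, not code from the presentation; it builds a throw-away directory tree in a temp folder so it runs anywhere, and umgr32.exe is the only indicator name the slides give.

```python
"""Added example (not from the slides): sweep a directory tree for the BO2K
server file name given on the prevention slide. The sample tree in demo()
is constructed in a temporary folder; no real system files are touched.
"""
import os
import tempfile

INDICATOR_NAMES = {"umgr32.exe"}   # the one file name the slides give


def find_indicator_files(root, names=INDICATOR_NAMES):
    """Walk `root` and return every file whose name matches an indicator,
    ignoring case (Windows file names are case-insensitive)."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Build a constructed mini system tree, sweep it, and return the hits
    relative to the root with forward slashes so the result is portable."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "WINDOWS", "SYSTEM")
        os.makedirs(system)
        for name in ("UMGR32.EXE", "KERNEL32.DLL"):      # one indicator, one benign file
            open(os.path.join(system, name), "wb").close()
        open(os.path.join(root, "notes.txt"), "wb").close()
        return [os.path.relpath(h, root).replace(os.sep, "/")
                for h in find_indicator_files(root)]


if __name__ == "__main__":
    print(demo())
```

A name match is a weak indicator on its own: the slides themselves note that the attacker creates a custom server file, which can be given any name, so this sweep complements items 1 and 2 (antivirus and firewall) rather than replacing them.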
Summary
• Many user attacks are so easy that
even your mom could figure them
out
• Some attacks can’t be protected
against based on current network
protocol and system architecture
• Microsoft needs to tighten up
security on their products
Conclusion
• Are you safe?
• That kid next door could be screwing
with you right now.
• You could be a victim of user attacks
and not even know it.
• Practice online safety measures.
• You are not invincible:
Don’t take security for granted
Questions