gsecurety.t35.com/gmail.html
I TAKE NO RESPONSIBILITY WHAT you DO WITH THE INFORMATION PROVIDED IN THIS POST.
Thursday, January 13, 2011
Friday, January 16, 2009
Crack WEP Tutorial WEP cracking [In 10mins]
More Cracking WEP GUIDES and Information From
Intro:
Ok, this is a tutorial explaining how to crack most WEP encrypted Access Points out there. The tools used will be as follows:
Kismet (any working version)
>= Aireplay 2.2 beta
>= Aircrack 2.1
As for wireless cards, i recommend any Prism , Orinoco , or Atheros based cards (i used the D-Link 650 Rev.1a).
Getting Started:
Let's see, First thing you are going to want to do is charge your lappy to the top (aireplay and aircrack drain the battery quite a bit) Next you are going to want to load up your favourite live CD (i used Whoppix 2.7 final) or Linux OS, then stumble across a encrypted WLAN, use Kismet to do so. Make sure you have configured your kismet .conf file correctly to be able to use your card (locate your kismet.conf file and open with your favourite text editor, i used pico);
CODE
# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
source=orinoco,eth1,kismet
#source=wlanng,wlan0,Prism
#source=kismet_drone,192.168.2.252:3501,kismet_drone
^^ that is an example of part of my kismet.conf, initially that was wrong for me, i had to comment out the first line and uncomment the second (my wireless device name was wlan0, you can find this out by typing 'iwconfig' in a terminal).
Note: To find your cards chipset have a good google on the model number of your card or try checking here http://www.linux-wlan.org/docs/wlan_adapters.html.gz . A full list of supported chipsets can
be found on the Kismet website under Documentation.
Changed kismet.conf:
CODE
# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
#source=orinoco,eth1,kismet
source=wlanng,wlan0,Prism
#source=kismet_drone,192.168.2.252:3501,kismet_drone
Save the changes you make and go back to a terminal and run 'kismet', it should load up if you configd it properly. Once you have got kismet going, have a good stumble around your area, to see if a WLAN has WEP enabled, kismet should have a column near the ESSID titled with 'W' if it has WEP enabled it will have a Y, if not it will be a N.
Going in for the kill:
So now you got a target you are going to make sure you dont look suspicious and you got at least 15mins worth of battery life left Razz. Making sure you know the channel the Access Point is on (under the CH cloumn in kismet) and also the mac address of the Access Point by hiting 's' (to sort) then scrolling to the desired Access Point and then typing 'i' which gives you detailed info on the Access Point selected.
First off you are going to want to set your wireless card to the right mode, depending on what chipset depends on what commands you have got to use:
CODE
If you use madwifi, you may have to place the card in
pure 802.11b mode first:
iwpriv ath0 mode 2
If you use wlan-ng, run
./wlanng.sh start wlan0 [comes with AirePlay2.2]
Otherwise run:
iwconfig ath0 mode Monitor channel
ifconfig ath0 up
Read the AirePlay2.2 readme for more info.
Start by opening up another terminal window and cd into your aircrack directory and launch airodump:
Code:
#./airodump
[version crap]
usage: ./airodump
Intro:
Ok, this is a tutorial explaining how to crack most WEP encrypted Access Points out there. The tools used will be as follows:
Kismet (any working version)
>= Aireplay 2.2 beta
>= Aircrack 2.1
As for wireless cards, i recommend any Prism , Orinoco , or Atheros based cards (i used the D-Link 650 Rev.1a).
Getting Started:
Let's see, First thing you are going to want to do is charge your lappy to the top (aireplay and aircrack drain the battery quite a bit) Next you are going to want to load up your favourite live CD (i used Whoppix 2.7 final) or Linux OS, then stumble across a encrypted WLAN, use Kismet to do so. Make sure you have configured your kismet .conf file correctly to be able to use your card (locate your kismet.conf file and open with your favourite text editor, i used pico);
CODE
# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
source=orinoco,eth1,kismet
#source=wlanng,wlan0,Prism
#source=kismet_drone,192.168.2.252:3501,kismet_drone
^^ that is an example of part of my kismet.conf, initially that was wrong for me, i had to comment out the first line and uncomment the second (my wireless device name was wlan0, you can find this out by typing 'iwconfig' in a terminal).
Note: To find your cards chipset have a good google on the model number of your card or try checking here http://www.linux-wlan.org/docs/wlan_adapters.html.gz . A full list of supported chipsets can
be found on the Kismet website under Documentation.
Changed kismet.conf:
CODE
# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
#source=orinoco,eth1,kismet
source=wlanng,wlan0,Prism
#source=kismet_drone,192.168.2.252:3501,kismet_drone
Save the changes you make and go back to a terminal and run 'kismet', it should load up if you configd it properly. Once you have got kismet going, have a good stumble around your area, to see if a WLAN has WEP enabled, kismet should have a column near the ESSID titled with 'W' if it has WEP enabled it will have a Y, if not it will be a N.
Going in for the kill:
So now you got a target you are going to make sure you dont look suspicious and you got at least 15mins worth of battery life left Razz. Making sure you know the channel the Access Point is on (under the CH cloumn in kismet) and also the mac address of the Access Point by hiting 's' (to sort) then scrolling to the desired Access Point and then typing 'i' which gives you detailed info on the Access Point selected.
First off you are going to want to set your wireless card to the right mode, depending on what chipset depends on what commands you have got to use:
CODE
If you use madwifi, you may have to place the card in
pure 802.11b mode first:
iwpriv ath0 mode 2
If you use wlan-ng, run
./wlanng.sh start wlan0
Otherwise run:
iwconfig ath0 mode Monitor channel
ifconfig ath0 up
Read the AirePlay2.2 readme for more info.
Start by opening up another terminal window and cd into your aircrack directory and launch airodump:
Code:
#./airodump
[version crap]
usage: ./airodump
Wednesday, December 17, 2008
Denial-Of-Services Attack - Detailed Explanation
Demystifying Denial-Of-Service attacks, part one By Admin @ Techmaifas. This paper provides an introduction to Denial of Service (DoS) attacks, their methodologies, common prevention techniques, and how they differ from Distributed Denial of Service (DDoS) Attacks. This article is intended to be a broad overview for the beginner or intermediate-level administrator on the different types of DoS attacks.
1. Definitions
We begin by defining Denial of Service and Distributed Denial of Service.
1.1 What is a DoS?
As the name implies, DoS is a Denial of Service to a victim trying to access a resource. In many cases it can be safey said that the attack requires a protocol flaw as well as some kind of network amplification.
Denial of Services is also an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services through the the consumption of bandwidth of the victim network, or the overloading the computational resources of the victim system. (see the Wikipedia definition)
The motivation for DoS attacks is not to break into a system. Instead, it is to deny the legitimate use of the system or network to others who need its services. One can say that this will typically happen through one of the following means:
1. Crashing the system.
2. Deny communication between systems.
3. Bring the network or the system down or have it operate at a reduced speed which affects productivity.
4. Hang the system, which is more dangerous than crashing since there is no automatic reboot. Productivity can be disrupted indefinitely.
DoS attacks can also be major components of other type of attacks.
1.2 What is a Distributed DoS?
A Distributed DoS (DDoS) is the combined effort of several machines to bring down victim. In many cases there is a master machine that launches the attack to zombie machines that are part of a bot network, as shown below in Figure 1. Some bot networks contain many thousands of machines used to launch an attack.
With DoS and DDos defined, we'll now take a look at attacks that affect the consumption of resources, such as Smurf attacks, and then address attacks like SYN Flood that affect network connectivity.
Note that the consumption of resources is most evident when it involves the exploitation of bandwidth, CPU usage, memory, disk space, or access to other computers and resources.
2. Bandwidth exhaustion attacks
A bandwidth exhaustion attack is where an attacker tries to consume the available bandwidth of a network by sending a flood of packets. This is most often accomplished with the help of several other machines. There is soon a flood of malicious nonsense packets on the network in large quantity, whereby the chances of survival of any good, legitimate packets becomes remote. Eventually the network becomes choked with these packets, and the network is effectively cutoff from the Internet and services are denied.
An ideal example of a bandwidth exhaustion attack would be Smurf attacks. Consider a scenario with an ISP and three clients, as shown below in Figure 2. In this scenario, the ISP receives extensive traffic for client 2 on its backbone. Since the connection to client 2 is of limited capacity and smaller than the ISP's backbone, it can't push all the data received for client 2 through the link to client 2. Therefore it will start to drop packets, and the TCP connections will lead to retransmissions of the lost/dropped packets. There will be a time when a legitimate host wants to connect to Client 2's network, but this will timeout and hence a DoS will occur.
2.1 Smurf Attack
Named after a popular program which generates this attack, an ICMP echo request is sent to a broadcast network address (acting as an amplifying agent) with the source address of the victim spoofed. This results in a storm of replies from that network which, if large enough, has the power to take the victim's network down. It is to be noted that there is not much a victim can do about this attack since the link is simply overloaded with packets.
There are always three parts of a Smurf Attack:
1. Attacker
2. Amplifier - a router
3. Victim
This attack succeeds because the amplifier is misconfugred to forward the directed broadcasts.
Suppose the address range 172.30.164.0 to 172.30.164.255 is assigned to a company which has an amplifier, and an attacker sends packets with destination 172.20.164.255. All the routers and systems from attacker to the amplifier will not see the difference between this IP and 172.30.164.10 (an IP from the range). The packet reaches the amplifier and the amplifier notices that this is the broadcast address, so it forwards the request to all the systems on the network/subnet. This is known as directed broadcast.
The two crucial components of this attack were:
1. A misconfigured router forwarding the broadcast request to the subnet.
2. Machines that will respond to this ICMP broadcast request.
Going deeper we can see that the amplifier also makes itself and its network a victim of this attack.
Victims are typically chosen by attackers from IRC where bots (automated programs) are kept to look for the address of victims. Hackers often exchange the information about amplifiers with each other so when a mass attack takes palce it usually appears to come from all over the globe.
Powertech provides realtime statistics of the top amplifiers currently on the Internet.
Below is a typical depiction of the dumps at the Victim. These are ICMP Echo replies received at the Victim's end. Then Figure 3 provides an overview of a Smurf attack.
2.2 How to protect against Smurf attacks
Step 1. Amplifier Configuration. The router should be configured so that it does not forward directed broadcasts onto networks. It is important to note that the broadcast has to be disabled on all the routers and not merely just the external ones. Command "no ip directed-broadcast" on Cisco routers should do the job in most cases. This will also ensure that employees on the internal network won't be able to launch Smurf attacks. However it is also advisable that one has a filtering device (such as a firewall) on the perimeter, thereby providing an extra layer of security.
Step 2. Configure the server operating systems. Servers should be configured so that they will not respond to a directed broadcast request. FreeBSD is one such system which by default does not respond to this request. Other systems can be similarly configured, and this will be discussed in the next section.
Step 3. Victim issues. As mentioned earlier, not much can be done at the victim's end and damage will be done unless victim's ISP takes some actions to block these ICMP Echo Reply floods. Even if the victim's parameter router denies the ICMP Echo Reply, the link from the ISP to the victim's site will suffer.
2.3 ICMP Ping Flood attacks
Ping Floods are where an attacker floods the victim's network with large number of ICMP Echo Requests - such as by flooding the network as fast as possible. In this scenario, filtering the incoming packets might help, however, if the victim is on a modem instead of a high-speed connection, nothing can be done. However the catch in this attack is that if not done properly the attacker can also be counter-attacked, so he needs to be on a faster network than the victim. In most cases, mitigating this attack involves isolating spoofed IPs. This attack is easy to peform since there are many tools on Internet and little knowledge is required to execute a ping flood.
2.4 Fraggle attacks
A Fraggle attack is a Smurf variant that uses UDP instead of ICMP. In this case, the ports echo, chargen, daytime, qotd are used to trigger responses. These ports are also susceptible to a pingpong attack, and therefore these serves should be turned off or blocked.
3. Network connectivity attacks
These attacks overload the victim so that its TCP/IP stack is not able to handle any further conections, and processing queues are completely full with nonsense malicious packets. As a consequence of this attack, legitimate connections are denied. One classic example of a network connectivity attack is a SYN Flood.
3.1 Example: SYN Flood attacks
A SYN Flood is where an attacker sends packets with a spoofed source IP Address and a TCP SYN Flag set to the server (victim). Let's first assume that the attacker knows which ports are open on the server. Since the source IP is spoofed, the response sent to the SYN packet by the server will never receive a reply back. The server will keep waiting until it times out. If this happens for a very large number of connections the result will be a DoS, since the server won't be available for any legitimate connections and its resources will be choked.
As will be shown, this attack exploits a vulnerability of the TCP protocol, by the way in which the TCP three-way connection is established. This is shown below in Figure 4.
3.2 Protecting against SYN Flood attacks
There are several things that can be done to protect against SYN Flood attacks.
1. Decrease the TCP Connection Timeout on the victim server.
2. Use a filtering device, like a firewall, at the perimeter which works as an intermediary in forwarding the connections to the server.
Use of a server farm: this can also help in fighting the SYN Flood since you will have number of the servers to answer the request, but this also has limitations and overhead considerations.
A detailed article on SYN Flood protection by Mariusz Burdach was previously published on SecurityFocus. Therefore, only a short overview of SYN Flood protection will be discussed in this section.
3.2.1 Protecting Microsoft Windows from a SYN Flood attack
Microsoft Windows has a mechanism to detect and start SYN Flood protection. The SYN flooding attack protection feature detects symptoms of SYN flooding and responds by reducing the time the server spends on connection requests that it cannot acknowledge.
Specifically, TCP shortens the required interval between SYN-ACK (connection request acknowledgements) retransmissions. TCP retransmits SYN-ACKS when they are not answered. As a result, the allotted number of retransmissions is consumed more quickly and the unacknowledgeable connection request is discarded faster.
When enabled, the system monitors the connections maintained by TCP and starts the SYN attack flooding protection when the any of the following conditions, symptomatic of SYN flooding, are found:
* The total number of connections in the half-open (SYN-RCVD) state exceeds the value of TcpMaxHalfOpen
* The number of connections that remain in the half-open (SYN-RCVD) state even after a connection request has been retransmitted exceeds the value of TcpMaxHalfOpenRetried
* The number of connection requests the system refuses exceeds the value of TcpMaxPortsExhausted. The system must refuse all connection requests when its reserve of open connection ports runs out.
Microsoft suggests the following registry settings:
3.2.2 Check Point protections against a SYN Flood attack
In the first scenario, we look at Check Point as a simple proxy to the victim server. This is shown below in Figure 5.
In this scenario Check Point acts a proxy to the server and responds to all the requests sent to the server. A request is forwarded to the server only if there is a corresponding ACK. The drawback of this configuration is that normally a perimeter firewall is very heavily loaded and this configuration will induce further load on it. The advantage is that the server will always be free to only take legitimate connections.
In the second scenario, we look at Check Point preventing a SYN Flood attack while residing in a transparent proxy configuration. This is shown below in Figure 6.
Here Check Point passes all the connections, irrespective of whether they are legitimate or not, to the server but also starts a timer once it sees a ACK/SYN from the server. If there is no corresponding ACK from the Client and the timer expires, the firewall will send a RST to the server thereby preventing its queue from overflowing with illegitimate connections. The advantage of this configuration is that load on firewall is reduced considerably as compared to previous configuration. The drawback, however, is that now the server sees all the connection attempts.
4. Conclusion
In this article we've defined DoS and DDoS and looked at attacks that affect the consumption of bandwidth: Smurf attacks, ICMP ping floods, and Fraggle attacks. We've also taken a first look at attacks that affect network connectivity, such as SYN Flood attacks and some of the ways to prevent them.
Next time in part two, we'll look at the consumption of other precious resources such as CPU time, disk space, memory utilization, and then examine any vulnerable printers that may be DoS attack vectors on the network. We'll also discuss Teardrop attacks, LAND attacks, Ping-of-death, and finally discuss some common Win32 worms that have been used to build botnets that perform broad DDoS attacks. Finally, we'll discuss mitigation techniques and best practices for preventing DoS attacks. Stay tuned.
1. Definitions
We begin by defining Denial of Service and Distributed Denial of Service.
1.1 What is a DoS?
As the name implies, DoS is a Denial of Service to a victim trying to access a resource. In many cases it can be safey said that the attack requires a protocol flaw as well as some kind of network amplification.
Denial of Services is also an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services through the the consumption of bandwidth of the victim network, or the overloading the computational resources of the victim system. (see the Wikipedia definition)
The motivation for DoS attacks is not to break into a system. Instead, it is to deny the legitimate use of the system or network to others who need its services. One can say that this will typically happen through one of the following means:
1. Crashing the system.
2. Deny communication between systems.
3. Bring the network or the system down or have it operate at a reduced speed which affects productivity.
4. Hang the system, which is more dangerous than crashing since there is no automatic reboot. Productivity can be disrupted indefinitely.
DoS attacks can also be major components of other type of attacks.
1.2 What is a Distributed DoS?
A Distributed DoS (DDoS) is the combined effort of several machines to bring down victim. In many cases there is a master machine that launches the attack to zombie machines that are part of a bot network, as shown below in Figure 1. Some bot networks contain many thousands of machines used to launch an attack.
With DoS and DDos defined, we'll now take a look at attacks that affect the consumption of resources, such as Smurf attacks, and then address attacks like SYN Flood that affect network connectivity.
Note that the consumption of resources is most evident when it involves the exploitation of bandwidth, CPU usage, memory, disk space, or access to other computers and resources.
2. Bandwidth exhaustion attacks
A bandwidth exhaustion attack is where an attacker tries to consume the available bandwidth of a network by sending a flood of packets. This is most often accomplished with the help of several other machines. There is soon a flood of malicious nonsense packets on the network in large quantity, whereby the chances of survival of any good, legitimate packets becomes remote. Eventually the network becomes choked with these packets, and the network is effectively cutoff from the Internet and services are denied.
An ideal example of a bandwidth exhaustion attack would be Smurf attacks. Consider a scenario with an ISP and three clients, as shown below in Figure 2. In this scenario, the ISP receives extensive traffic for client 2 on its backbone. Since the connection to client 2 is of limited capacity and smaller than the ISP's backbone, it can't push all the data received for client 2 through the link to client 2. Therefore it will start to drop packets, and the TCP connections will lead to retransmissions of the lost/dropped packets. There will be a time when a legitimate host wants to connect to Client 2's network, but this will timeout and hence a DoS will occur.
2.1 Smurf Attack
Named after a popular program which generates this attack, an ICMP echo request is sent to a broadcast network address (acting as an amplifying agent) with the source address of the victim spoofed. This results in a storm of replies from that network which, if large enough, has the power to take the victim's network down. It is to be noted that there is not much a victim can do about this attack since the link is simply overloaded with packets.
There are always three parts of a Smurf Attack:
1. Attacker
2. Amplifier - a router
3. Victim
This attack succeeds because the amplifier is misconfugred to forward the directed broadcasts.
Suppose the address range 172.30.164.0 to 172.30.164.255 is assigned to a company which has an amplifier, and an attacker sends packets with destination 172.20.164.255. All the routers and systems from attacker to the amplifier will not see the difference between this IP and 172.30.164.10 (an IP from the range). The packet reaches the amplifier and the amplifier notices that this is the broadcast address, so it forwards the request to all the systems on the network/subnet. This is known as directed broadcast.
The two crucial components of this attack were:
1. A misconfigured router forwarding the broadcast request to the subnet.
2. Machines that will respond to this ICMP broadcast request.
Going deeper we can see that the amplifier also makes itself and its network a victim of this attack.
Victims are typically chosen by attackers from IRC where bots (automated programs) are kept to look for the address of victims. Hackers often exchange the information about amplifiers with each other so when a mass attack takes palce it usually appears to come from all over the globe.
Powertech provides realtime statistics of the top amplifiers currently on the Internet.
Below is a typical depiction of the dumps at the Victim. These are ICMP Echo replies received at the Victim's end. Then Figure 3 provides an overview of a Smurf attack.
Code:
10:10:17.100000 172.30.164.1 > victim: icmp: echo reply 10:10:18.300000 172.30.164.76 > victim: icmp: echo reply 10:10:18.310000 172.30.164.10 > victim: icmp: echo reply 10:10:19.110000 172.30.164.223 > victim: icmp: echo reply 10:11:09.190000 172.30.164.51 > victim: icmp: echo reply 10:11:09.240000 172.30.164.18 > victim: icmp: echo reply 10:11:10.110000 172.30.164.98 > victim: icmp: echo reply 10:11:10.600000 172.30.164.18 > victim: icmp: echo reply 10:11:10.790000 172.30.164.240 > victim: icmp: echo reply
2.2 How to protect against Smurf attacks
Step 1. Amplifier Configuration. The router should be configured so that it does not forward directed broadcasts onto networks. It is important to note that the broadcast has to be disabled on all the routers and not merely just the external ones. Command "no ip directed-broadcast" on Cisco routers should do the job in most cases. This will also ensure that employees on the internal network won't be able to launch Smurf attacks. However it is also advisable that one has a filtering device (such as a firewall) on the perimeter, thereby providing an extra layer of security.
Step 2. Configure the server operating systems. Servers should be configured so that they will not respond to a directed broadcast request. FreeBSD is one such system which by default does not respond to this request. Other systems can be similarly configured, and this will be discussed in the next section.
Step 3. Victim issues. As mentioned earlier, not much can be done at the victim's end and damage will be done unless victim's ISP takes some actions to block these ICMP Echo Reply floods. Even if the victim's parameter router denies the ICMP Echo Reply, the link from the ISP to the victim's site will suffer.
2.3 ICMP Ping Flood attacks
Ping Floods are where an attacker floods the victim's network with large number of ICMP Echo Requests - such as by flooding the network as fast as possible. In this scenario, filtering the incoming packets might help, however, if the victim is on a modem instead of a high-speed connection, nothing can be done. However the catch in this attack is that if not done properly the attacker can also be counter-attacked, so he needs to be on a faster network than the victim. In most cases, mitigating this attack involves isolating spoofed IPs. This attack is easy to peform since there are many tools on Internet and little knowledge is required to execute a ping flood.
2.4 Fraggle attacks
A Fraggle attack is a Smurf variant that uses UDP instead of ICMP. In this case, the ports echo, chargen, daytime, qotd are used to trigger responses. These ports are also susceptible to a pingpong attack, and therefore these serves should be turned off or blocked.
3. Network connectivity attacks
These attacks overload the victim so that its TCP/IP stack is not able to handle any further conections, and processing queues are completely full with nonsense malicious packets. As a consequence of this attack, legitimate connections are denied. One classic example of a network connectivity attack is a SYN Flood.
3.1 Example: SYN Flood attacks
A SYN Flood is where an attacker sends packets with a spoofed source IP Address and a TCP SYN Flag set to the server (victim). Let's first assume that the attacker knows which ports are open on the server. Since the source IP is spoofed, the response sent to the SYN packet by the server will never receive a reply back. The server will keep waiting until it times out. If this happens for a very large number of connections the result will be a DoS, since the server won't be available for any legitimate connections and its resources will be choked.
As will be shown, this attack exploits a vulnerability of the TCP protocol, by the way in which the TCP three-way connection is established. This is shown below in Figure 4.
3.2 Protecting against SYN Flood attacks
There are several things that can be done to protect against SYN Flood attacks.
1. Decrease the TCP Connection Timeout on the victim server.
2. Use a filtering device, like a firewall, at the perimeter which works as an intermediary in forwarding the connections to the server.
Use of a server farm: this can also help in fighting the SYN Flood since you will have number of the servers to answer the request, but this also has limitations and overhead considerations.
A detailed article on SYN Flood protection by Mariusz Burdach was previously published on SecurityFocus. Therefore, only a short overview of SYN Flood protection will be discussed in this section.
3.2.1 Protecting Microsoft Windows from a SYN Flood attack
Microsoft Windows has a mechanism to detect and start SYN Flood protection. The SYN flooding attack protection feature detects symptoms of SYN flooding and responds by reducing the time the server spends on connection requests that it cannot acknowledge.
Specifically, TCP shortens the required interval between SYN-ACK (connection request acknowledgements) retransmissions. TCP retransmits SYN-ACKS when they are not answered. As a result, the allotted number of retransmissions is consumed more quickly and the unacknowledgeable connection request is discarded faster.
When enabled, the system monitors the connections maintained by TCP and starts the SYN attack flooding protection when the any of the following conditions, symptomatic of SYN flooding, are found:
* The total number of connections in the half-open (SYN-RCVD) state exceeds the value of TcpMaxHalfOpen
* The number of connections that remain in the half-open (SYN-RCVD) state even after a connection request has been retransmitted exceeds the value of TcpMaxHalfOpenRetried
* The number of connection requests the system refuses exceeds the value of TcpMaxPortsExhausted. The system must refuse all connection requests when its reserve of open connection ports runs out.
Microsoft suggests the following registry settings:
Code:
hkey_local_machine \system \currentcontrolset \services \tcpip \parameters \synattackprotect=1 REG_DWORD hkey_local_machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxconnectresponseretransmissions=2 REG_DWORD hkey_local_machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxdataretransmissions=3 REG_DWORD
In the first scenario, we look at Check Point as a simple proxy to the victim server. This is shown below in Figure 5.
In this scenario Check Point acts a proxy to the server and responds to all the requests sent to the server. A request is forwarded to the server only if there is a corresponding ACK. The drawback of this configuration is that normally a perimeter firewall is very heavily loaded and this configuration will induce further load on it. The advantage is that the server will always be free to only take legitimate connections.
In the second scenario, we look at Check Point preventing a SYN Flood attack while residing in a transparent proxy configuration. This is shown below in Figure 6.
Here Check Point passes all the connections, irrespective of whether they are legitimate or not, to the server but also starts a timer once it sees a ACK/SYN from the server. If there is no corresponding ACK from the Client and the timer expires, the firewall will send a RST to the server thereby preventing its queue from overflowing with illegitimate connections. The advantage of this configuration is that load on firewall is reduced considerably as compared to previous configuration. The drawback, however, is that now the server sees all the connection attempts.
4. Conclusion
In this article we've defined DoS and DDoS and looked at attacks that affect the consumption of bandwidth: Smurf attacks, ICMP ping floods, and Fraggle attacks. We've also taken a first look at attacks that affect network connectivity, such as SYN Flood attacks and some of the ways to prevent them.
Next time in part two, we'll look at the consumption of other precious resources such as CPU time, disk space, memory utilization, and then examine any vulnerable printers that may be DoS attack vectors on the network. We'll also discuss Teardrop attacks, LAND attacks, Ping-of-death, and finally discuss some common Win32 worms that have been used to build botnets that perform broad DDoS attacks. Finally, we'll discuss mitigation techniques and best practices for preventing DoS attacks. Stay tuned.
WinRar Password Remover
RAR Password Recovery is a powerful tool to recover lost (forgotten) passwords for a RAR/WinRAR (2.xx and 3.xx) archives. The program supports the "brute-force" attack, dictionary-based attack and dramatically fastest "Booost-Up" attack. The program is able to resume the previous interrupted attack..
Here is a brief list of RAR Password Recovery advantages:
Recovers passwords for a RAR/WinRAR archives of versions 2.xx and 3.xx using combination of Brute-Force, Booost-Up or Dictionary attacks.
Very high speed of work (more than 3000 passwords per second in Brute-Force mode and up to 22000 passwords per second in Booost-Up mode).
Customizability.
Advanced heuristic processor.
User-friendly interface.
Large wordlist dictionary.
Ability to work in the background.
Autosave feature.
Here is a brief list of RAR Password Recovery advantages:
Recovers passwords for a RAR/WinRAR archives of versions 2.xx and 3.xx using combination of Brute-Force, Booost-Up or Dictionary attacks.
Very high speed of work (more than 3000 passwords per second in Brute-Force mode and up to 22000 passwords per second in Booost-Up mode).
Customizability.
Advanced heuristic processor.
User-friendly interface.
Large wordlist dictionary.
Ability to work in the background.
Autosave feature.
USerful Hack Tools {Best of 2008}
This download would be detected as virus, but dont worry all of the tools have malicious code which will help you to hack. But it wont do anything wrong to your computer.
What does it have?
AddrView.rar
AnonFTP.zip
AOL new.rar
AppToService.rar
arpinject.zip
aspack21.zip
Astaroth Joiner v2.rar
atk-2.1.zip
BankOfAmerica.rar
bios_pass_remover.zip
BlasterW32.zip
blue.zip
bmpripper.zip
brutus.zip
Cable Modem Sniffer.rar
CapKeys_DIGITAL.rar
CASXM138.zip
CAYZODQF.zip
CGI Founder v1.043.zip
cgis4.zip
CGISscan.zip
cia10.zip
cports.rar
craagle.zip
Crackftp.zip
CreditCardGjenerator.rar
Davs_TR_REtail.zip
DDL Sites.rar
DeepUnFreez.zip
DrVBS.zip
eBay.rar
EESBinder.zip
egold.rar
E-mail Cracker.rar
ezDataBase_Defacer.rar
F.B.I - Binder.rar
FTP Brute Forcer.rar
ftpbr.zip
~Censored~ Mail Bomber 2.3.rar
G00B3RS_phpBB_exploit_pack.rar
genxe-beta-0.9.0.zip
Google_Hacker_1.2.rar
grinder1.1.zip
Hack FLASH Template.zip
Hack MY Space.zip
Hack Photoshop CS2.zip
HackersAssistant.zip
HackTheGame.zip
hck.zip
hlboom.zip.zip
Hook Tool Box.rar
Hotmail Email Hacker.rar
Hotmail HAcker Gold.rar
Hotmail ScamPage.zip
HotmailHack.rar
HSBC-US.rar
hydra-4.6-win.zip
iecv.rar
IP2.rar
ipnetinfo.rar
john-17w.zip
Key Changer.rar
Key_Logger.zip
Legion NetBios Scanner v2.1.zip
Mail Boomb_2.0 YAHOO.zip
MIDNITEmassacre.zip
MooreR Port Scanner.rar
MSN Flooder 2.0.rar
MSN Messenger Account Cracker v2.0.rar
MSNLoader.rar
NET BIOS Scaner.rar
NetBIOS Name Scanner.rar
NetResView.rar
NFO Maker 1.0.zip
Nimda.zip
nkedb.zip
nolimitcracker.rar
NTPacker.zip
nts.zip
NullAddFrontend.zip
On-Off MSN.rar
OS Update Hack.rar
P0kes WormGen 2.0.zip
panther.zip
PayPal.rar
PCAnyPass.rar
Php Nuke Hacker v11.0.rar
phpBB Annihilator.rar
phpbb attack.rar
phpbb bruteforcer.rar
PhpBB pass extractor.zip
phpBB_DoS.rar
phpbb_spammer.rar
phpBBAttacker.rar
phpBBAttacker.zip
phpBBcracker.rar
PhpBuGScan.rar
~censored~.rar
PhpNuke_bypass.rar
Ping & Nukes.rar
Port Listener XP.rar
pqwak2.zip
procexp.rar
ProMo.rar
ProxyPro.zip
Pure phpBB Email harvester.rar
rainbowcrack-1.2-src win-lin.zip
Remote Shut Down.rar
ResHacker.zip
Rocket.zip
rpc.zip
RpcScan101.zip
Sasser.zip
SendMailer.zip
Server 2003 Keygen.rar
Server Killer.rar
showpassv10.zip
sitedigger2.zip
smbat-win32bin-1.0.4.zip
SMBdie.zip
smbproxy-win32bin-1.0.0.zip
Source Checker.rar
source codes.rar
sprut.zip
SQLScan v1.0.rar
Stealth - HTTP Scanner v1.0 build 23.zip
super.zip
SuperScan4.rar
tftpd32.273.zip
thunter.zip
TinaSoft KILL.zip
traceroute.rar
UC.Forum Spam.rar
udpflood.zip
Ultra Dos.zip
USBank.rar
Visa Spam.zip
Warez Sites.rar
Web Cracker 2.0.rar
WebCracker 4.0.rar
whoistd.rar
Win XP Activator.rar
WindowHide.rar
Windows XP Corperate Keygen.rar
Windows XP KeyGen.rar
Windows XP Product Key Changer.rar
Windows XP Product Key Checker.rar
Windows XP Product Key Viewer.rar
WindowsAdminpasswordHack.rar
wwwhack.rar
xpass.zip
xplizer.rar
Yahoo Password.zip
yahooUltraCracker.rar
zehir.zip
RapidShare Hacking
U must have noticed many rapidshare account posted on the site... i have got many members asking me how i did it.... so heres the way... enjoy phishing... please remember to share them on the website as we cant change the password.... only owner of the account can change the pass.
1. You will need to have the phishing files which u can download from
2. Once you download these files u will need to upload them to a webhost so everyone can see that here are some list of free webhosts...
3. Now upload all of the files to your webhost.
4. Now one of the files in the download would be "config.php" which will need to edit. So open that file with notepad.
5. Find this text in that file
6. Just make appropriate changes to this code as per the webhost name and the folder where you have uploaded the phishing files.
7. Now here goes the format of the link which u can give to the victim in order to steal their password.
8. Now you're all set... just give this phishing link to the victim which will exactly look like the rapidshare page and even he will download the file whicheva u give the link for... but the only difference would be username and password would be send to you as well 
Additional Tips:-
As you know now you would have long URL's which looks suspicious to advanced users, so what u can do is u can try to shorten the URL with some free websites... here are some examples.
So enjoy RapidShare hacking...
1. You will need to have the phishing files which u can download from
Code:
http://rapidshare.com/files/133074712/D0nt_Angry_TOT_By_Max.rar
Code:
www.freewebs.com www.ripway.com www.247mbhosting.com or any other u know
3. Now upload all of the files to your webhost.
4. Now one of the files in the download would be "config.php" which will need to edit. So open that file with notepad.
5. Find this text in that file
PHP Code:
$website = "http://h1.ripway.com/yourusername/"; //Full Path To Install
$phishingnet="yourPhisherpasswords.txt" //Textfile Where To Store The Accounts
?> 7. Now here goes the format of the link which u can give to the victim in order to steal their password.
Code:
http://yourname.Phisherhost.com/rapidshare/download.php?link=[some_real_rapidsharelink]&size=[size_of_the_file]
Additional Tips:-
As you know now you would have long URL's which looks suspicious to advanced users, so what u can do is u can try to shorten the URL with some free websites... here are some examples.
Code:
http://snurl.com/site/index http://hide-url.net/ http://www.protectlinks.com/ http://rapidsafe.de/ http://www.shorturl.com
Saturday, December 13, 2008
FireMaster The Firefox Master Password Recovery Too
| History | ||||||||||||||
| Version 3.1: 28th Sep 2008 | ||||||||||||||
| Fixed the bug in recovering the master password for Iceweasel which is browser derived from Firefox. | ||||||||||||||
| Version 3.0: 29th July 2008 | ||||||||||||||
| Support for Firefox version 3.0, now you can recover the master password of latest version of Firefox. The differences in reading the Firefox key database file is resolved. | ||||||||||||||
| Kudos to the Firefox crew for yet another beautiful version of Firefox...! | ||||||||||||||
| Version 2.5: 22nd March 2008 | ||||||||||||||
| Pattern based brute force password recovery method is implemented which reduces the time considerably when certain part of the password is already known. Also minimum length of password can be specified which improves the recovery time greatly. | ||||||||||||||
| Usage is simplified by forcing one crack method at a time and providing better meaningful options. Fixed the bug in displaying statistics and now it displays the remaining time accurately based on the current speed which is computed dynamically. | ||||||||||||||
| Thanks for your suggestions and feedbacks... | ||||||||||||||
| Version 2.2: 8th July 2006 | ||||||||||||||
| FireMaster source code is released under GPL v2. | ||||||||||||||
| Version 2.1: 18th June 2006 | ||||||||||||||
| Tested successfully with latest version 1.5.0.4 of Firefox. | ||||||||||||||
| Statistics display during the operation is improved. | ||||||||||||||
| Version 2.0: 25th Feb 2006 | ||||||||||||||
| First public release of FireMaster SOURCE code. | ||||||||||||||
| Now it works at amazing speed of 50k passwords per second on normal m/c. | ||||||||||||||
| Firefox library dependency is removed completely. | ||||||||||||||
| For brute force, speed and time is displayed during operation. | ||||||||||||||
| Lots of optimizations and few bug fixes. | ||||||||||||||
| Thanks to 'T Barton' for reporting the bug with 1.5 version. | ||||||||||||||
| Version 1.5: 14th Jan 2006 | ||||||||||||||
| Bug in parsing key3.db fixed. | ||||||||||||||
| Displaying results during recovery operation. | ||||||||||||||
| Speed is doubled compared to the original version. | ||||||||||||||
| Version 1.0: 1st Jan 2006 | ||||||||||||||
| First public release of FireMaster. | ||||||||||||||
| About FireMaster | ||||||||||||||
Firemaster is the Firefox master password recovery tool. Firefox uses master password to protect the stored sign-on information for various websites. If the master password is forgotten, then there is no way to recover the master password and user has to lose all the sign-on information stored in it. To prevent this problem, I have developed FireMaster which uses combination of techniques such as dictionary, hybrid and brute force to recover the master password from the Firefox key database file. | ||||||||||||||
| About Firefox Password Manager and Master Password | ||||||||||||||
Firefox comes with built-in password manager tool which remembers username and passwords for all the websites you visit. This sign-on information is stored in the encrypted form in Firefox database files residing in user's profile directory. However any body can just launch the password manager from the Firefox browser and view the credentials. Also one can just copy these database files to different machine and view it offline using the tools such as FirePassword. | ||||||||||||||
Hence to protect from such threats, Firefox uses master password to provide enhanced security. By default Firefox does not set the master password. However once you have set the master password, you need to provide it every time to view sign-on credentials.So if you have lost the master password, then you have lost all the stored credentials as well. | ||||||||||||||
So far there was no way to recover these credentials once you have lost the master password. Now the FireMaster can help you to recover the master password and get back all the sign-on information. | ||||||||||||||
| Internals of FireMaster | ||||||||||||||
Once you have lost master password, there is no way to recover it as it is not stored at all. Whenever user enters the master password, Firefox uses it to decrypt the encrypted data associated with the known string. If the decrypted data matches this known string then the entered password is correct. FireMaster uses the similar technique to check for the master password, but in more optimized way. The entire operation goes like this. | ||||||||||||||
| ||||||||||||||
Firefox stores the details about encrypted string, salt, algorithm and version information in key database file key3.db in the user's profile directory. You can just copy this key3.db file to different directory and specify the corresponding path to FireMaster. You can also copy this key3.db to any other high end machine for faster recovery operation. | ||||||||||||||
| FireMaster supports following password generation methods | ||||||||||||||
| 1) Dictionary Method | ||||||||||||||
In this mode, FireMaster uses dictionary file having each word on separate line to perform the operation. You can find lot of online dictionary with different sizes and pass it on to Firemaster. This method is more quicker and can find out common passwords. | ||||||||||||||
| 2) Hybrid Method | ||||||||||||||
This is advanced dictionary method, in which each word in the dictionary file is prefixed or suffixed with generated word from known character list. This can find out password like pass123, 12test, test34 etc. From the specified character list (such as 123), all combinations of strings are generated and appended or prefixed to the dictionary word based on user settings. | ||||||||||||||
| 3) Brute Force Method | ||||||||||||||
In this method, all possible combinations of words from given character list is generated and then subjected to cracking process. This may take long time depending upon the number of characters and position count specified. | ||||||||||||||
| How to use FireMaster? | ||||||||||||||
| First you need to copy the key3.db file to temporary directory. Later you have to specify this directory path for FireMaster as a last argument. Here is the general usage information | ||||||||||||||
| Firemaster [-q] [-d -f [-h -f [-b -m | ||||||||||||||
| Dictionary Crack Options: | ||||||||||||||
| ||||||||||||||
| Hybrid Crack Options: | ||||||||||||||
| ||||||||||||||
| Brute Force Crack Options: | ||||||||||||||
| ||||||||||||||
| Sample Usage Information | ||||||||||||||
| // Dictionary Crack | ||||||||||||||
| FireMaster.exe -d -f c:\dictfile.txt Firefox_Profile_Path | ||||||||||||||
| // Hybrid Crack | ||||||||||||||
| FireMaster.exe -h -f c:\dictfile.txt -n 3 -g "123" -s Firefox_Profile_Path | ||||||||||||||
| // Brute Force Crack | ||||||||||||||
| FireMaster.exe -q -b -m 3 -c "abyz126" -l 10 -p "pa??f??123" Firefox_Profile_Path | ||||||||||||||
Here Firefox_Profile_Path refers to the directory where key3.db file is present. This points to the Firefox profile directory (Ex: C:\Documents and Settings\ | ||||||||||||||
Quiet mode ( -q option ) will disable printing each password while recovery is in progress. This makes it much faster especially for brute force operation. However during brute force operation if the password count exceeds 50000 passwords then it automatically enters the quiet mode. | ||||||||||||||
Hybrid method tries normal dictionary password as well as password created by appending/prefixing the generated strings to the dictionary word. For example if the dictionary word is "test" and you have specified character set as '123' (-c 123 -s) then the new passwords will be test1, test12, test123, test32 etc. | ||||||||||||||
Character list (-g for hybrid and -c for brute force) specifies the characters to be used for generating passwords. If you don't specify then the default character list is used. For brute force -m indicates the minimum length of password to be generated. This can reduce the generated passwords and hence the time considerably when large number of character set is specified. Similarly -l (small 'L') specifies the maximum length of password to be generated. For example, if you specify -m 6 and -l 8 then only passwords which are of length at least 6 and above but below 8 will be generated. Now you can reduce the password cracking time significantly using pattern based password recovery mechanism. If you know that password is of certain length and also remember few characters then you can specify that pattern for brute force cracking. For example, assume that you have set the master password of length 12 and it begins with 'fire' and ends with '123' then command will look like below | ||||||||||||||
| FireMaster.exe -b -c "abyz" -l 12 -p "fire?????123" c:\testpath | ||||||||||||||
| This will reduce the time to seconds which otherwise would have taken days or hours to crack that password. You can even crack the impossible looking passwords using the right pattern. | ||||||||||||||
| FireMaster in Action | ||||||||||||||
 | ||||||||||||||
| FireMaster and FireFox | ||||||||||||||
FireMaster is tested with latest Firefox version 3.0 and should work with any Firefox having version 1.0 or more. If the FireMaster failed to work with your Firefox then please send me the key3.db and cert8.db (required for older versions) files which are present in your Firefox profile directory. Note that sign-on credentials are stored in the signons.txt file and key3.db just contains the master password related information. So even if some one knows your master password it will be useless unless he/she has access to signons.txt file. | ||||||||||||||
| Disclaimer | ||||||||||||||
FireMaster is designed with good intention to recover the lost master password so that every one keep enjoying their experience with Firefox. Like any other tool its use either good or bad, depends upon the user who uses it. However author is not responsible for damages or impact caused due to misuse of FireMaster. | ||||||||||||||
| Acknowledgement | ||||||||||||||
| Thanks to the Mozilla-Firefox crew for making such an excellent, beautiful, free browser. Thanks to everyone who shared their experience with FireMaster and sending the valuable feedbacks and suggestions. | ||||||||||||||
| Download FireMaster | ||||||||||||||
If you want to build the FireMaster from the source then you need to download the Gecko SDK from Mozilla website. FireMaster 3.1 binary & source download | ||||||||||||||
| See Also | ||||||||||||||
| Using FireMaster with pattern based recovery technique | ||||||||||||||
| FirePassword: The Firefox Username & Password List Decryptor | ||||||||||||||
| NetShareMonitor: Monitor your shares from intruders. | ||||||||||||||
| Recover Windows password in seconds using Rainbow crack. |
Subscribe to:
Posts (Atom)
