💾 Archived View for aphrack.org › issues › phrack56 › 12.gmi captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
- P H R A C K M A G A Z I N E - Volume 0xa Issue 0x38 05.01.2000 0x0c[0x10] |----------------------------- DISTRIBUTED TOOLS -----------------------------| |-----------------------------------------------------------------------------| |----------------------------- sasha / lifeline ------------------------------| "The COAST approach has been to look at limits and underlying problems and see what we can do to change the paradigm. We don't start with the view that 'well, the system gives us X and we know Y, so what can we find using that?' Instead, we ask questions about the whole process of intrusion and misuse, and try to find new ideas there." - Gene Spafford ----| Distributed Denial of Service Attacks It is perhaps prophetic that the first CERT advisory of the 21st century should concern a distributed Denial of Service attack (see CA-2000-01 [1]). In November 1999, CERT even held a 'Distributed-Systems Intruder Tools Workshop' [2], to discuss "the threat" of distributed DoS (Denial of Service) tools. Briefly: in a distributed DoS attack, daemons are installed on multiple compromised hosts; a client is used to identify a target to the daemons who each then launch a DoS attack (usually using flood-like attacks i.e. UDP, ICMP, SYN). The unified and sustained nature of attacks generated by multiple daemons can often cripple a target network/host. Some good work has been done on analysis of current distributed DoS tools, and we direct the interested reader to the work of David Dittrich [3]. ----| Applications of a Distributed Approach It is somewhat depressing that DoS is very often the first application of any new idea which can be utilized in a security context, and this is especially true of distributed techniques, since the distributed 'philosophy' is applicable to many facets of computer network penetration. Below, we describe two examples of the distributed approach applied to very familiar tasks: port scanning and password sniffing. Source code for an example distributed port scanner implementation is included at the end of the article. ----| Port Scanning In P55-09 - 'Distributed Information Gathering' [4], the advantages in using a distributed network information gathering approach are described, namely: I. Stealth By employing co-operation, time dilation, and randomization techniques we hope to elude NIDS (network-based intrusion detection systems). II. Correlation Information The acquisition of multiple 'points of view' of a target enables a more complete model of the target to be constructed, including multiple route and timing information. III. Pervasive Information Gathering The countermeasures which some N-IDS can employ, such as injecting a 'deny rule' into a firewall (for example, using an OPSEC API [5]), become less effective at stopping ongoing information gathering. ----| Distributed Port Scan Detection To detect a distributed port scan in which multiple hosts are being used to distribute and "share the work" of information gathering, the functionality must exist in a detection system to analyze a recorded event (for example - a SYN packet sent to a port) in context, i.e. using circumstantial information. The difficulty lies in knowing which information it is valuable to keep; you may throw away the one byte which unlocks the puzzle! Resource starvation and state-holding attacks then become applicable, since the resources available to the detection system are unlikely to be infinite. Assuming no pathologically obvious variations of information gathering techniques are used (e.g. SYN+RST), a detection system must almost ignore source IP addresses when performing analysis, since by definition, multiple source hosts can distribute the set of probes to be performed. For example, if you receive a connect to each port from 1 to 1024 over the duration of a week, from multiple hosts, you are likely to have been port scanned; however, the set of ports an individual is interested in determining are open on your machine (or network), is unlikely to be as easy to recognize as 1-1024. There obviously exists an opportunity to perform much more research in the area of programmatically identifying distributed attacks. ----| Password Sniffing In P55-16 - 'Distributed Metastasis' [6], the advantages associated with using a distributed model for password sniffing are described; briefly, the two primary advantages are in removing the need to revisit a compromised host to collect sniffer logs, and to increase the speed with which the sniffed information is made available so that the penetration can be immediately continued/deepened. ----| The Implementation An implementation of a distributed port scanner is provided for illustrative purposes. DPS (Distributed Port Scanner) consists of a client working in conjunction with agents located on multiple remote hosts. The communication between the client and the agents is provided via some basic commands encapsulated in ICMP_ECHO_REQUEST/REPLY packets, thus providing a fairly covert channel. Strong data payload encryption is planned for a later release. The port scan request is done by the client; the agents perform the port scan itself, and then report the results back to the client. Imagine that we have 4 agents, located on 4 different hosts: 'hardbitten', 'doubt', 'ketamine' and 'neurosponge'. Our goal is to obtain the status of ports 21, 22, 23, 80 and 143 on 10.0.2.10. The client is located on the host 'implode' and agents.txt is a file containing a list of agents. [root@implode dps]# ./client 10.0.2.10 21-23,80,143 agents.txt eth0 packet sent. 1 of 1 Using device eth0 21 iz open 23 iz open 80 iz open [root@implode dps]# The client distributes the "workload" (the set of ports) between the different agents; each agent scans the target host for a subset of the total ports, then reports the results back to the client. This isn't by any means a finished product - it is proof-of-concept. Planned features for future releases include: distributed password sniffing, distributed remote OS detection, strong crypto, multi-threaded agents, and other ideas that people have been throwing seen this project was begun. Stay tuned. Take your time to browse through the source code. Both Libnet and Libpcap are needed by both the agent and the client. ----| Conclusions It is interesting to see historically the wave-like effect that exists between centralized and distributed computing: mainframe, client/server, thin-client (such as Windows Terminal Server and the JavaStation Network Computer), etc. This same effect has not yet been fully witnessed in computer security (the Morris Worm [7] is an obvious exception). Conversely, the concept of 'remote control' is not new to security; Loki [8], Back Orifice [9], and NetBus [10] all provide client/server style remote control functionality. To conclude, the key to the distributed 'philosophy', is the _combination_ of the above two concepts. ----| References [1] CERT Advisory CA-2000-01 - Denial-of-Service Developments, CERT/CC and FedCIRC, January 3, 2000, http://www.cert.org/advisories/CA-2000-01.html [2] Results of the Distributed-Systems Intruder Tools Workshop, Pittsburgh, Pennsylvania USA, November 2-4, 1999, Published at the CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 15213, December 7, 1999, http://www.cert.org/reports/dsit_workshop.pdf [3] The Dos Project's "trinoo" distributed denial of service attack tool, The "Tribal Flood Network" distributed denial of service attack tool, The "stacheldraht" distributed denial of service attack tool, David Dittrich, University of Washington, December 31, 1999, http://www.washington.edu/People/dad/ [4] Distributed Information Gathering, hybrid, Phrack Magazine, Vol. 9, Issue 55, Article 9 of 16, 09.09.99, http://www.phrack.com/search.phtml?view&article=p55-9 [5] Check Point Open Platform for Security (OPSEC), Check Point Software Technologies Ltd, 1999, http://www.opsec.com [6] Distributed Metastasis: A Computer Network Penetration Methodology, Andrew J. Stewart, Phrack Magazine Vol. 9, Issue 55, Article 16 of 19, 09.09.99, http://www.phrack.com/search.phtml?view&article=p55-16 [7] The Internet Worm Program: An Analysis, Eugene H. Spafford, Purdue University, 1998, http://www.cerias.purdue.edu/coast/archive/data/categ29.html [8] Project Loki, daemon9 & alhambra, Phrack Magazine Vol. 7, Issue 49, Article 06 of 19, August 1996, http://www.phrack.com/search.phtml?view&article=p49-6 [9] Back Orifice 2000, Cult of the Dead Cow, http://www.b02k.com [10] http://www.netbus.org ----| Source Code <++> p56/dps/Makefile !5f996922 CC = gcc CFLAGS = -O3 -DDEBUG LIBS = -lnet -lpcap CLI_OBJECTS = source/clt_main.o source/clt_packet_injection.o source/clt_wait.o AGT_OBJECTS = source/agt_main.o source/agt_pscan.o DPS_OBJECTS = source/dps_helper.o source/dps_pcap.o .c.o: $(CC) $(CFLAGS) $(DEFINES) -c {body}lt; -o $@ common: $(DPS_OBJECTS) client: $(CLI_OBJECTS) $(DPS_OBJECTS) $(CC) $(DPS_OBJECTS) $(CLI_OBJECTS) $(LIBS) -o client strip client agent: $(AGT_OBJECTS) $(DPS_OBJECTS) $(CC) $(DPS_OBJECTS) $(AGT_OBJECTS) $(LIBS) -o agent strip agent clean: rm -f source/*.o core <--> <++> p56/dps/README !6dab2725 dps 1.0 dps is a distributed portscanning tool. It consists in a client working in conjuction with agents located in several remote hosts thus providing 'many-to-one' and 'many-to-many' portscanning. The communication between the client and the agents is provided via some basic commands encapsulated in ICMP ECHO_REQUEST/ECHO_REPLY packets this way providing a fairly covert channel. Data payload encryptation is also available using the most popular symmetric-key algorithms (except for DES due to the pathetic export restrictions is U.S.). (*not* yet implemented) The portscan request is done by the client, being the portscan itself done by the agents which then report back to the client the results obtained. Compilation notes: 1. make client 2. make agent and that'z it! <--> <++> p56/dps/agents.txt !96b84d09 foo bar neuro.somewieirddomain.org 10.0.2.10 <--> <++> p56/dps/localtest.txt !ea0d9aae 127.0.0.1 <--> <++> p56/dps/include/config.h !5d33c259 #define MAGIC "lifeline" /* magic string, only alphanumerical characters please. Btw, you will become an idiot if you don't change this. */ #define BLOWFISH_KEY "lifelinerox" #define MAX_HOST_SIZE 64 /* maximum hostname size allowed */ #define MAX_ICMP_PAYLOAD_SIZE 56 /* ok, this one is tricky. A maximum payload of 56 bytes is recommended is you want the packets to seem real. But 56 may not be enough to store all the port information, in this case the program will split up in various ICMP packets, however in the case that the port information may be really large it will cause a tremendous ICMP flood in the network, so deal with it and use the option that fits you best. */ <--> <++> p56/dps/include/dps_pcap.h !3dca6d72 #ifndef DPS_PCAP #define DPS_PCAP #ifdef SOLARIS #include "./solaris.h" #endif #include <pcap.h> #define LOOPBACK_OFFSET 4 #define ETHERNET_OFFSET 14 #define SLIP_PPP_OFFSET 24 char errbuf[PCAP_ERRBUF_SIZE]; void dps_pcap_err( char *, char * ); pcap_t * dps_pcap_prep( int, char *, char * ); int dps_pcap_datalink( pcap_t * ); void * dps_pcap_next( pcap_t * ); #endif /* DPS_PCAP */ /* EOF */ <--> <++> p56/dps/include/prototypes.h !f50ce3e5 #include <linux/types.h> extern char *itoa(int); struct agentnfo { u_long address; /* agent's IP address */ u_long victim; /* victim's IP address */ char *ports; /* ports to scan separated by comas(",") and minus("-"); */ struct agentnfo *next; /* next agent in list, this is a linked list */ }; struct scannfo { u_long victim; u_long cli_addr; char *ports; }; struct sp_header { char magic[8]; __u8 plus:1, res2:1, res3:1, res4:1, res5:1, res6:1, res7:1, res8:1; }; extern short int inject(struct agentnfo *, char *); <--> <++> p56/dps/include/solaris.h !acb0956b #ifndef SOLARIS_H #define SOLARIS_H #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <ctype.h> #include <strings.h> #include <arpa/inet.h> #include <sys/types.h> #include <sys/stat.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip_var.h> #include <netinet/ip.h> #include <netinet/tcp.h> #endif /* SOLARIS_H */ /* EOF */ <--> <++> p56/dps/source/agt_main.c !aaf7e1ae #include <stdio.h> #include <stdlib.h> #include <pcap.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <netinet/ip_icmp.h> #include <asm/types.h> #include "../include/config.h" #include "../include/prototypes.h" #define SNAPLEN 64 #define ETHHDR 14 void pkt_analyser_func(char *, char *); /* Global variables */ unsigned int dlink_s; const u_char *snapend; int main(int argc, char **argv) { pkt_analyser_func(argv[1], MAGIC); } void pkt_analyser_func(char *dev, char *magic) { pcap_t *pd; char *data; struct pcap_pkthdr h; struct iphdr *iph; char *payload; int x; struct sp_header *head; struct scannfo *scan; if(!dev) { if(!(dev = pcap_lookupdev(NULL))) { perror("pcap_lookupdev"); exit(1); } } printf("Using device %s\n", dev); pd = pcap_open_live(dev, SNAPLEN, 0, 10, NULL); switch(pcap_datalink(pd)) { case DLT_EN10MB: case DLT_IEEE802: dlink_s = ETHHDR; break; case DLT_NULL: dlink_s = 4; break; default: perror("unknown datalink header"); exit(0); break; } for(;;) { data = pcap_next(pd, &h); iph = (struct iphdr *)(data + dlink_s); if(iph->protocol == IPPROTO_ICMP) { struct icmphdr *icmph = (struct icmphdr *)(data + dlink_s + iph->ihl*4); if(icmph->type == 8 && icmph->code == 0) { payload = malloc(MAX_ICMP_PAYLOAD_SIZE); memcpy(payload, data + dlink_s + iph->ihl*4 + 8, MAX_ICMP_PAYLOAD_SIZE); /* for(x = 0; x <= MAX_ICMP_PAYLOAD_SIZE; x++) printf("%c", *(payload+x)); printf("\n");