Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Curt Wilson (netw3NETW3.COM)
Date: Wed Apr 04 2001 - 01:34:05 CDT
From the excellent paper "Cautionary Tales: Stealth Coordinated Attack HOWTO"
by Dragos Ruiu found at http://www.dursec.com/articles/stealthhowto.html:
>One of the more devious penetration methods we observed was a system that
trickled data in and out in the normally unused padding at the end of user
data packets. On normal sniffers and detectors, the packets looked
completely innocent, as even those tools did not display the padding
"garbage" used for the hack. This padding was used to install malicious
software by trickling the attack executable into the target a little bit at
a time, a few bytes with every packet.
>They then penetrated one of our systems (a sniffer of all things) and
installed a key-stroke logger that encoded the keystrokes typed at the
console into the address field of Address Resolution Protocol (ARP) lookup
messages, which were happily passed through the firewall and relayed to the
attacker at the nearby system outside the firewall on the same subnet that
received the ARP encoded keystrokes.
I'm looking for more details on tools such as these; I realize someone
could custom write
apps to handle these function, but are there pre-existing tools available?
I don't personally
have the skills to write tools such as these at this point in time, but
would enjoy seeing
any that anyone may have to share. The closest I've seen with a name that I
is the loki toolset, which works with ICMP. Sounds like the basic loki
into other protocols. I like the use ARP for this function, as this is
certainly a more
interesting attack than the garden variety, dime-a-dozen exploits we all
see in our logs.
Thanks for any information.
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3netw3.com 618-303-NET3 |