OSEC

From: Curt Wilson (netw3NETW3.COM)
Date: Wed Apr 04 2001 - 01:34:05 CDT

    From the excellent paper "Cautionary Tales: Stealth Coordinated Attack HOWTO"
    by Dragos Ruiu found at http://www.dursec.com/articles/stealthhowto.html:

    >One of the more devious penetration methods we observed was a system that
    trickled data in and out in the normally unused padding at the end of user
    data packets. On normal sniffers and detectors, the packets looked
    completely innocent, as even those tools did not display the padding
    "garbage" used for the hack. This padding was used to install malicious
    software by trickling the attack executable into the target a little bit at
    a time, a few bytes with every packet.

    >They then penetrated one of our systems (a sniffer of all things) and
    installed a key-stroke logger that encoded the keystrokes typed at the
    console into the address field of Address Resolution Protocol (ARP) lookup
    messages, which were happily passed through the firewall and relayed to the
    attacker at the nearby system outside the firewall on the same subnet that
    received the ARP encoded keystrokes.

    I'm looking for more details on tools such as these; I realize someone
    could custom write apps to handle these functions, but are there
    pre-existing tools available? I don't personally have the skills to write
    tools such as these at this point in time, but would enjoy seeing any that
    anyone may have to share. The closest I've seen with a name that I can
    recall is the loki toolset, which works with ICMP. Sounds like the basic
    loki principle extended into other protocols. I like the use of ARP for
    this function, as this is certainly a more interesting attack than the
    garden variety, dime-a-dozen exploits we all see in our logs.

    Thanks for any information.

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    | Curt R. Wilson * Netw3 Consulting * www.netw3.com |
    | Internet Security, Networking, PC tech, WWW hosting |
    | Netw3 Security Reading Room : www.netw3.com/documents.html |
    | Serving Southern Illinois locally and the world virtually |
    | netw3netw3.com 618-303-NET3 |
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
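The two channels quoted above (data hidden in frame padding, and data carried in ARP address fields) both leave traces a sniffer can check for, even though a default packet decoder hides them. The following is an added detection example written for this archive page; it is not code from the post or from Dragos Ruiu's paper, and the 192.168.1.0/24 segment, MAC/IP values and sample frames are all constructed assumptions. It parses raw Ethernet/ARP frames and flags non-zero padding, a sender MAC that disagrees with the Ethernet source, a filled-in target MAC in a request, and addresses outside the monitored subnet.

```python
import ipaddress
import struct

ETH_HDR = 14      # Ethernet II header: dst, src, ethertype
ARP_LEN = 28      # ARP body for Ethernet/IPv4 (hlen=6, plen=4)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed monitored segment

def build_arp(eth_src, sha, spa, tha, tpa, op=1, padding=b"\x00" * 18):
    """Constructed test frame: broadcast ARP padded to the 60-byte minimum."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, eth_src, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return eth + arp + padding

def parse_arp_frame(frame):
    """Split a raw Ethernet frame into header fields, ARP fields and trailing padding."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[ETH_HDR:ETH_HDR + ARP_LEN])
    op, sha, spa, tha, tpa = fields[4:]
    return {"eth_src": src, "op": op, "sha": sha, "spa": spa, "tha": tha,
            "tpa": tpa, "padding": frame[ETH_HDR + ARP_LEN:]}

def arp_findings(frame):
    """Return reasons this ARP frame deviates from what a benign stack emits."""
    p = parse_arp_frame(frame)
    findings = []
    if any(p["padding"]):                       # a normal stack pads with zeros
        findings.append("non-zero bytes in frame padding")
    if p["sha"] != p["eth_src"]:                # ARP sender MAC should match the frame source
        findings.append("ARP sender MAC differs from Ethernet source")
    if p["op"] == 1 and p["tha"] not in (b"\x00" * 6, b"\xff" * 6):
        findings.append("ARP request carries a filled-in target MAC")
    for name in ("spa", "tpa"):                 # ARP is link-local; foreign IPs are odd
        if ipaddress.ip_address(p[name]) not in LOCAL_NET:
            findings.append(f"{name} outside the local subnet")
    return findings

# Constructed sample frames (not captured traffic).
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
IP_A, IP_B = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])
NORMAL = build_arp(MAC_A, MAC_A, IP_A, b"\x00" * 6, IP_B)
PADDED = build_arp(MAC_A, MAC_A, IP_A, b"\x00" * 6, IP_B, padding=b"typed text sample\n")
STUFFED = build_arp(MAC_A, MAC_B, IP_A, b"\x41" * 6, bytes([10, 9, 8, 7]))

if __name__ == "__main__":
    for label, frame in (("normal", NORMAL), ("padded", PADDED), ("stuffed", STUFFED)):
        print(label, arp_findings(frame))
```

On a live segment the same checks would run over frames read from a raw socket or a pcap file; padding is only visible when the capture keeps the full 60-byte frame rather than truncating to the ARP body.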