OSEC

 
From: .MetsyS. (stfXTRA.CO.NZ)
Date: Sun Apr 08 2001 - 20:05:56 CDT


    A very interesting post...

    I have been looking at some ICMP backdoor ideas (very effective!!!)

    I am trying to hunt down the loki toolset mentioned in your message but
    cannot find it anywhere; do you know where I can nab this from?

    I have seen a nice lil icmp client program around with source; if combined
    with basic crypto, it would make backdoors like this very difficult to detect
    (if not already done so). Perhaps NIDS should watch what ICMP does and alert
    when the traffic falls outside the data in a standard ping... OTOH turning
    off ICMP could do the trick, the downside being that network testing can be a pain.

    Hiding data in the padding is excessively sneaky <bow>.

    Anyway,

    Have fun,
    Harm none.

    .MetsyS.

    At 01:34 AM 4/4/01 -0500, you wrote:
    >From the excellent paper "Cautionary Tales: Stealth Coordinated Attack HOWTO"
    >by Dragos Ruiu found at http://www.dursec.com/articles/stealthhowto.html:
    >
    >>One of the more devious penetration methods we observed was a system that
    >trickled data in and out in the normally unused padding at the end of user
    >data packets. On normal sniffers and detectors, the packets looked
    >completely innocent, as even those tools did not display the padding
    >"garbage" used for the hack. This padding was used to install malicious
    >software by trickling the attack executable into the target a little bit at
    >a time, a few bytes with every packet.
    >
    >>They then penetrated one of our systems (a sniffer of all things) and
    >installed a key-stroke logger that encoded the keystrokes typed at the
    >console into the address field of Address Resolution Protocol (ARP) lookup
    >messages, which were happily passed through the firewall and relayed to the
    >attacker at the nearby system outside the firewall on the same subnet that
    >received the ARP encoded keystrokes.
    >
    >I'm looking for more details on tools such as these; I realize someone
    >could custom write apps to handle these functions, but are there
    >pre-existing tools available? I don't personally have the skills to write
    >tools such as these at this point in time, but would enjoy seeing any that
    >anyone may have to share. The closest I've seen with a name that I can
    >recall is the loki toolset, which works with ICMP. Sounds like the basic
    >loki principle extended into other protocols. I like the use of ARP for
    >this function, as this is certainly a more interesting attack than the
    >garden variety, dime-a-dozen exploits we all see in our logs.
    >
    >Thanks for any information.
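The detection idea raised in the reply above (a NIDS that alerts when ICMP echo data falls outside what a standard ping carries) as an added Python example; this is not code from the original post, from Dragos Ruiu's paper, or from the loki toolset. The reference fill patterns for Windows ping.exe and iputils ping are assumptions to verify against the hosts on your own network, and the sample datagrams are constructed inline rather than captured.

```python
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed reference fill patterns (verify against hosts on your own network):
#   - Windows ping.exe repeats the letters a..w (23 bytes) to fill the payload.
#   - Classic iputils ping writes byte i = i & 0xFF, then overwrites the first
#     8 or 16 bytes with a timestamp, so only offsets >= 16 are compared.
WINDOWS_ALPHABET_LEN = 23
IPUTILS_TIMESTAMP_MAX = 16


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum used by ICMP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Assemble a well-formed ICMP datagram (used here only to build sample input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(datagram: bytes):
    """Split an ICMP datagram into header fields and payload; None if truncated."""
    if len(datagram) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": datagram[8:],
            "checksum_ok": rfc1071_checksum(datagram) == 0}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits near 8, stock ping fill well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def matches_windows_ping(payload: bytes) -> bool:
    return bool(payload) and all(
        b == ord("a") + (i % WINDOWS_ALPHABET_LEN) for i, b in enumerate(payload))


def matches_iputils_ping(payload: bytes) -> bool:
    if len(payload) <= IPUTILS_TIMESTAMP_MAX:
        return False  # nothing left to judge after the timestamp region
    return all(b == (i & 0xFF)
               for i, b in enumerate(payload) if i >= IPUTILS_TIMESTAMP_MAX)


def classify_echo(datagram: bytes):
    """Return (verdict, detail): 'malformed', 'not-echo', 'stock-ping' or 'anomalous'."""
    icmp = parse_icmp(datagram)
    if icmp is None:
        return "malformed", "header shorter than 8 bytes"
    if icmp["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "not-echo", "type %d" % icmp["type"]
    payload = icmp["payload"]
    if matches_windows_ping(payload):
        return "stock-ping", "windows fill pattern"
    if matches_iputils_ping(payload):
        return "stock-ping", "iputils fill pattern"
    # Anything else is worth an alert; the entropy hints whether it is encrypted.
    return "anomalous", "%d payload bytes, entropy %.2f bits/byte" % (
        len(payload), shannon_entropy(payload))


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "linux-like": build_echo(bytes(16) + bytes(range(16, 56))),
    "windows-like": build_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
    "carrying-data": build_echo(b"fragment-0001:" + bytes(range(0xF0, 0xFF))),
    "dest-unreach": build_echo(b"\x00" * 28, icmp_type=3),
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        verdict, detail = classify_echo(dgram)
        print("%-14s %-10s %s" % (name, verdict, detail))
```

The whitelist approach matters more than the entropy figure: a channel that hides a few plaintext bytes per packet, as the quoted paper describes, has low entropy but still fails the fill-pattern comparison. Expect to extend the pattern table for whatever ping variants (BSD, embedded stacks, monitoring agents) legitimately appear on your segment before turning this into an alert.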