Common Network Attacks

David J. Marchette
[email protected]

< > - +
Common Network Attacks – p.1/96
 Outline

Some Common Attacks

SHADOW
EMERALD
ADAM
Utilities

< > - +
Common Network Attacks – p.2/96
 Terminology

Active. Requires action on the part of the person or system to

gather information.
Passive. Relies on information gathered without any action (e.g.
without sending any packets).
Fingerprinting. Determining the Operating System of a machine
by investigating packets/responses from the machine.

< > - +
Common Network Attacks – p.3/96
 Terminology

Stateful. A system (intrusion detection, firewall, etc) is stateful if it

retains information of the state of TCP sessions.

< > - +
Common Network Attacks – p.4/96
 References

Northcutt, Network Intrusion Detection: An Analyst’s Handbook.

www.nswc.navy.mil/ISSEC/CID
www.sans.org
www.cert.org

< > - +
Common Network Attacks – p.5/96
 Outline of an Attack

Find out what machines are on the net: IP scan.

Find out what OS/version they are running: Fingerprinting.
Find out what services they are running: Portscan.
Attack the vulnerable.

< > - +
Common Network Attacks – p.6/96
 Comments on Attack Outline

Not all attacks follow all these steps.

Some attacks skip all of them (denial of service).
Attacks that follow the pattern are usually trivial to detect.
Attacks that follow the pattern sometimes still succeed! Even
when the pattern has been detected!

< > - +
Common Network Attacks – p.7/96
 Attack Types

Denial of Service (DOS).

Probes and Network Mapping.
Fingerprinting.
TCP Hijacking.
Other ways to gain access.

< > - +
Common Network Attacks – p.8/96
 DOS: Land Attack

A single packet attack.

A packet is sent with both the source and destination IP address
set to the target machine.
Locks up the machine (only works on older systems).
Note: This, like most attacks, requires the attacker to carefully
craft packets.
This attack only worked because of a bug in the IP stack of some
operating systems.

< > - +
Common Network Attacks – p.9/96
 DOS: Ping of Death

Another single packet attack.

A ping (ICMP echo request) is sent to the target machine with an
illegally long payload (greater than 64K).
Locks up the machine (only works on older systems).
Note: some versions of ping allowed one to do this. So novices
could use this attack without any coding skills.

< > - +
Common Network Attacks – p.10/96
 DOS: Teardrop

Another single packet attack.

A UDP packet is sent fragmented, with the fragments overlapping.
Locks up the machine (only works on older systems).

< > - +
Common Network Attacks – p.11/96
 More Attacks with Fragments

Suppose a TCP packet has been fragmented, and the attacker

knows the IP ID.
The attacker can send new fragments with the same IP ID,
overwriting the legitimate data.
The TCP header is left alone, so it is a legitimate packet as far as
the receiving computer knows.
The attacker must take care that the checksum is correct.

< > - +
Common Network Attacks – p.12/96
 DOS: UDP Storm

Another single packet attack, in principle.

Was the “attack-du-jour” for a while in 1999.
A UDP packet is sent with:
Source IP victim1.
Destination IP victim2.
Source port 7 (echo).
Destination port 19 (chargen).
Causes the two victim machines to “attack” each other.

< > - +
Common Network Attacks – p.13/96
 Notes on “Old Attacks”

These attacks “only work on older systems”.

This does not mean they will never work again.
These take advantage of errors (bugs) in the programming of the
operating systems. This illustrates the basic idea of many attacks:
find an error and exploit it.

< > - +
Common Network Attacks – p.14/96
 Notes on “Old Attacks”

Note that code reuse and poor programming habits can make
some old attacks viable again.
How might one have designed a system that would detect the
above attacks before they were known?

< > - +
Common Network Attacks – p.15/96
 DOS: SYN Flood

Send a lot of SYN packets to the target.

These start half-open connections.
If enough connections are started before they start to time out, the
connection table can fill up.
The machine crashes, or cannot service legitimate connections.

< > - +
Common Network Attacks – p.16/96
 DOS: SYN Flood

Note that the packets needn’t have the source address of the
attacker. In fact, they should have an unreachable source to
ensure that the SYN/ACKs are never answered.
In actual implementations, the attack usually does not use
unreachable sources, but rather selects the sources at random (or
arbitrarily).

< > - +
Common Network Attacks – p.17/96
 DOS: Process Table

Similar to the SYN flood. Initiate a lot of TCP connections.

Requires an application that will accept the connections.
Each connection forks a process. If enough connections are
forked the process table fills up.

< > - +
Common Network Attacks – p.18/96
 DOS: Process Table Notes

Note that the attacker must appear in the source IP address, since
it must answer the SYN/ACKs. But if it’s clever, it need not fork
any processes.
This is a good attack to implement as a distributed denial of
service. By using many compromised computers, the attacker
hides his identity while multiplying the effectiveness of the attack.

< > - +
Common Network Attacks – p.19/96
 DOS: Targa3

Send a lot of malformed packets:

Invalid fragmentation, protocol, packet size, or IP header
values;
Invalid options;
Invalid TCP segments;
Invalid routing flags.
These either crash the system, or use up resources while dealing
with the strange packets.

< > - +
Common Network Attacks – p.20/96
 DOS: Targa3 Notes

The attacker need not appear in the source IP, since it doesn’t
need to handle any responses.
There need be no particular pattern to the malformed packets.
However, patterns in these might provide a way to fingerprint the
attack software.

< > - +
Common Network Attacks – p.21/96
 DOS: Smurf

Send a lot of ping packets (echo requests) to an intermediary

network with the victim as source IP.
These all generate echo replies, which all get sent to the victim.
Using broadcast (255) greatly magnifies the effect (assuming the
intermediary network doesn’t ignore broadcasts).

< > - +
Common Network Attacks – p.22/96
 DOS: Smurf Picture

Intermediary Network
172.16.x.x

Attacker Target

ICMP echo requests

From: Target (spoofed)
To: 172.16.255.255

< > - +
Common Network Attacks – p.23/96
 DOS: Smurf Picture

Intermediary Network
172.16.x.x

Attacker Target

ICMP echo replies

From 1000s of
machines

< > - +
Common Network Attacks – p.23/96
 DOS: Smurf Picture

Intermediary Network
172.16.x.x

Attacker Target

Target goes down

under the flood.
Note: Attacker is invisible
to the target.
< > - +
Common Network Attacks – p.23/96
 DOS: Syslogd

There are innumerable attacks that utilize a bug in an application.

Old versions of the syslogd daemon on Solaris would crash if sent
a packet from a source with no DNS entry.
Who would let a syslog packet in from outside the firewall
anyway? This attack is from the good old days, before firewalls
were common.

< > - +
Common Network Attacks – p.24/96
 DOS Notes

There are two generic types of denial of service attacks:

Ones in which the attacker takes an active (and detectable) part.
Spoofing attacks, where the attacker does not show up on the
packets sent to the victim.
How can one determine who the attacker is?

How does one stop such attacks?

< > - +
Common Network Attacks – p.25/96
 Network Mapping

How do you find a victim to attack?

Some are well known: ebay, amazon, Microsoft, etc.
Sometimes the attacker is after a specific individual/organization.
Even if you know you want to attack Widgets-R-Us, how do you
decide which machines are vulnerable?

One answer is to scan/map the network.

< > - +
Common Network Attacks – p.26/96
 Network Mapping Light

ping 10.10.255.255.
If this works, every machine on 10.10.xxx.xxx will respond.
It probably won’t work.
Many organizations don’t allow broadcast packets through their
firewalls.
If it did work, it would probably flood your machine, and produce a
denial of service against yourself!

< > - +
Common Network Attacks – p.27/96
 Network Mapping the Hard Way

ping 10.10.1.1.
ping 10.10.1.2.
ping 10.10.1.3. · · ·
Can be automated, and will work, assuming it isn’t blocked by a
firewall.
It is extremely easy to detect.
It can take a while to go through all the possible addresses.
To this day people (script kiddies) will do this.

< > - +
Common Network Attacks – p.28/96
 Stealthy Network Mapping

There are several ways to make the mapping harder to detect:

1. Use packets that people expect to see, and will ignore (echo
requests used to work here).
2. Use packets that are not normally logged. (example: TCP
SYN/ACK)
3. Randomizing the IPs scanned.
4. Spreading out the timing (low and slow scans).
5. Using multiple source IPs.

< > - +
Common Network Attacks – p.29/96
 Stealthy Network Mapping

6. Using different packets for the scan (some icmp, some udp, etc.).
7. Only scan a subset of the network.

< > - +
Common Network Attacks – p.30/96
 Inverse Mapping
Uses the Internet error mechanism to the attacker’s advantage.
Example:
Send a TCP packet with the RESET flag set.
If the packet reaches its destination, the packet is dropped.
If the final router cannot deliver the packet, it sends back a
“host unreachable” (ICMP) error message.
The packets that don’t generate a response went to machines that
exist.

< > - +
Common Network Attacks – p.31/96
 Inverse Mapping Example
Attacker sends RESET packets.
V6

V5

A V4

V3

V2

V1
< > - +
Common Network Attacks – p.32/96
 Inverse Mapping Example
Router sends Host Unreachable responses.
V6

V5

A V4

V3

V2

V1
< > - +
Common Network Attacks – p.32/96
 Inverse Mapping Example
Attacker knows the victim’s machines.
V6

V5

A V4

V3

V2

V1
< > - +
Common Network Attacks – p.32/96
 Inverse Mapping Notes

The attacker knows nothing about the machines on the victims

network except which ones are there.
The victim’s machines each receive a single RESET packet.
Intrusion detection systems often ignore RESET packets.
RESET packets happen all the time, and unless one has a stateful
system, one cannot tell if a single RESET packet is normal.
Even stateful firewall may have time-outs that are short relative to
the times observed in real networks, and may flag normal
RESETs (hence may be ignored).

< > - +
Common Network Attacks – p.33/96
 Inverse Mapping Notes

Look for many RESET packets from the same machine to many
machines.
Drop RESET packets without a response if they are to IP
addresses that aren’t populated.

< > - +
Common Network Attacks – p.34/96
 Port Mapping

The attacker is looking for specific services.

There are several variations:
Brute force: scan all 65,536 ports (UDP and TCP).
Be selective: scan for a few services such as ssh, telnet, ftp,
web, etc.
Be very selective: scan for a single service.

< > - +
Common Network Attacks – p.35/96
 Port Mapping

Sometimes this is done by a program, such as a trojan or worm.

Once a machine is found running a given service, that information
is retained for future targeting.
Brute force is easy to detect.
To detect slow scans you need to study how often machines
normally send packets to closed ports.

< > - +
Common Network Attacks – p.36/96
 Stealthy Port Mapping

One way to avoid getting caught at port mapping is to make sure

your IP address does not appear in the packet.
This seems problematic however: how do you find out if the port is
open?
Recal that if the port is open, a SYN/ACK is sent in response to a
SYN.
If it is closed, a RST is sent.
Note also that if an unsolicited SYN/ACK packet is received, a
RST packet is sent, while unsolicited RST packets are ignored.

< > - +
Common Network Attacks – p.37/96
 Patsies (Idle Scan)

Suppose you can find a computer that increments its IP ID

number in a predictable manner. Call this machine Patsy.
You want to determine if another machine, Victim, has a particular
port open, port P.
Start pinging Patsy (ICMP echo requests, for example). Each
reply shows the IP ID incremented.
Send a SYN packet to port P on Victim, with Patsy as the source.
If the port is open, a SYN/ACK is sent to Patsy, Patsy sends a
RST, and you observe a skip in the IP ID in your ping stream.
If the port is open, a RST is sent to Patsy, and there is no skip in
IP IDs.

< > - +
Common Network Attacks – p.38/96
 What to do about Patsies

“The good neighbor” approach: don’t be a patsy:

Make your IP ID unpredictable.
This can be done by adding a (small) random number to the
IP ID instead of incrementing it.
The “don’t be a victim” approach:
Change the TCP stack so that when a SYN is received at a
closed port, you send a RST followed by an ACK.
The ACK packet will generate the RST that increments the IP
ID.
Note: firewalls can’t help, since the whole point is that closed
ports don’t cause an effect.

< > - +
Common Network Attacks – p.39/96
 Downsides

“The good neighbor” approach requires everyone to change,

which can be a problem, especially with entrenched systems.
The “don’t be a victim” approach adds packets, and thus
decreases efficiency.
A combination of the two is what we have, and is probably the
best.

< > - +
Common Network Attacks – p.40/96
 Fingerprinting (Active)

Fingerprinting uses the fact that implementations are free to make

choices about how to react to certain types of packets (e.g.
improperly formed ones).
The idea is to send a series of crafted packets, and see what the
response is.
Based on the responses to the packets, a determination can be
made as to the operating system of the target.

< > - +
Common Network Attacks – p.41/96
 Fingerprinting (Active)

This is used by attackers to determine the best attack to use.

System admins use this to see if machines meet their
accreditation specs.
This assumes the target system hasn’t been modified to simulate
another OS.
It is not perfect, but most active fingerprinting programs are pretty
good.

< > - +
Common Network Attacks – p.42/96
 Fingerprinting (Passive)

Operating systems also make choices when they send packets

out.
For example:
Initial Time-to-live value.
Source port range.
Sequence number generation algorithm.
Options.
DF flag set?
Type of Service
Window Size.

< > - +
Common Network Attacks – p.43/96
 Fingerprinting (Passive)

These can, to some extent, be used to determine the operating

system of a machine passively.
No packets need be sent to the machine, so there is no way to tell
if you have been (passively) fingerprinted.
This is truly a statistical problem.

< > - +
Common Network Attacks – p.44/96
 A Comment about TTL

Note that you never see the TTL value set by the remote machine.
You see the TTL decremented by an unknown number of routers.
So, you observe T − δ where T is the original TTL and δ is a
random positive integer.

< > - +
Common Network Attacks – p.45/96
 A Comment about Source Ports

Different operating systems/applications choose different source

port ranges.
However, for any session, you only see one source port.
Thus, source port range is only useful over a long time.
How do you estimate the source port range?

< > - +
Common Network Attacks – p.46/96
 TCP Hijacking

Made famous by Kevin Mitnick.

Uses a quirk of TCP sessions to allow an attacker to take over a
session between two computers.
Relies on information gathered about the machines by the
attacker.
Relies on sequence number algorithms that are easy to predict.
For example: use the next number in the sequence, or add 1007
to the previous sequence number.

< > - +
Common Network Attacks – p.47/96
 TCP Hijacking Setup

Setup: Machine A and machine B have a trust relationship,

allowing machine B to log into machine A without requiring a
password.
Attacker must first determine the sequence number algorithm
machine A uses.
This can be accomplished by sending a bunch of SYN packets to
A and see what the responding sequence numbers look like. If
these are predictable, then the hijacking has a chance.

< > - +
Common Network Attacks – p.48/96
 TCP Hijacking Details

Attacker SYN floods machine B to make sure it doesn’t respond to

anything from A.
Attacker sends a SYN packet to A spoofed to appear to be from B.
A responds to B with a SYN/ACK.
Attacker then sends an ACK packet with the correct (inferred)
acknowledgment number. A thinks this is part of the session and
proceeds as if it were talking to B.

< > - +
Common Network Attacks – p.49/96
 TCP Hijacking Details

The attacker could in principle carry on this hijacked session as if

it were a real session.
Instead, the attacker sends the commands to put “++” in the
.rhosts file.
This makes the victim trust everyone, and the attacker can now
access the machine remotely.

< > - +
Common Network Attacks – p.50/96
 TCP Hijacking Example

Machine A Machine B

Attacker

Attacker sends SYN packets to A to determine it’s

sequence number generator.
< > - +
Common Network Attacks – p.51/96
 TCP Hijacking Example

Machine A Machine B

Attacker

Attacker SYN floods Machine B.

< > - +
Common Network Attacks – p.51/96
 TCP Hijacking Example

Machine A Machine B

Attacker

Machine B goes down.

< > - +
Common Network Attacks – p.51/96
 TCP Hijacking Example

Machine A Machine B

Attacker

Attacker sends SYN packet to A

spoofed as if from B.
< > - +
Common Network Attacks – p.51/96
 TCP Hijacking Example

Machine A Machine B

Attacker

A sends SYN/ACK to B
which is ignored since B is down.
< > - +
Common Network Attacks – p.51/96
 TCP Hijacking Example

Machine A Machine B

Attacker

Attacker sends ACK packet to A

completing the handshake.
< > - +
Common Network Attacks – p.51/96
 TCP Hijacking Example

Machine A Machine B

Attacker

A thinks it has an open session

with a trusted machine.
< > - +
Common Network Attacks – p.51/96
 TCP Hijacking Example

Machine A Machine B

X
echo “++” > .rhosts

Attacker

Attacker sets A to trust his machine.

< > - +
Common Network Attacks – p.51/96
 Stopping Hijacking

Don’t be trusting.
Use a hard to predict sequence number generator.
Watch for sequence number guessing attempts.
Block all access to attackers at the firewall (if it SYN floods, block
it).
This last is potentially dangerous (what if the SYN flood appears
to come from your ISP?).

< > - +
Common Network Attacks – p.52/96
 Are Sequence Numbers Predictable?

si+1 − si × si+2 − si+1

2e+09
1e+09
0e+00
y[,2]

−1e+09
−2e+09
−3e+09

−2e+09 −1e+09 0e+00 1e+09 2e+09 3e+09 4e+09

y[,1]

< > - +
Common Network Attacks – p.53/96
 Are Sequence Numbers Predictable?

si+1 − si × si+2 − si+1

2e+09
1e+09
0e+00
y[,2]

−1e+09
−2e+09
−3e+09

−4e+09 −2e+09 0e+00 2e+09

y[,1]

< > - +
Common Network Attacks – p.54/96
 Are Sequence Numbers Predictable?

si+1 − si × si+2 − si+1

4e+09
3e+09
2e+09
1e+09
y[,2]

0e+00
−1e+09
−2e+09

−2e+09 −1e+09 0e+00 1e+09 2e+09 3e+09 4e+09

y[,1]

< > - +
Common Network Attacks – p.55/96
 SHADOW

Secondary Heuristic Analysis for Defensive Online Warfare

Guess which came first, the acronym or the name.
Uses a tcpdump sensor outside (and/or inside) a firewall to collect
all the packet headers within one hour.
Sensor files transfered each hour (via SSH) to an analysis station.

< > - +
Common Network Attacks – p.56/96
 SHADOW

Headers filtered with tcpdump filters and perl scripts and sent to a
web page.
Analyst reviews the web page and reports attacks or suspicious
activity.
Includes ability to search past data, do whois lookups, and nmap
machines.

< > - +
Common Network Attacks – p.57/96
 SHADOW
Collects some statistics on traffic.
Newest version allows some reduction:
10.10.10.31 -> 192.78.[1-255].[1-78].22
10.10.10.31 -> 192.78.8.52.[0-65535]
Automates some of the tedium of generating reports.
Relies on the analyst for all decisions.
Not “real time”. Always at least 1 hour after the fact. Does not take
any action. Purely a monitoring system.

< > - +
Common Network Attacks – p.58/96
 Typical SHADOW Installation

Sensor Analysis

Firewall

Internet

Internal Network

< > - +
Common Network Attacks – p.59/96
 SHADOW Advantages
It’s free.
It is easily configurable to one’s network.
It looks at all the traffic (headers) coming in or going out of the
network.
Simple web interface for the analyst.
SANS has many classes that are based around the SHADOW
idea.
Quickly points out misconfigurations on your network.
Supports multiple sensors.

< > - +
Common Network Attacks – p.60/96
 SHADOW Disadvantages

No support. You are on your own.

Not “real time”.
Does not look at content, hence many attacks are not detectable.
However, one can easily add a snort sensor alongside the
tcpdump.
You MUST know your network well in order to use this well (some
would call this an advantage).

< > - +
Common Network Attacks – p.61/96
 SHADOW Disadvantages

Since no processing is done on the sensor, the transfer of the

data can impact the network, unless a subnet is used between the
sensor and the analysis station.

< > - +
Common Network Attacks – p.62/96
 EMERALD

Event Monitoring Enabling Responses to Live Disturbances.

Environment for scalable, distributed ID and network monitoring.
Hierarchical model, highly modular.
Employs anomaly detection engines utilizing probabilistic models
of normal, attack and anomalous behavior.

< > - +
Common Network Attacks – p.63/96
 EMERALD

Three basic levels of processing:

Service Monitors.
Domain Monitors.
Enterprise-wide Monitors.

< > - +
Common Network Attacks – p.64/96
 EMERALD Monitors

Four computational units:

Signature based IDS.
Statistical profiling/anomaly detection.
Resolver, for fusing alerts, responding to attacks, and
communicating to other monitors.
Resource object, for configuration management.

< > - +
Common Network Attacks – p.65/96
 EMERALD Monitors

These tend to be stand-alone and self contained.

May be passive (reading logs, monitoring network) or active
(scanning and probing).

< > - +
Common Network Attacks – p.66/96
 Signature Engine

Analogous to a set of SHADOW filters or snort ruleset.

Utilizes a set of rules defining a signature of a known attack.
Can be configured individually to the situation.

< > - +
Common Network Attacks – p.67/96
 Profiler

Statistical anomaly detector.

Uses NIDES (next-generation intrusion detection expert system)
to statistically profile the network or host.
Allows the detection of new attacks, since they presumably look
“different” than normal traffic.

< > - +
Common Network Attacks – p.68/96
 Resolver

Coordinator between the other monitors and IDS systems.

Correlates results from profiler and signature engine.
Communicates detections to higher levels in the hierarchy.

< > - +
Common Network Attacks – p.69/96
 Resource Object

Contains all the information about data feeds, rule sets, etc.
Essentially the configuration mechanism for the module.

< > - +
Common Network Attacks – p.70/96
 Service Monitors

Lowest level of the hierarchy.

Individual ID systems or sensors.
Host-based IDS or network monitors for small networks.
Communicate to the domain monitors, and to other service
monitors.

< > - +
Common Network Attacks – p.71/96
 Domain Monitors

Correlate the results from the Service Monitors.

Same basic components as the Service Monitors.
Provide an overall picture of the health of the site.
Look for higher level correlations that are not visible at the lower
level.

< > - +
Common Network Attacks – p.72/96
 Enterprise Monitors

Correlate the results from the Domain Monitors.

Same basic components as the Service Monitors.
Provide an overall picture of the health of the entire organization,
across several sites.
Look for network-wide threats like worms, distributed attacks, etc.

< > - +
Common Network Attacks – p.73/96
 ADAM

Audit Data Analysis and Mining, GMU.

Network based anomaly detector.
TCP/IP monitor, looks for DOS, scans.
Data mining: mining association rules.

< > - +
Common Network Attacks – p.74/96
 Association Rules

An association rule is a way of expressing a relationship of the

form “If A then B”, written as A → B.
Network based anomaly detector.
Given a data set X, look for patterns where:
A and B both occur together.
A → B has support s if they occur s% of the time.
A → B has confidence c if c% of the times that A occurs, B
does as well.

< > - +
Common Network Attacks – p.75/96
 Association Rules

This provides a way of encoding patterns.

These association rules are “learned” from the data.

< > - +
Common Network Attacks – p.76/96
 ADAM Processing

Three modules:
Preprocessing engine.
Data Mining (rule set extraction) engine.
Classification Engine.
Involves a training phase and a detection phase.

< > - +
Common Network Attacks – p.77/96
 ADAM Processing

Looks for “static” rules: things that have high support in the whole
data set. Global patterns.
Also looks for “dynamic” rules: uses a sliding window to look for
local patterns.
Uses header fields:
Time.
Source/Destination IP.
Source/Destination port.
TCP flags.

< > - +
Common Network Attacks – p.78/96
 Performance

Emerald and ADAM were first and second in the 1999 DARPA
evaluation (by some measures).
This was a test on simulated data.
Researchers were given a data set with truth (attacks and normal
traffic notated).
Researchers were then given a test set without truth, and had to
detect the attacks.
No system performed perfectly. One could argue that none
performed adequately.

< > - +
Common Network Attacks – p.79/96
 SANS Top 20 List

http://www.sans.org/top20/

< > - +
Common Network Attacks – p.80/96
 An Example Microsoft FAQ

What is the scope of the vulnerability?

This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights. However, attempts to exploit this vulnerability could most likely
result in a denial of service condition.
What causes the vulnerability?
An unchecked buffer in the Print Spooler service.

< > - +
Common Network Attacks – p.81/96
 Continued

What is Print Spooler service?

The Print Spooler service, Spoolsv.exe, is an executable file that is
installed as a service. The spooler is loaded when the operating
system starts, and it continues to run until the operating system is shut
down. The Print Spooler service manages the printing process, which
includes such tasks as retrieving the location of the correct printer
driver, loading that driver, spooling high-level function calls into a print
job, and scheduling print jobs. When the tasks for a particular print job
are complete, the Print Spooler service passes the job to the print
router. For more information about the Print Spooler service, visit the
following Web site.

< > - +
Common Network Attacks – p.82/96
 Continued

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability for remote
code execution could take complete control of the affected system. On
Windows XP Service Pack 2 and Windows Server 2003 this issue
would result in a denial of service condition. On other operating
system versions, attempts to exploit this vulnerability would most likely
result in a denial of service condition. However remote code execution
could be possible.

< > - +
Common Network Attacks – p.83/96
 Continued

Who could exploit the vulnerability?

On Windows 2000 and Windows XP Service Pack 1, any anonymous
user who could deliver a specially crafted message to the affected
system could try to exploit this vulnerability. On Windows XP Service
Pack 2 and Windows Server 2003, this vulnerability is restricted to
authenticated users. An authenticated attacker may also be able to log
on locally to a system and attempt to exploit this vulnerability on all
affected operating system versions.

< > - +
Common Network Attacks – p.84/96
 Continued

How could an attacker exploit the vulnerability?

An attacker could try to remotely exploit the vulnerability by creating a
specially crafted message and sending the message to an affected
system. The message could then cause the affected system to
execute code on operating system versions and configurations that
were vulnerable to remote attack vectors. By default, Windows 2000
and Windows XP Service Pack 1 are vulnerable remotely. A remote
attack vector cannot be created on Windows XP SP2 or on Windows
Server 2003 unless a user who has appropriate permission shares a
printer or tries to connect to a shared printer.
To locally exploit this vulnerability on all operating system versions, an
attacker would first have to log on to the system. An attacker could then
run a specially-crafted application that could exploit the vulnerability.

< > - +
Common Network Attacks – p.85/96
 Continued

What systems are primarily at risk from the vulnerability?

Windows 2000 and Windows XP Service Pack 1 are primarily at risk
from this vulnerability. Windows XP Service Pack 2 and Windows
Server 2003 systems are at a reduced risk because of the additional
mitigating factors that exist on these operating system versions.
However, systems configured as Printer Servers are especially at risk
to this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet.
Firewall best practices and standard default firewall configurations can
help protect against attacks that originate from the Internet. Microsoft
has provided information about how you can help protect your PC. End
users can visit the Protect Your PC Web site. IT professionals can visit
the Security Guidance Center Web site.

< > - +
Common Network Attacks – p.86/96
 Continued

What does the update do?

The update removes the vulnerability by modifying the way that Print

Spooler service validates the length of a message before it passes the

message to the allocated buffer.

< > - +
Common Network Attacks – p.87/96
 Utilities

nmap.
p0f.
snort.

< > - +
Common Network Attacks – p.88/96
 Nmap

A powerful network scanner.

Can:
scan for open ports
perform active fingerprinting
evaluate vulnerabilities
act stealthy in the scans
spoof IP address to make it difficult to determine the scanner
Useful tool for security analysis.
Useful tool for an attacker.

< > - +
Common Network Attacks – p.89/96
 Nmap Example

nmap -sS -v -O localhost

< > - +
Common Network Attacks – p.90/96
 Nmap Example

Adding TCP port 25 (state Open).

Adding TCP port 13 (state Open).
Adding TCP port 1024 (state Open).
Adding TCP port 9 (state Open).
Adding TCP port 111 (state Open).
Adding TCP port 513 (state Open).
Adding TCP port 515 (state Open).
Adding TCP port 80 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 22 (state Open).

< > - +
Common Network Attacks – p.91/96
 Nmap Example

Adding TCP port 22 (state Open).

Adding TCP port 37 (state Open).
Adding TCP port 514 (state Open).
Adding TCP port 841 (state Open).
Adding TCP port 1 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 0 seconds to scan 1068 ports.
For OSScan assuming that port 1 is open and port
31200 is closed and neither are firewalled

< > - +
Common Network Attacks – p.92/96
 Nmap Example
Port State Protocol Service
1 open tcp tcpmux
9 open tcp discard
13 open tcp daytime
21 open tcp ftp
22 open tcp ssh
23 open tcp telnet
25 open tcp smtp
37 open tcp time
80 open tcp www
111 open tcp sunrpc
513 open tcp login

< > - +
Common Network Attacks – p.93/96
 Nmap Example

TCP Sequence Prediction: Class=trivial time dependency Difficulty=26

(Easy)
Sequence numbers: 799148C0 799229C0 799339A0 79943580
79952B20 79961440
Remote operating system guess: IRIX 6.4 - 6.5
Nmap run completed - 1 IP address (1 host up) scanned in 1 second

< > - +
Common Network Attacks – p.94/96
 p0f

Passive fingerprinting off of TCP SYN packets.

Uses time-to-live (TTL) (etc) to determine likely operating system.
Has extensive database of operating systems.
Must estimate TTL.

http://lcamtuf.coredump.cx/p0f.shtml

< > - +
Common Network Attacks – p.95/96
 snort

Light weight network intrusion detection system.

Uses tcpdump-like filters, plus content.
Extensible through plug-ins.

http://www.snort.org

< > - +
Common Network Attacks – p.96/96