Thursday, January 12, 2006

ICMP tunneling

Ping traffic is ubiquitous on almost every TCP/IP based network and subnetwork. It has a standard packet format recognized by every IP-speaking router and is used universally for network management, testing, and measurement. As such, many firewalls and networks consider ping traffic to be benign and allow it to pass through unmolested. This project explores why that practice can be insecure. Ignoring the obvious threat of the done-to-death denial of service attack, use of ping traffic can open up covert channels through the networks in which it is allowed.

Loki, Norse god of deceit and trickery, the 'Lord of Misrule', was well known for his subversive behavior. Inversion and reversal of all sorts were typical of him. Due to its clandestine nature, we chose to name this project after him. The Loki Project consists of a whitepaper covering this covert channel in detail. The source code is not for distribution at this time.

--[ Overview ]--

This whitepaper is intended as a complete description of the covert channel that exists in networks that allow ping traffic (hereon referred to in the more general sense of ICMP_ECHO traffic, see below) to pass. It is organized into sections:

Section I. ICMP Background Info and the Ping Program
Section II. Basic Firewall Theory and Covert Channels
Section III. The Loki Premise
Section IV. Discussion, Detection, and Prevention
Section V. References

(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first read Section I.)

Section I. ICMP Background Info and the Ping Program

The Internet Control Message Protocol is an adjunct to the IP layer. It is a connectionless protocol used to convey error messages and other information to unicast addresses. ICMP packets are encapsulated inside of IP datagrams. The first 4 bytes of the header (type, code, and checksum) are the same for every ICMP message, with the remainder of the header differing for different ICMP message types. There are 15 different types of ICMP messages.
The ICMP types we are concerned with are type 0x0 and type 0x8. ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 0x8 indicates an ICMP_ECHO (the query). The normal course of action is for a type 0x8 to elicit a type 0x0 response from a listening server. (Normally, this server is actually the OS kernel of the target host. Most ICMP traffic is, by default, handled by the kernel.) This is what the ping program does. Ping sends one or more ICMP_ECHO packets to a host. The purpose may just be to determine if a host is in fact alive (reachable). ICMP_ECHO packets also have the option to include a data section. This data section is used when the record route option is specified, or, the more common case (usually the default), to store timing information used to determine round-trip times. (See the ping(8) man page for more information on these topics.) An excerpt from the ping man page:

"...An IP header without options is 20 bytes. An ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an arbitrary amount of data. When a packetsize is given, this indicates the size of this extra piece of data (the default is 56). Thus the amount of data received inside of an IP packet of type ICMP ECHO_REPLY will always be 8 bytes more than the requested data space (the ICMP header)..."

Although the payload is often timing information, no device checks the content of the data; the host answering an ICMP_ECHO simply copies whatever data the request carried into its ICMP_ECHOREPLY. So, as it turns out, this data can be arbitrary in content as well. Therein lies the covert channel.

Section II. Basic Firewall Theory and Covert Channels

The basic tenet of firewall theory is simple: to shield one network from another. This can be clarified further into 3 provisional rules:

1. All traffic passing between the two networks must pass through the firewall.
2. Only traffic authorized by the firewall may pass through (as dictated by the security policy of the site it protects).
3. The firewall itself is immune to compromise.
A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange. Therefore, as a matter of consequence, covert channels cannot be detected or deterred using a system's normal (read: unmodified) security policy. In theory, almost any process or bit of data can be a covert channel. In practice, it is usually quite difficult to elicit meaningful data from most covert channels in a timely fashion. In the case of Loki, however, it is quite simple to exploit. A firewall, in its most basic sense, seeks to preserve the security policy of the site it protects. It does so by enforcing the 3 rules above. Covert channels, however, by their very definition, are not subject to a site's normal security policy.

Section III. The Loki Premise

The concept of the Loki Project is simple: arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. Loki exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. They simply pass them, drop them, or return them. The trojan packets themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate (tunnel) any information we want. From here on out, Loki traffic will refer to ICMP_ECHO traffic that tunnels information. (Astute readers will note that Loki is simply a form of steganography.)

Loki is not a compromise tool. It has many uses, none of which are breaking into a machine. It can be used as a backdoor into a system by providing a covert method of getting commands executed on a target machine. It can be used as a way of clandestinely leeching information off of a machine. It can be used as a covert method of user-machine or user-user communication. In essence the channel is simply a way to secretly shuffle data (confidentiality and authenticity can be added by way of cryptography).
Loki is touted as a firewall subversion technique, but in reality it is simply a vessel to covertly move data. *Through* exactly what we move this data is not so much an issue, as long as it passes ICMP_ECHO traffic. It does not matter: routers, firewalls, packet-filters, dual-homed hosts, etc. can all serve as conduits for Loki.

Section IV. Discussion, Detection and Prevention

If ICMP_ECHO traffic is allowed, then this channel exists. If this channel exists, then it is unbeatable as a backdoor (once the system is compromised). Even with extensive firewalling and packet-filtering mechanisms in place, this channel continues to exist (provided, of course, they do not deny the passing of ICMP_ECHO traffic). With a proper implementation, the channel can go completely undetected for the duration of its existence.

Detection can be difficult. If you know what to look for, you may find that the channel is being used on your system. However, knowing when to look, where to look, and the mere fact that you *should* be looking all have to be in place. A surplus of ICMP_ECHOREPLY packets with a garbled payload can be a ready indication the channel is in use. Other ready indicators are echo replies for which no matching request was seen, replies whose data differs from the request they answer, and payloads whose size or filler bytes do not match what the site's ping implementations emit. The standalone Loki server program can also be a dead give-away. However, if the attacker keeps traffic on the channel to a minimum and hides the Loki server *inside* the kernel, detection suddenly becomes much more difficult.

Disruption of this channel is simply preventative. Disallow ICMP_ECHO traffic entirely. ICMP_ECHO traffic, when weighed against the security liabilities it imposes, is simply not *that* necessary. Restricting ICMP_ECHO traffic to be accepted from trusted hosts only is ludicrous with a connectionless protocol such as ICMP. Forged traffic can still reach the target host.
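The tunneling described in Section III and the payload tell-tales discussed above in Section IV, as an added example that is not part of the whitepaper and is not the Loki source: it builds ICMP echo packets (the 8-byte header from Section I plus a 56-byte data field, as in the ping(8) excerpt), fills the data field either with an ordinary ping pattern or with tunneled bytes, and then screens a constructed capture for data that does not look like ping, replies that do not echo their request, and replies with no request. The ping filler layout (8-byte timestamp followed by bytes 0x10, 0x11, ...) is assumed from the Linux iputils ping; the "address + length + data" framing, the addresses and the command string are constructed for the example and are not Loki's real format.

```python
"""Added example: ICMP echo as a covert channel, and a screen for it.
Not from the Loki whitepaper or source; framing and traffic are constructed."""
import struct

ICMP_ECHOREPLY = 0
ICMP_ECHO = 8
DEFAULT_DATA_LEN = 56           # ping(8) default data size, header excluded


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.  Returns 0 for a
    packet whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, identifier, sequence) + data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP echo/reply into its header fields and data."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    t, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": t, "code": code, "id": ident, "seq": seq, "data": packet[8:]}


def ping_payload(timestamp: bytes = b"\x00" * 8, size: int = DEFAULT_DATA_LEN) -> bytes:
    """Assumption: iputils ping layout, 8-byte timestamp then filler bytes
    0x10, 0x11, ...  Other ping implementations use other patterns."""
    return timestamp + bytes(range(0x10, 0x10 + size - len(timestamp)))


def loki_payload(reply_to: bytes, data: bytes, size: int = DEFAULT_DATA_LEN) -> bytes:
    """Assumed framing (not Loki's real format): 4-byte reply address, 1-byte
    length, data, zero padding so the packet is sized like a default ping."""
    assert len(reply_to) == 4 and len(data) <= size - 5
    return reply_to + bytes([len(data)]) + data + b"\x00" * (size - 5 - len(data))


def unpack_loki(data: bytes) -> tuple:
    """Inverse of loki_payload: (reply address, tunneled bytes)."""
    n = data[4]
    return data[:4], data[5:5 + n]


def looks_like_ping(data: bytes) -> bool:
    """True when the bytes after the timestamp match the assumed filler."""
    return len(data) >= 8 and data[8:] == ping_payload(data[:8], len(data))[8:]


def screen(capture: list) -> list:
    """Flag echo traffic that does not behave like ping.  capture is a list of
    (src, dst, raw_icmp_bytes); findings are (reason, src, dst, seq)."""
    findings = []
    pending = {}                                    # (src, dst, id, seq) -> data
    for src, dst, raw in capture:
        p = parse_echo(raw)
        if p["type"] == ICMP_ECHO:
            pending[(src, dst, p["id"], p["seq"])] = p["data"]
            if not looks_like_ping(p["data"]):
                findings.append(("nonstandard-request-data", src, dst, p["seq"]))
        elif p["type"] == ICMP_ECHOREPLY:
            req = pending.pop((dst, src, p["id"], p["seq"]), None)
            if req is None:
                findings.append(("orphan-reply", src, dst, p["seq"]))
            elif req != p["data"]:                  # RFC 792: reply must echo the data
                findings.append(("reply-data-mismatch", src, dst, p["seq"]))
    return findings


def demo() -> list:
    """Constructed capture: an honest ping exchange, a tunneled command and its
    answer, and an unsolicited reply from a spoofed address."""
    normal = ping_payload(b"\x11" * 8)
    secret = loki_payload(bytes([10, 0, 0, 5]), b"id;uname -a")
    answer = loki_payload(bytes([10, 0, 0, 5]), b"Linux")
    capture = [
        ("10.0.0.5", "10.0.0.9", build_echo(ICMP_ECHO, 0x1234, 1, normal)),
        ("10.0.0.9", "10.0.0.5", build_echo(ICMP_ECHOREPLY, 0x1234, 1, normal)),
        ("10.0.0.5", "10.0.0.9", build_echo(ICMP_ECHO, 0x1234, 2, secret)),
        ("10.0.0.9", "10.0.0.5", build_echo(ICMP_ECHOREPLY, 0x1234, 2, answer)),
        ("192.0.2.1", "10.0.0.9", build_echo(ICMP_ECHOREPLY, 0xBEEF, 7, secret)),
    ]
    return screen(capture)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The screen is a heuristic, not a filter: it needs one filler pattern per ping implementation in use, and an operator who confines the tunneled bytes to the 8-byte timestamp field, keeps the reply an exact copy of the request, and answers only requests the target actually saw slips past all three checks. That is the point the whitepaper makes: the channel is closed by denying ICMP_ECHO, not by inspecting it.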
A Loki packet with a forged source IP address will still arrive at the target (and will elicit a legitimate ICMP_ECHOREPLY, which travels to the spoofed host and is subsequently dropped silently). Its data field can carry the 4-byte IP address of the desired destination for the Loki response packets, as well as 51 bytes of malevolent data... While the possibility exists for a smart packet filter to check the payload field and ensure that it *only* contains legal information, such a filter for ICMP is not in wide usage, and could still be fooled. The only sure way to destroy this channel is to deny ALL ICMP_ECHO traffic into your network.

NOTE: This channel exists in many other protocols. Loki simply covers ICMP, but in theory (and practice) any protocol is vulnerable to covert data tunneling. All that is required is the ingenuity...

Section V. References

Books: TCP/IP Illustrated, vols. I, II, III
RFCs: RFC 792, Internet Control Message Protocol
Source: Loki v1.0
Ppl: We did not pioneer this concept. To our knowledge, it was discovered independently of our efforts, prior to our research. This party wishes to remain aloof.

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me... Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..." Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me... Or thinks I'm a smart ass... Or doesn't like teaching and shouldn't be here... Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're
Be the master of the lock

Have you ever tried to impress your friends by picking one of those Master combination locks and failed? Well then read on. The Master lock company has made this kind of lock with a protection scheme. If you pull the handle of it hard, the knob won't turn. That was their biggest mistake... Ok, now on to it.

1st number. Get out any of the Master locks so you know what's going on. 1: The handle part (the part that springs open when you get the combination), pull on it, but not enough so that the knob won't move. 2: While pulling on it, turn the knob to the left until it won't move any more. Then add 5 to this number. Congratulations, you now have the 1st number.

2nd number (a lot tougher). Ok, spin the dial around a couple of times, then go to the 1st number you got, then turn it to the right, bypassing the 1st number once. When you have bypassed it, start pulling the handle and turning it. It will eventually fall into a groove and lock. While in the groove, pull on it and turn the knob. If it is loose, go to the next groove; if it's stiff, you've got the second number.

3rd number: After getting the 2nd, spin the dial, then enter the 2 numbers, then after the 2nd, go to the right and at all the numbers pull on it. The lock will eventually open if you did it right. If you can't do it the first time, be patient, it takes time.

Tuesday, January 03, 2006

Vondafin submits "The 13 year old boy seems to have given the school district a lesson in the need to back up, as files were deleted from the school's computers. In return the school suspended the boy for ten days. The question at hand is what was the hack; was it a hack, or do they call deleting files hacking nowadays? This article says the computer system had a black hole in security, which would lead one to believe it was a hack and not just files being deleted. The files deleted were the school's computerized student reading program, aka Reader Rabbit?"

You just have to love a young hacker....... wait and see what he does when he's 30!!!!!!!!
cyphex submits "The fugitive Massachusetts businessman charged in the first criminal case to arise from an alleged DDoS-for-hire scheme has appeared on an FBI most wanted list, while the five men accused of carrying out his will are headed for federal court.

Jay Echouafni, 37, is a fugitive from a five-count federal indictment in Los Angeles charging him with aiding and abetting computer intrusion and with conspiracy. As CEO of the online satellite TV retailer Orbit Communication Corp, Echouafni allegedly paid a business associate to recruit members of the computer underground to cripple three online stores, resulting in long periods of downtime and an estimated $2m in losses to the businesses and their service providers.

Echouafni was arrested in Massachusetts last March and released on $750,000 bail secured by his house. According to the government, he disappeared over the summer, while his case was in a preliminary stage, shortly after his attorney won a motion to permit Echouafni's wife and children to "travel freely within and outside of the United States of America," and to have their passports returned. The FBI said in August that they suspect Echouafni has fled to his home country of Morocco.

This week the Washington Post spotted the accused DDoS mastermind on the FBI's Crime Alert website - an extension of the bureau's famous Ten Most Wanted list - where he's listed as Saad Echouafni.

"The FBI had a wanted poster for him shortly after the indictment was returned, but I think the addition to the most wanted came recently," says Arif Alikhan, Echouafni's prosecutor. "It's not the top ten, those are usually reserved for violent felons or terrorists."

Echouafni's alleged co-conspirators are scheduled to appear in a federal court in southern California later this month. Paul Ashley, 30, the former operator of the CIT/Foonet hosting company, is named as Echouafni's go-between in arranging two of the attacks. Joshua Schichtel, Jonathan Hall, Lee Walker, and Richard Roby, known online as "Emp," "Rain," "sorCe," and "Krashed" respectively, are accused of actually carrying out the attacks.

Echouafni's electronic wanted poster puts additional thrust behind an investigation that was already one of a handful of cases cited last August by U.S. Attorney General John Ashcroft in announcing what the Justice Department called "Operation Web Snare" - a tallying of over 150 recent and ongoing federal criminal cases relating to computers or identity theft. Ashcroft said the case illustrates "the increased use of the Internet to damage rival businesses and communicate threats for commercial advantage
Hi, I discovered a NEW security hole / exploit in IE6 with SP2 and all the latest security patches. Overview of the exploit:

* Bug for all Microsoft Internet Explorer users
* Can be abused by hackers to run harmful JavaScript code and can be abused to mislead existing protection against harmful JavaScript code, like software from Norton, McAfee, ...
* Can be abused to mislead the search engines Google, MSN, Yahoo, AltaVista, ...
* Unpleasant for JavaScript programmers

All the information about the NEW horrible bug (info, exploit, ...), see the page

The bug is reported to Microsoft. I publish this bug/exploit because a known security flaw is less dangerous than an unknown security hole that can be used by real hackers, swindlers or racketeers.

Hack the Planet