Sunday, May 29, 2011

Distributed DOS Attacks

DOS attacks are not new; in fact, they have been around for a long time. However, there has been a recent wave of Distributed Denial of Service attacks, which pose a great threat to security and are on the verge of overtaking viruses/Trojans to become the deadliest threat to Internet security.

In a distributed DOS attack, a group of, say, five hackers joins forces and decides to bring a Fortune 500 company's server down. Each one of them breaks into a smaller, less-protected network and takes control of it. They now have five networks, and supposing there are around 20 systems in each network, that gives the hackers around 100 systems in all to attack from. They connect to these networks, install a Denial of Service tool on the hacked systems, and launch attacks on the Fortune 500 company from them. This makes the hackers harder to detect and helps them do what they wanted without getting caught. As they have full control over the smaller, less-protected networks, they can easily remove all traces before the authorities get there.

Friday, May 27, 2011

Hack Windows Login Password

To hack the Windows login password, reboot and wait for the message:

"Starting Windows 9x..."

When you see this on the screen, press F8. The boot menu will come up. Select option 7 to boot into DOS. Then go to the Windows directory by typing:

C:\>cd windows

Then, rename all files with the extension .pwl by typing the following command:

C:\WINDOWS>ren *.pwl *.xyz

or delete them by typing:

C:\WINDOWS>del *.pwl

Now, when the Windows password login pops up, you can type anything in the password field. As you have renamed (or deleted, although renaming is better, since the victim will not know that his PC has been tampered with) the password files, Windows cannot find the file, so whatever password you enter, Windows accepts it as the original password.

Tuesday, May 24, 2011

BIOS Passwords

The BIOS settings are the basic settings of your computer, such as how many and what kinds of disk drives you have, which ones are enabled and which are disabled, and which ones are used for booting. These settings are held in a CMOS chip on the motherboard. A tiny battery keeps this chip always running so that even when you turn your computer off, it still remembers its settings.

A common method of entering the BIOS is pressing the Del key at boot-up. Other common methods are pressing Ctrl + Alt + Esc or only Ctrl + Esc. Most computers have a BIOS which can be configured to ask for a password as soon as the computer is switched on. If the Ask Password option is enabled, then as soon as the PC is switched on, a dialog box welcomes you and asks you for the password. You cannot override this and there is no way of disabling it, because to enter the BIOS you need to know the BIOS password. So, what do you do? Disable it by hacking into the BIOS setup. But there's a catch: to disable the BIOS password, you need to enter the BIOS, and as soon as you enter the BIOS, it asks for a password. The most common method of getting past this password prompt is to try some default BIOS passwords, such as:

lkwpeter    AMI       cmos
j262        Award     AMI!SW1
AWARD_SW    bios      AMI?SW1
AWARD_PW    BIOS      password
Biostar     setup     hewittrand


'j262' opens most versions of Award BIOS; it works about 80 percent of the time. 'AWARD_SW' and 'AWARD_PW' work on some computers as well, but less often. In some BIOSes, Shift + s y x z also works.

The company name and version of the BIOS is displayed on the screen each time the system boots.

If the default passwords do not work, then get ready for some serious hacking: try to reset the BIOS to its default settings so that it asks for no password at all. Do the following:

First, you have to open the computer and look for a round lithium battery; it probably looks like a silver coin. Remove the battery and, after 30 seconds or so, put it back. Some computers may also require you to reset a jumper, so look for a 3-pin jumper and reset it. For example, on most machines you will find a three-pin jumper; move the jumper cap onto pins two and three, leave it there for over five seconds, and the CMOS will be reset.

When you boot the machine, some BIOS may give an error saying that the BIOS was reset or tampered with, but that is not such a big problem.

CAUTION: Messing with the CMOS chip and the jumper is more dangerous than editing system files. So, do everything with utmost caution.

Monday, May 23, 2011

What is a password?

Passwords are one of the oldest forms of authentication mechanism used on systems across the world. Password prompts, where one is asked to enter the correct username-password pair, are what prevent infiltration and ensure privacy. Every computer criminal aspires to get past the password prompt and gain illegal access to sensitive data for malicious purposes. Even the data on Windows systems is protected through the password protection mechanism.

As soon as one boots a Windows system, one is greeted by a welcome password prompt, which on most systems can, unfortunately, be bypassed simply by clicking on the Cancel button. Even after the Windows session has begun, it is possible for a user to enforce password protection on specific files, folders or drives. In other words, passwords have also become one of the most commonly used authentication mechanisms on systems worldwide. It would be safe to say that passwords are the most important security mechanism ever deployed.

Unfortunately, most people continue to treat passwords as a set of random and useless characters. It is also becoming increasingly easy for computer criminals to break password protection mechanisms using sophisticated tools and algorithms. Moreover, the most common passwords continue to be a blank or the same as the username. Once an attacker finds out the victim's password, there is an endless number of malicious activities that can be carried out. Hence, it has become very important for Windows users to take basic precautions to improve the overall security of the system. In this section we discuss some of the most common tips and tricks related to passwords and authentication that every Windows user must know.

Warning: It is always a good idea to back up all system files involved to avoid any accidental damage.

Saturday, May 21, 2011

UDP-flood attack

A UDP-flood attack typically exploits the target system's chargen or echo services to create an infinite loop between two or more UDP services. CERT describes UDP-flood attacks as follows:

When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered. Anyone with network connectivity can launch an attack; no account access is needed.

For example, by connecting a host's chargen service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced. In addition, if two or more hosts are so connected, the intervening network may also become congested and deny service to all hosts whose traffic traverses that network.

Countermeasure :- To counteract a UDP-flood attack, it's a good idea to disable the chargen and echo services unless and until you really need them. In addition, disable as many other UDP services (which are not really important) as possible.
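The loop CERT describes leaves a recognisable trace in flow records: UDP traffic whose source and destination ports are both output-producing services (echo on 7, chargen on 19). The following detector is an added example, not code from the original post; the flow-record format and the sample records are constructed for it, and it flags such flows whether they run between two hosts or loop back on one host.

```python
import re
from collections import defaultdict

# UDP "simple services" that answer every datagram with output. Two of them
# pointed at each other keep answering each other indefinitely (the CERT loop).
LOOPING_SERVICES = {7: "echo", 19: "chargen"}

# Constructed flow records for this example (not real traffic):
#   proto src:sport -> dst:dport pkts=N
SAMPLE_FLOWS = """\
UDP 10.0.0.5:19 -> 10.0.0.8:7 pkts=48210
UDP 10.0.0.8:7 -> 10.0.0.5:19 pkts=48190
UDP 10.0.0.5:19 -> 10.0.0.5:7 pkts=9150
UDP 10.0.0.12:53412 -> 10.0.0.1:53 pkts=12
UDP 10.0.0.9:123 -> 10.0.0.1:123 pkts=3
TCP 10.0.0.9:4401 -> 10.0.0.8:80 pkts=30
"""

FLOW_RE = re.compile(r"^(UDP|TCP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+pkts=(\d+)$")


def parse_flows(text):
    """Return (proto, src, sport, dst, dport, pkts) for each well-formed record."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            proto, src, sport, dst, dport, pkts = m.groups()
            flows.append((proto, src, int(sport), dst, int(dport), int(pkts)))
    return flows


def find_udp_loops(flows):
    """Return {((hostA, portA), (hostB, portB)): packets} for UDP flows whose
    BOTH endpoints are looping services. The endpoint pair is normalised so
    the two directions of one loop are summed into a single entry."""
    loops = defaultdict(int)
    for proto, src, sport, dst, dport, pkts in flows:
        if proto != "UDP" or sport not in LOOPING_SERVICES \
                or dport not in LOOPING_SERVICES:
            continue
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        loops[key] += pkts
    return dict(loops)


def describe(loops):
    """Human-readable report lines, busiest loop first."""
    lines = []
    for (a, b), pkts in sorted(loops.items(), key=lambda kv: -kv[1]):
        where = "same host" if a[0] == b[0] else "two hosts"
        lines.append(f"{a[0]}:{a[1]} ({LOOPING_SERVICES[a[1]]}) <-> "
                     f"{b[0]}:{b[1]} ({LOOPING_SERVICES[b[1]]}) {where}, {pkts} packets")
    return lines


if __name__ == "__main__":
    for line in describe(find_udp_loops(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

DNS and NTP flows in the sample are ignored because only one of their ports (or neither) is a looping service; a hit on this check is a reason to disable chargen and echo on the hosts named.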

Wednesday, May 18, 2011

Smurf Attacks

A smurf attack is a sort of brute-force DOS attack in which a huge number of ping requests containing spoofed source IP addresses from within the target network is sent to a system (normally the router) within that network. When the router gets a ping, or echo request message, it sends an echo reply message to the spoofed IP address, flooding the network with packets, thereby clogging the network and preventing legitimate users from obtaining network services.

Detecting a SYN-Flood Attack

After the target system has tried to send a SYN/ACK packet to the client, and while it is waiting to receive an ACK packet, the existing connection is said to be half open, or the host is said to be in the SYN_RECEIVED state. If your system is in this state, it may well be experiencing a SYN-flood attack. To determine whether connections on your system are half open, type the netstat command; the parameters passed and the results displayed will vary from system to system. Here's an example:

C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant *:* ESTABLISHED

In this example, several connections are cited as being in the SYN_RECEIVED state, most likely indicating that this system is under a SYN-flood attack. Note, however, that the preceding output also contains connections cited as being in the ESTABLISHED state; these are legitimate connections, which remain unaffected even after the SYN-flood attack on the target system. 
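Reading the netstat listing by eye works for a dozen rows; on a busy host you want the SYN_RECEIVED entries counted and grouped by foreign host, so that one or two peers accounting for all of them stands out from the ESTABLISHED connections. This parser is an added example, not code from the original post; the sample listing is constructed in the shape of the one above, and the threshold is a parameter because a sensible value comes from your own baseline, not from this page.

```python
import re
from collections import Counter

# Constructed `netstat -a` listing for this example (host names and
# addresses are made up); same layout as the listing above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    Dushyant:80            201.xx.34.23:1034      SYN_RECEIVED
  TCP    Dushyant:80            201.xx.34.23:1035      SYN_RECEIVED
  TCP    Dushyant:80            201.xx.34.23:1036      SYN_RECEIVED
  TCP    Dushyant:80            201.xx.34.23:1037      SYN_RECEIVED
  TCP    Dushyant:80            10.0.0.5:2210          SYN_RECEIVED
  TCP    Dushyant:80            10.0.0.9:4401          ESTABLISHED
  TCP    Dushyant:139           10.0.0.7:1120          ESTABLISHED
  UDP    Dushyant:137           *:*
"""

# proto, local, foreign and an optional state (UDP rows have none)
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state) for every connection row;
    header and blank lines are skipped, UDP rows get an empty state."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows


def half_open_by_peer(rows):
    """Count half-open (SYN_RECEIVED) connections per foreign host."""
    counts = Counter()
    for proto, _local, foreign, state in rows:
        if proto == "TCP" and state == "SYN_RECEIVED":
            counts[foreign.rsplit(":", 1)[0]] += 1  # drop the port
    return counts


def assess(text, half_open_threshold):
    """Summarise a listing: half-open vs established counts, the peers
    behind the half-open ones, and whether the half-open count is at or
    above the caller's threshold."""
    rows = parse_netstat(text)
    by_peer = half_open_by_peer(rows)
    half_open = sum(by_peer.values())
    established = sum(1 for r in rows if r[3] == "ESTABLISHED")
    return {
        "half_open": half_open,
        "established": established,
        "top_peers": by_peer.most_common(3),
        "suspicious": half_open >= half_open_threshold,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT, half_open_threshold=4))
```

Running it against live output is a matter of feeding `netstat -a` through the same function; the ESTABLISHED count is reported alongside so you can see, as the text notes, that legitimate sessions are unaffected.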

NOTE :- SYN packets are used in conjunction with half-open connections for stealth port scanning, also called half-open port scanning. For more details, read "Port Scanning".

Countermeasure

There is no single countermeasure you can take to protect your system against SYN-flood attacks. There are, however, certain steps you can take to minimize the risk of damage caused by such attacks:

  • Reduce the time required for a connection to time out. This ensures that if numerous spoofed connection requests are sent to the target system, they are discarded more quickly, minimizing memory consumption and thereby mitigating the risk of such attacks. Although this limits the hogging of system resources, it is not a very good countermeasure against SYN attacks, because sometimes even legitimate users might be disconnected by the target system.
  • Increase the number of connection requests that can be accepted by the host at one time. One downside to this is that more memory and system resources will be consumed.
  • Install vendor-specific updates and patches. Whenever a new type of attack becomes prevalent on the Internet, each vendor usually comes out with its own version of a countermeasure for its software. For this reason, it is sometimes a good idea to turn to the company whose software you have installed on your system for a countermeasure to a particular type of an attack.
  • Use a firewall. They detect SYN attacks, respond with fake replies, and try to trace the spoofed source address to the actual attacker. It is also important to ensure that the firewall has been updated. For more details, read TCP SYN Flooding and IP Spoofing Attacks.

Friday, May 13, 2011

Land Attacks

A land attack is similar to a SYN attack, the only difference being that instead of including an invalid IP address, the SYN packets include the IP address of the target system itself. More specifically, the source IP address and port number are identical to the destination IP address and port number. As a result, an infinite loop is created within the target system, which ultimately hangs and crashes.

Countermeasure :- The easiest way to protect your system against land attacks is to install a firewall or filtering utility that filters out outgoing packets whose destination IP address is the same as the IP address of the local system.


Wednesday, May 11, 2011

SYN/ACK Packets

To gain a better understanding of SYN and ACK packets, read the following:
  • ACK. TCP/IP demands that both the source and destination systems transmit and receive acknowledgement messages to confirm the safe and proper transfer of data. These acknowledgement messages are known as ACK messages or ACK packets. For example, suppose there are two systems, A and B, and that A sends the first (X1) of a series of packets to B. A will not send the second packet in the series (X2) to B until B acknowledges that it received the first packet (ACK X1). If A does not receive an ACK message, then a time-out occurs, and A will resend the data to B.
  • SYN. A SYN packet is nothing but a normal TCP packet with the synchronize (SYN) flag switched on. This flag indicates that the sender wants to establish a three-way TCP/IP connection with the destination system.

SYN-Flood Attacks

This post focuses on one of the most common and easiest to execute DOS attacks, known as SYN flooding. The idea behind SYN flooding is to flood the target system with connection requests from spoofed source addresses. As the target system tries to establish full connections with all these requests, its memory is hogged. As a result, the target system is unable to provide services to legitimate users or clients.

To further clarify, suppose you have a single telephone connection with 10 parallel lines, that is, 10 lines with the same telephone number. If you use 10 different telephones to simultaneously dial this number, then all 10 parallel lines of the target connection will be used to answer your 10 calls. Even if a legitimate client is trying to call the number (which is under attack by you), he will not be able to get through. SYN flooding is like this, but even better; in the case of SYN flooding, the "calls" are made from a spoofed source address, making it difficult (but not impossible) to trace.


How It Works

SYN flooding works by exploiting the three-way handshake that occurs any time two systems across the network initiate a TCP/IP connection. Here's what happens in a typical three-way handshake:

  1. The source system (client) sends a SYN packet to the destination system (host).
  2. The destination system replies with a SYN packet and acknowledges the source system's SYN packet by sending an ACK packet (together, the SYN/ACK packet).
  3. The source system sends an ACK packet to acknowledge the SYN/ACK packet sent by the host.

Only when these three steps are completed is a TCP/IP connection established between the source system and the host.

In a SYN-flooding attack, several SYN packets are sent to the target host, all with an invalid source IP address. When the target system receives these SYN packets, it tries to respond to each one with a SYN/ACK packet, but because the source IP address in the original SYN packet is invalid, these SYN/ACK packets are simply sent into the void. Even so, the target host waits in vain for an ACK message from the source system, and as it does, additional requests with invalid IP addresses queue up behind the original ones, and the whole cycle starts again. Eventually, due to the large number of connection requests, the target system's memory is consumed, and that system is therefore unable to cater to requests for information made by legitimate users.

In accordance with the rules of TCP/IP, the system will time out after a certain period of time has passed. When this happens, the connection requests queued up on the target system are discarded, thereby freeing a large part of the hogged-up memory. In a typical SYN-flood attack, however, the attacker sends connection requests from spoofed addresses more quickly than the earlier connection requests can be timed out. Because the attacker continuously sends more and more connection requests, the target system's memory is continuously consumed.
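The race between the attacker's sending rate and the host's time-out can be modelled directly: a table of half-open entries with a capacity and a time-out, spoofed SYNs that are never acknowledged, and one legitimate client opening a connection every second. This simulation is an added example, not code from the original post; the capacities, time-outs and rates are illustrative values chosen to show the effect of the two tuning countermeasures (shorter time-out, larger table) and the downside of a short time-out for a slow legitimate client.

```python
class HalfOpenTable:
    """Toy model of a host's table of half-open (SYN_RECEIVED) connections."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity  # entries the host keeps before refusing new SYNs
        self.timeout = timeout    # seconds before an unanswered SYN/ACK is discarded
        self.pending = {}         # (src, sport) -> second the SYN/ACK was sent
        self.refused = 0

    def expire(self, now):
        # Step 2 was never answered: discard entries older than the time-out
        for key in [k for k, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[key]

    def on_syn(self, now, src, sport):
        # Step 1 received; send SYN/ACK (step 2) only if there is room to wait
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        # Step 3: only an entry still in the table completes the handshake
        return self.pending.pop((src, sport), None) is not None


def simulate(capacity, timeout, spoof_rate, seconds=60, client_ack_delay=0):
    """Run `seconds` of a flood of `spoof_rate` spoofed SYNs per second while one
    legitimate client opens one connection per second, its ACK arriving
    `client_ack_delay` seconds later. Return the fraction of the client's
    connections that completed."""
    table = HalfOpenTable(capacity, timeout)
    due_acks = []  # (second, sport): the client's third handshake step
    completed = 0
    for now in range(seconds + client_ack_delay):
        table.expire(now)
        if now < seconds:
            for i in range(spoof_rate):
                # spoofed source: the SYN/ACK goes into the void, no ACK ever comes
                table.on_syn(now, f"spoofed-{now}-{i}", 1024 + i)
            if table.on_syn(now, "client", 40000 + now):
                due_acks.append((now + client_ack_delay, 40000 + now))
        for _sec, sport in [a for a in due_acks if a[0] == now]:
            if table.on_ack("client", sport):
                completed += 1
        due_acks = [a for a in due_acks if a[0] != now]
    return completed / seconds


if __name__ == "__main__":
    print("128 slots, 75 s time-out, 10 spoofed/s :", simulate(128, 75, 10))
    print("128 slots,  3 s time-out, 10 spoofed/s :", simulate(128, 3, 10))
    print("4096 slots, 75 s time-out, 10 spoofed/s:", simulate(4096, 75, 10))
    print("slow client, 3 s time-out, no flood    :",
          simulate(128, 3, 0, client_ack_delay=3))
```

With 128 slots and a 75-second time-out, 10 spoofed SYNs per second fill the table in about 13 seconds and the client is refused from then on; a 3-second time-out or a 4096-entry table keeps it reachable, but the short time-out also drops a client whose ACK takes 3 seconds to arrive.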

Note 1 :- In order to actually affect the target system, a large number of SYN packets with invalid IP addresses must be sent.
Note 2 :- SYN flooding is commonly used in the process of IP spoofing. IP spoofing is discussed later in this chapter in the section titled "IP Spoofing Attacks".

Monday, May 9, 2011

Teardrop Attacks

Whenever data is sent over the Internet, it is broken into fragments at the source system and reassembled at the destination system. For example, suppose you need to send 4,000 bytes of data from one system to another. Rather than sending the entire chunk in a single packet, the data is broken down into smaller packets, each packet carrying a specified range of data like so:

  • Packet 1 will carry bytes 1-1500.
  • Packet 2 will carry bytes 1501-3000.
  • Packet 3 will carry bytes 3001-4000.
Each packet has an Offset field in its TCP header part that specifies the range of data (that is, the specific bytes of data) being carried by that particular data packet. This, along with the value in the Sequence Number field, helps the destination system reassemble the data packets in the correct order.

In a teardrop attack, a series of data packets is sent to the target system with overlapping Offset field values. As a result, the target system cannot reassemble the packets and is forced to crash, hang, or reboot.

Still not quite clear on how this works? Let's examine how a system receives data packets under normal circumstances. (Note that the underscore character ( _ ) equals one data packet.) As you can see here, no bytes overlap between packets:

- - - - - - - - - - - -
(Bytes 1-1500) (Bytes 1501-3000) (Bytes 3001-4500)

In a teardrop attack, however, the data packets sent to the target computer contain bytes that overlap with each other:

- - - - - - - - - - - - -
(Bytes 1-1500) (Bytes 1501-3000) (Bytes 1001-3600)

When the target system receives a series of packets like the one shown here, it cannot reassemble the data and, therefore, will crash, hang or reboot.

Countermeasure :- To protect your system from teardrop attacks, make sure you have the latest patches from your vendor. For more information about these types of attacks and the countermeasures you can take.


Sunday, May 8, 2011

Ping of Death

The ping command makes use of the ICMP echo request and echo reply messages and is commonly used to determine whether a remote host is alive. In a Ping of Death attack, however, ping causes the remote system to hang, reboot, or crash. To do so, the attacker uses the ping command in conjunction with the -l argument (used to specify the size of the packet sent) to ping the target system with a data packet that exceeds the maximum bytes allowed by TCP/IP (65,536). For example, the following ping command creates a giant datagram that is 65,540 bytes in size (the output follows):

C:\windows>ping -l 65540 hostname
Pinging hostname [xx.yy.tt.pp] with 65,540 bytes of data:

Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61
Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61
Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61
Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61

Countermeasure :- Fortunately, nearly all systems these days are not vulnerable to the Ping of Death. Unless you are running an ancient system with an equally ancient operating system, you are almost sure to be protected from this type of DOS attack. To make sure that your software is patched, however, visit your vendor's Web site and check.
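Both the teardrop post above and the Ping of Death come down to what a reassembler accepts: fragments whose byte ranges overlap, and fragments whose ranges extend past what the IP length field can hold. The validator below is an added example, not code from the original posts or from any operating system; it takes fragments as inclusive 1-based byte ranges (the notation used in the teardrop listing), the three fragment sets are constructed to match the ranges discussed on this page, and the oversize check uses 65,535, the largest value the 16-bit IP Total Length field can carry.

```python
MAX_DATAGRAM = 65535  # largest value the 16-bit IP Total Length field can hold


def overlap(a, b):
    """Bytes (inclusive) shared by two fragments, or None if they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def validate_fragments(fragments, max_size=MAX_DATAGRAM):
    """Check one datagram's fragments, given as (first_byte, last_byte),
    inclusive and 1-based, in arrival order.
    Returns ("ok", None), or (reason, detail) for the first fragment a careful
    reassembler should refuse: "overlap" (teardrop), "oversize" (ping of
    death), "malformed", or "gap" when the set does not cover the datagram
    contiguously once all fragments are in."""
    accepted = []
    for frag in fragments:
        first, last = frag
        if first < 1 or last < first:
            return ("malformed", frag)
        if last > max_size:
            # reassembled datagram would exceed what the length field allows
            return ("oversize", last)
        for kept in accepted:
            shared = overlap(frag, kept)
            if shared is not None:
                # re-sends bytes already received: the teardrop case
                return ("overlap", shared)
        accepted.append(frag)
    expected = 1
    for first, last in sorted(accepted):
        if first != expected:
            return ("gap", expected)
        expected = last + 1
    return ("ok", None)


# Constructed fragment sets matching the byte ranges discussed above
NORMAL = [(1, 1500), (1501, 3000), (3001, 4500)]
TEARDROP = [(1, 1500), (1501, 3000), (1001, 3600)]
PING_OF_DEATH = [(1, 1480), (1481, 65540)]  # declares bytes past the 65,535 limit

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)]:
        print(f"{name:14}", validate_fragments(frags))
```

A patched stack does the equivalent of these checks before copying fragment data into the reassembly buffer; the "gap" result is the normal state of a datagram whose fragments have not all arrived yet.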


Saturday, May 7, 2011

DOS attacks

A denial of service (DOS) attack is an attack that clogs up so much memory on the target system that it cannot serve its users, or it causes the target system to crash, reboot, or otherwise deny services to legitimate users. These days, DOS attacks are very common; indeed, just about every server is bound to experience such an attack at some time or another.
There are several different kinds of DOS attacks, the most popular of which are as follows:

What is hacking?

A hacker is often someone who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items. In computer security, a hacker is usually someone who works with the security mechanisms of computer and network systems to strengthen them; the term is more often used incorrectly, especially in the mass media, to refer to those who seek access despite them.
