Glossary

     In security circles exist two groups, the BlackHats and the WhiteHats. The BlackHats are the CRACKERS who's primary goal is to exploit a system and compromise its resources. The WhiteHats are the HACKERS who's primary job function is to find security issues with a system and then fix them.

     There exists many definitions to many fundamentally different unconventional computing. The terms hacker and cracker are often used synonymously in the media although they are very different. The term hacker can be used to describe anyone who is extremely knowledgeable about a system and it's security mechanisms. A cracker on the other hand, may or may not posess the skills of a hacker but their motivation is to either steal secured data or damage a system resulting in denial of service (DoS). A hacker will often penetrate a secure system but their intent is to find the "hole" and fix it. A hacker is often employed by security organizations and governments to find a hole in a secured system and fix it before a cracker does.

     An attack is performed by a cracker who intends to either deny a corporation or organization of sending or receiving data that is fundamental to their operations. An attack may also be when a cracker breaks into a secure system and either destroys the system or secretly steals confidential data.

     In today's business operations, the Internet is the primary media for data transactions which are fundamental to corporate productivity. Another attack known as the Denial of Service (DoS) is when a cracker exploits known problems in networking technologies to deny a target from making data transactions over the Internet. A data transaction can be a large financial firm transferring electronic funds or it can simply be someone surfing the internet and checking email.

     It is important to note that any good security consultant must have a good knowledge of the C language. The consultant should also understand C impemented on various UNIXs and the GNU C libraries. A very good consultant will be able to understand what a small C exploit program is intended to do and how to compile it and test systems in which he is employed to protect. Many self designated hackers use pre-made security scripts or scanners which are useful for the prelude, but security cannot stop there, not at the Win32 shareware level. Proprietary services must be tested against buffer overrun attacks, scalability (denial of service), etc...

BOT, IRCBot

The term BOT stands for robot, also known in the media as a zombie and is in part, a trojan. The purpose of the BOT is for use in an attack against a single host using the Denial of Service (DOS) method of overloading a network. The BOT is a small file on a computer which listens for its owner to instruct it what to do. BOTs most often live on Windows 9x machines which have high-speed internet connections such as Cable and DSL. When grandma starts the computer with that new DSL line, she has no idea a trojan lives in her system communicating with its owner over the network.

IRCBots log into an irc channel and silently wait for instructions. The owner will issue a command for all BOTs to PING a host on the internet. If the owner has up to 200 BOTs all connected to high-speed internet connections, the host will be flooded with network traffic and will be unable to serve e-mail, webpages, etc... Thus, the server is denied from its usual service (DoS). Installing the BOTs on the Microsoft machines used by the casual user is another topic, they are most often distributed in Freeware and Shareware software, thus giving it the trojan methodology.

This type of attack is a Denial of Service attack. More specifically, this particular attack is a Distributed Denial of Service attack or DDoS. It is distributed because many machines share in the offensive attack.
```
	To scan for IRCBots:

	IRC BOT detection:
		c:\>netstat -an | find ":6667"
	check for client IDENT server:
		c:\>netstat -an | find ":113 "

	Remember that by logging into an IRC channel and listening, the BOT
	can bypass NAT protection. It is a client in the IRC channel,
	initiating the connection thus the NAT device opening the RX port
	for outside contact and command control.
	
```
Denial of Service (DoS)

The term Denial of Service refers to an event in which a particular service is hampered from its normal or intended routine. A DoS can occur any time a cracker breaks into a system and damages it enough to stop serving web documents or "E" transactions. Even sending the well known "+++ATH" command to a home user causing a modem hangup from their ISP is considered a DoS attack and is an FEDERAL FCC offense.

Most DoS attacks occur without a system compromise (or intrusion). The attack is applied through network problems that exist in the internet. One example is when multiple computers with high-speed network connections send data packets as fast as they can to the target host. The host will be flooded by network activity and may crash trying to answer certain types of connection requests in large volume.
Script Kiddie

The script kiddie is a cracker who scans networks probing for information related to what type of systems are present and what software versions these systems are running. The kiddie's software is creating a database as this internetworked probing takes place. When a new exploit is found the script kiddie will query their database for systems running software which has the vulnerability to the exploit. This happens hours after the exploit is discovered.

The script kiddie will then gain root access to the system and apply a fix or "patch" to keep other script kiddies out of the system. This is often the prelude to a distributed denial of service (DoS) attack against a pre-determined host.
Spoof

The term spoofed is used to describe an IP packet that has a return address (or senders address) that is NOT the true address of the packet's sender. The term spoofed is also used to describe any other data that is sent with the sender's return information malformed or purposely incorrect.

The spoofed packet can be used for a wide range of purposes. A spoofed sequence of packets when port scanning can conseal your IP by camoflaging it with spoofed or "fake" IPs that will appear in with yours in a system log file. A spoofed packet is used in the LAND and is also the basis of session hijacking and trust relationship exploitation combined with DoS attacks on the trusted host.

DoS - Denial of Service Attacks

     The following attack concepts require an intermediate knowledge of the TCP/IP protocol. More information can be found on the TCP/IP protocol in the network section of the helpdesk.

Teardrop

     An attacker sends the target computer a packet that is just the right size that it must be broken into two fragments. One of the fragments is too small. The target computer sits and waits for a correct size packet. Then the target computer starts overwriting it's own memory and crashes. If you are running a Windows system, you get the Blue Screen of Death.

Bonk and Boink

     A Bonk and Boink attack do the opposite of a Teardrop attack. They send the target computer a packet that gets fragmented, with one fragment being too large. Blue Screen of Death again.

Ping of Death

     An exploit that was originally ran from Windows computers. Ping is normally a small packet sent out to the Internet to discover if a computer is up and running. Nobody said it had to be small though. In fact, Windows computers let you send out a packet that is way too large. This caused many Unix servers to crash.

Land

     The attacking computer sends a packet to a port on the target computer that makes it look like it came from that same port on the target computer (spoofed socket). The target computer could then open a transmission control block to communicate with itself. The target instantly goes down.

SYN Flooding

     For my computer to talk to your computer, I send you a TCP/IP packet with the Synchronize (SYN) bit set. You send me back a packet with the Synchronize/Acknowledgement (SYNACK) bit set, then I send you a plain old acknowledgement (ACK). It's called the three way handshake, this is the fundamental process of the TCP/IP connection for reliable communications. If I send out SYN packets with the source address spoofed to be some computer that is not actually running anywhere on the Internet, then your computer will send the SYNACK out and wait indefinitely for the ACK to come back. The SYNACK packet eventually gets discarded by a router somewhere out there when it's TTL reaches 0 (because the packets destination does not really exist).

     The attack: If an attacking computer sends 8000 SYN packets to port 25 on the target computer, the target will not get any more email. Port 80, the target doesn't deliver any more web pages. If the attacking computer (or user) knows you are running a telnet session from Host B, the attacking computer can SYN flood host B to DoS attack for an unspecified period of time, then, the attacking computer (user) can send the target computer (user) packets that look like they came from Host B. This could do any number of things such as (if root): "# rm -rf /". This is called session hijacking.

Smurf and Fraggle

     Lets say there is some computer out there who's IP address is 10.1.1.1. The network it rides on is more than likely identified as 10.1.1.0. There can be up to 254 computers on the 10.1.1.0 network, and if you want to send information to all of them, you send it to the network broadcast address, which is 10.1.1.255. In that case, every computer on the network will send you a reply.

     The attack: The attacking computer broadcasts spoofed ping or UDP packets so that they look like they came from the target computer. In other words, the attacking computer sends out one small packet, and the target receives up to 254 packets it never asked for. If the attacking computer really pump them out, the target winds up receiving so much garbage that the connection slows to a grind.

WinNuke

     If you are telnetted to another computer, and you suddenly type in Control-C, the telnet application knows what to do. It sends out a packet with the push bit (PSH) set. The other computer sees this packet and stops whatever it was doing to give you back your prompt. This is known as Out Of Band (OOB) data. With telnet, it's normal application layer protocol data. But on a Windows computer, you are using a protocol hook known as NetBIOS (it's what puts all those computers in your Network Neighborhood). NetBIOS never expects OOB data. It receives a packet with the PSH bit set, it crashes.