Hacking
Index
• Evolution of Hacking
• Introduction to Hacking
• Cyber Crime
• Special Attraction
• Viruses
• Hacking XP
• Glossary
• Prepared By
Evolution of Hacking

Astonishingly, hacking did not start as an antisocial activity. The entire story of hacking started with the belief that there is always more than one way to solve a problem. People also wanted to access information free of cost at any time.

Computer hacking started in the late 1950s. Before that, computers and programming languages were not easily accessible. Problems were solved by repeating known and successful computing methods. To work on computers, people needed formal problems and predesigned solutions. Computers were allotted to professionals based on the priority of their requirements. The restricted use of computer resources reduced the chances for any experiments with early computers. The authorities of the Massachusetts Institute of Technology (MIT) allowed people to access their TX-0 resources without any restrictions after official hours. That was the first time computer users got a chance to experiment with different methods for solving problems. In other words, that was the beginning of the hacker community. However, the prime aim of those hackers was to experiment with new solutions, without any malevolent intent. The early hackers performed their activities with a strong belief that there is always room for improvement. They performed their activities without any predefined structure or time schedule.

In parallel to computer hacking, a new type of hacker, the phreak, came into existence. Phreaks first accessed telephone networks by using handheld electronic devices. Phreaks used those devices to modify pay telephones to make free telephone calls. To simulate coin payments in pay telephones, they used devices such as red boxes.

In the early 1980s, a new computing era started by connecting computers and telephone networks with the help of modems. Personal computers became popular. Users started to use modems and telephone networks to connect personal computers to mainframe computers.

Access to the computers connected to the internet opened the entire world of computers to the hacker community. The rapid growth of internet technologies changed the profile of hackers.
Index
• What Is Hacking?
• How Do Hackers Hack?
• Classes Of Hackers
• How To Become A Hacker?
• Common Hacking Techniques
• Passwords
• Sniffers: Basics and Detection
What is Hacking?

Hacking is the act of penetrating computer systems to gain knowledge about the system and how it works.

What are Hackers?

Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer. Such a definition presents the term in a more positive light than is usually associated with it. Most people understand a hacker to be what is more accurately known as a 'cracker'.

What are Crackers?

Crackers are people who try to gain unauthorized access to computers. This is commonly done through the use of a 'backdoor' program installed on your machine. A lot of crackers also try to gain access to resources through the use of password-cracking software, which tries millions or billions of candidate passwords to find the correct one for accessing a computer.

What damage can a Hacker do?

This depends upon what backdoor program(s) are hiding on your PC. Different programs can do different amounts of damage. However, most allow a hacker to smuggle another program onto your PC. This means that if a hacker can't do something using the backdoor program, he can easily put something else onto your computer that can. Hackers can see everything you are doing, and can access any file on your disk. Hackers can write new files, delete files, edit files, and do practically anything to a file that could be done to a file. A hacker could install several programs on to your system without your knowledge. Such programs could also be used to steal personal information such as passwords and credit card information.
How do Hackers hack?

There are many ways in which a hacker can hack. Some are as follows:
• NetBIOS
• ICMP Ping
• FTP
• rpc.statd
• HTTP

NetBIOS

NetBIOS hacks are the worst kind, since they don't require you to have any hidden backdoor program running on your computer. This kind of hack abuses the file and printer sharing built into Windows 9x, which listens on TCP port 139. NetBIOS is meant to be used on local area networks, so machines on that network can share information. Unfortunately, Windows 9x also answers NetBIOS requests that arrive from the Internet, so a hacker can reach your shares remotely. If port 139 is reachable from the Internet, the shares on the machine are only as safe as their share passwords; the fix is to block that port at the border or to unbind file and printer sharing from the dial-up (Internet-facing) adapter.

ICMP 'Ping' (Internet Control Message Protocol)

ICMP is one of the main protocols that make the Internet work. It stands for Internet Control Message Protocol. 'Ping' is a request (an ICMP Echo Request) that can be sent to a computer using ICMP. Ordinarily, a computer responds to this ping with an Echo Reply, telling the sender that the computer exists. This is all pings are meant to do. Pings may seem harmless enough, but a large number of pings can make a denial-of-service attack, which overloads a computer. Also, hackers can use pings to see if a computer exists and does not have a firewall (firewalls can block pings). If a computer responds to a ping, the hacker could then launch a more serious form of attack against it. The converse does not hold: a computer that does not answer pings may still be up with services reachable, since many firewalls drop ICMP Echo while letting TCP through, so a port scanner treats a missing reply as inconclusive rather than as proof that the host is absent.

FTP (File Transfer Protocol)

FTP is a standard Internet protocol, standing for File Transfer Protocol. You may use it for file downloads from some websites. If you have a web page of your own, you may use FTP to upload it from your home computer to the web server. However, FTP can also be used by some hackers. FTP normally requires some form of authentication for access to private files, or for writing to files. FTP backdoor programs, such as Doly Trojan, Fore and Blade Runner, simply turn your computer into an FTP server, without any authentication.
rpc.statd

This is a problem specific to Linux and Unix. rpc.statd is the NFS status monitor daemon, and the problem is the infamous unchecked buffer overflow. This is where a fixed amount of memory is set aside for storage of data. If data is received that is larger than this buffer, the program should truncate the data or send back an error, or at least do something other than ignore the problem. Unfortunately, the data overflows the memory that has been allocated to it, and is written into parts of memory it shouldn't be in. This can cause crashes of various kinds. However, a skilled hacker can write bits of program code into memory and overwrite a saved return address so that the program jumps to that code, which then runs with the privileges of the daemon (typically root, in the case of rpc.statd).

HTTP

HTTP stands for HyperText Transfer Protocol. The HTTP attack described here affects Microsoft web server software such as Personal Web Server, which has a bug of the same 'unchecked buffer overflow' kind. If a user makes a request for a file on the web server with a very long name, part of the request gets written into parts of memory that contain active program code. A malicious user could use this to run any program they want on the server. Any web server with the same class of bug is exposed in the same way; the attack is not specific to HTTP.
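As an added example of the 'unchecked buffer overflow' behind both the rpc.statd and HTTP cases above (written for this page; it is not code from rpc.statd, Personal Web Server or any other program), the C below keeps a 16-byte input buffer and the 4 bytes that follow it, standing in for a saved return address, in one flat array so the overwrite is visible and well-defined. The frame layout, the placeholder address 0x41424344 and the input strings are constructed for the demo:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout for the demo: bytes [0,16) are the input buffer,
 * bytes [16,20) stand in for the saved return address that follows the buffer
 * on a real stack. Keeping both inside one array makes the overwrite
 * well-defined here; a real strcpy() into a 16-byte stack buffer keeps writing
 * past the frame. */
#define BUF_LEN 16
#define RET_LEN 4

struct fake_frame {
    unsigned char bytes[BUF_LEN + RET_LEN];
};

/* Constructed inputs: 16 'A's fill the buffer, "XYZ" spills onto the
 * "return address"; the NUL terminator takes the 20th and last byte. */
static const char LONG_INPUT[] = "AAAAAAAA" "AAAAAAAA" "XYZ";
static const char SHORT_INPUT[] = "hello";

static void frame_init(struct fake_frame *f)
{
    memset(f->bytes, 0, sizeof f->bytes);
    /* pretend the saved return address is 0x41424344 (little-endian) */
    f->bytes[BUF_LEN + 0] = 0x44;
    f->bytes[BUF_LEN + 1] = 0x43;
    f->bytes[BUF_LEN + 2] = 0x42;
    f->bytes[BUF_LEN + 3] = 0x41;
}

/* What the frame's "return address" currently holds. */
static unsigned int frame_ret(const struct fake_frame *f)
{
    return (unsigned int)f->bytes[BUF_LEN]
         | (unsigned int)f->bytes[BUF_LEN + 1] << 8
         | (unsigned int)f->bytes[BUF_LEN + 2] << 16
         | (unsigned int)f->bytes[BUF_LEN + 3] << 24;
}

/* The vulnerable pattern: copy up to and including the NUL without ever
 * comparing against BUF_LEN. This is exactly strcpy(f->bytes, input): any
 * input longer than 15 characters lands on the "return address", and an input
 * longer than 19 would write past the array itself. Returns characters copied. */
static size_t copy_unchecked(struct fake_frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    memcpy(f->bytes, input, n);      /* no bound check: the bug */
    return n - 1;
}

/* The fix the text asks for: refuse input that does not fit (truncating is
 * the other option). Returns 0 on success, -1 when the input is too long;
 * the frame is left untouched on failure. */
static int copy_checked(struct fake_frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= BUF_LEN)
        return -1;
    memcpy(f->bytes, input, n + 1);
    return 0;
}

int main(void)
{
    struct fake_frame f;

    frame_init(&f);
    printf("before:               ret=0x%08x\n", frame_ret(&f));
    copy_unchecked(&f, LONG_INPUT);
    printf("after unchecked copy: ret=0x%08x (overwritten by input bytes)\n", frame_ret(&f));

    frame_init(&f);
    printf("checked copy of long input returns %d\n", copy_checked(&f, LONG_INPUT));
    printf("after checked copy:   ret=0x%08x (intact)\n", frame_ret(&f));
    return 0;
}
```

copy_unchecked is strcpy by another name: nothing stops it at byte 16, so the 17th to 19th characters land on the "return address", and on a real stack those attacker-supplied bytes decide where the function returns. copy_checked refuses anything that does not fit and leaves the frame alone, which is the same rule strlcpy or a sized snprintf enforces. The demo input is kept to 19 characters so the model array is never exceeded; a longer input to copy_unchecked would write past the array, which is the real bug.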
Classes of Hackers

Today, it is very difficult to distinguish between hackers, crackers, and script kiddies. Therefore, hackers have been categorized into different groups based on the nature of their activities:
• White hats
• Black hats
• Gray hats

White Hats

White hat hackers use their skills and knowledge for good purposes. These hackers help to find new security vulnerabilities and their solutions. White hats do not hack systems with any bad intent. They like experimenting and believe that there is always a better solution than the current one. White hat hackers always report the vulnerabilities they discover to the concerned security professionals. For example, a hacker who finds a weakness in a system and helps the system administrator to implement better security measures is a white hat hacker.

Black Hats

Black hat hackers perform their activities with bad intentions. Black hats perform illegal activities, such as destroying data, denying services to legitimate users, and defacing Web sites. For example, a hacker who breaks into the network of a bank and steals thousands of dollars by transferring it to other banks is a black hat. Black hat hackers share their experiments with other crackers but not with the concerned security professionals.

Gray Hats

Gray hat hackers are those people who do not believe in categorizing hacking activities as good or bad. Gray hats believe that some of the activities which are condemned by white hats are harmless. Gray hat hackers might share the results of their experiments with both security professionals and crackers.
The Hacker Attitude

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude. But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. They're also important because becoming the kind of person who believes these things is important, for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters -- not just intellectually but emotionally as well. (lots of these on alt.2600.hgackerz) So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.
Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval. (so I would take it all hackers are wankers lol) You also have to develop a kind of faith in your own learning capacity -- a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece -- and so on, until you're done. (I agree)

2. Nobody should ever have to solve a problem twice.
Creative brains are a valuable, limited resource. They shouldn't be wasted on reinventing the wheel when there are so many fascinating new problems waiting out there. To behave like a hacker, you have to believe that the thinking time of other hackers is precious -- so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones. (You don't have to believe that you're obligated to give all your creative product away, though the hackers that do that get the most respect from other hackers. It's definitely OK to sell enough of it to keep you in food and rent and computers. It's OK to use your hacking skills to support a family or even get rich, as long as you don't forget you're a hacker while you're doing it.)

3. Boredom and drudgery are evil.
Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do -- solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil. To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers). (There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice -- nobody who can think should ever be forced into boredom.)

4. Freedom is good.
Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by -- and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers. (This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.) Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing -- they only like cooperation that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.

5. Attitude is no substitute for competence.
To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence -- especially competence at hacking, but competence at anything is good. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best. If you revere competence, you'll enjoy developing it in yourself -- the hard work and dedication will become a kind of intense play rather than drudgery. And that's vital to becoming a hacker.
How To Become A Hacker

Looking for advice on learning to crack passwords, sabotage systems, mangle websites, write viruses, and plant Trojan horses? You came to the wrong place. Looking for advice on how to learn the guts and bowels of a system or network, get inside it, and become a real expert? Maybe I can help there. How you use this knowledge is up to you. I hope you'll use it to contribute to computer science and hacking (in its good sense), not to become a cracker or vandal. This little essay is basically the answers to all the emails I get asking how to become a hacker. It's not a tutorial in and of itself. It's certainly not a guaranteed success. Just give it a try and see what happens. That said, here's where to start:

Be curious
Take things apart. Look under the hood. Dig through your system directories and see what's in there. View the files with hex editors. Look inside your computer. Wander around computer stores and look at what's there.

Read everything in sight
If you can afford it, buy lots of books. If you can't, spend time in libraries and online. Borrow books from friends. Go through tutorials. Read the help files on your system. If you're using Unix/Linux, read the man files. Check out the local college bookstores and libraries. And as you're reading, try things (see next paragraph).

Experiment
Don't be afraid to change things, just to see what'll happen. Do this long enough, of course, and you'll wipe out your system (see next paragraph), but that's part of becoming a hacker. Try command options and switches you've never tried before. Look for option menus on programs and see what they can do. In Windows, tweak your registry and see what happens. Change settings in .INI files. In Unix, dig around in the directories where you don't normally go. On the Macintosh, play around in the system folder.

Make backups
If you start mucking around with system files, registries, password files, and such, you will eventually destroy your system. Have a backup ready. If you can afford it, have a system you use just for experimenting, ready to reload on a moment's notice, and do your serious work (or serious gaming!) on a different computer.

Don't limit yourself
Who says a computer or network is the only place to hack? Take apart your telephone. Figure out your television (careful of the high voltage around the picture tube - if you fry yourself, it's not my fault) and VCR. Figure out how closed captioning works (that was a plug for my CaptionCentral.com Web site). Take apart your printer. Pick up the latest issues of Nuts & Volts and Midnight Engineer (you've obviously made a good start if you're reading Blacklisted! 411). Take apart the locks on your doors. Figure out how your radio works. Be insatiably curious and read voraciously. There are groups you can learn from. There are whole Web sites devoted to hacking TiVo units, for example.

Get some real tools
You can't cut a board in half with a screwdriver. Well, maybe you can, but it'll take a long time. Dig around and find the proper tools for the operating systems you're using. They're out there on the Web. You can get some pretty good stuff as shareware or freeware (especially on Linux). The serious power tools often cost serious money. What kinds of tools? Hex file editors. Snoopers that analyze system messages and network traffic. Compilers and APIs for programming. Scripting tools. Disk editors/formatters. Disassemblers. When you get good, write some of your own.

Learn to program
If you want to be a hacker, you're going to have to learn to program. The easiest way to start depends on the operating system you're using. The choice of language is very individual. It's almost a religious thing. Suggest a programming language to a beginner, and someone will disagree. Heck, you'll probably get flamed for it in a newsgroup. In Unix, I'd suggest getting started with Perl. Buy a copy of the camel book (Programming Perl) and the llama book (Learning Perl). You'll have the fundamentals of programming really fast! The best part is that the language itself is free. In Windows, you can get started quickly using a visual development environment like Visual Basic or Java. No matter what the system, if you want to get serious, you'll eventually need to learn C (or C++ or C# or some other variant). Real hackers know more than one programming language, anyway, because no one language is right for every task.

Learn to type
Hackers spend a lot of time at their keyboards. I type 90+ wpm (according to the Mavis Beacon typing tutor). HackingWiz (of hackers.com and Hacker's Haven BBS fame) says he can type 140+ wpm. The typing tutor may be boring, but it pays off.

Use real operating systems
Windows 95/98/Me is a shell on top of a 32-bit patch to a 16-bit DOS. Get some real operating systems (Linux, Windows NT, Mac OS, OS/2...) and learn them. You can't call yourself a linguist if you only know one language, and you certainly can't call yourself a hacker if you only know one OS. Linux is a hacker's dream. All the source code is freely available. Play with it, analyze it, learn it. Eventually, perhaps you can make a contribution to Linux yourself. Who knows, you might even have a chance to write your own OS.

Talk to people
It's hard to learn in a vacuum. Take classes. Join users groups or computer clubs. Talk to people on IRC or newsgroups or Web boards until you find people to learn with. That can take a while. Every third message on newsgroups like alt.hack* is "teach me to hack." Sigh. The best way to be accepted in any group is to contribute something. Share what you learn, and others will share with you.

Do some projects
It's important to pick some projects and work until you've finished them. Learning comes from doing, and you must follow the project through start to finish to really understand it. Start really simple. Make an icon. Customize your system (the startup screen on Win95, or the prompt on Unix). Make a script that performs some common operation. Write a program that manipulates a file (try encrypting something).

Learn to really use the Internet
Start with the Web. Read the help for the search engines. Learn how to use Boolean searches. Build up an awesome set of bookmarks. Then move on to other Internet resources. Get on Usenet. Find some underground BBSs. Get on IRC. You'll find useful information in the strangest places. Get to the point where you can answer your own questions. It's a whole lot faster than plastering them all over various newsgroups and waiting for a serious answer. Once you've gone through these steps, go out and contribute something. The Internet was built by hackers. Linux was built by hackers. Usenet was built by hackers. Sendmail was built by hackers. Be one of the hackers that builds something.
Common Hacking Techniques

The various hacking techniques include:
• Denial-of-service
• Trojan Horses
• Spoofing
• Sniffing
• Password Cracking

Denial-of-Service attacks

Methods of attack

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
• Attempts to "flood" a network, thereby preventing legitimate network traffic;
• Attempts to disrupt a server by sending more requests than it can possibly handle, thereby preventing access to a service;
• Attempts to prevent a particular individual from accessing a service;
• Attempts to disrupt service to a specific system or person.

Attacks can be directed at any network device, including attacks on routing devices and Web, electronic mail, or Domain Name System servers. A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:
1. Consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. Disruption of configuration information, such as routing information;
3. Disruption of physical network components.

In addition, the US-CERT has provided tips on the manifestations of DoS attacks:
• Unusually slow network performance (opening files or accessing web sites)
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received
SYN floods

A SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet and waiting for a TCP/ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections consume resources on the server and limit the number of connections the server is able to make, reducing the server's ability to respond to legitimate requests until after the attack ends.

When a computer wants to make a TCP/IP connection (the most common internet connection) to another computer, usually a server, an exchange of TCP/SYN and TCP/ACK packets occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP/SYN packet which asks the server if it can connect. If the server will allow connections, it sends a TCP/SYN-ACK packet back to the client to say "Yes, you may connect" and reserves a space for the connection, waiting for the client to respond with a TCP/ACK packet that completes the handshake. In a SYN flood the address of the client is often forged so that when the server sends the go-ahead back to the client, the message is never received because the client either doesn't exist or wasn't expecting the packet and subsequently ignores it. This leaves the server with a dead connection, reserved for a client that will never respond. Usually this is done to one server many times in order to reserve all the connections for unresolved clients, which keeps legitimate clients from making connections.

The classic example is that of a party. Only 50 people can be invited to a party, and invitations are available on a first-come first-served basis. Fifty letters are sent to request invitations, but the letters all have false return addresses. The invitations are mailed to the return addresses of the request letters. Unfortunately, all of the return addresses provided were fake, so nobody, or at least nobody of interest, receives the invitations. Now, when someone actually wants to come to the party (view the website), there are no invitations left because all the invitations (connections) have been reserved for 50 supposed people who will never actually show up.
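To make the half-open bookkeeping concrete, here is an added model of the server side of the handshake (illustrative code written for this page, not taken from any TCP implementation). It keeps a hypothetical backlog of 8 half-open slots and expires each after 3 timer ticks; the spoofed 10.0.0.x sources and the 192.168.0.1 client are constructed values:

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical listener: BACKLOG half-open slots, each kept SYN_TIMEOUT timer
 * ticks while waiting for the client's ACK. Real stacks use larger backlogs and
 * retransmit the SYN-ACK before giving up; small numbers keep the demo short. */
#define BACKLOG 8
#define SYN_TIMEOUT 3

struct half_open { uint32_t src_ip; uint16_t src_port; int age; int used; };

struct listener {
    struct half_open slots[BACKLOG];
    int completed;  /* handshakes finished by a real ACK */
    int dropped;    /* SYNs refused because every slot was taken */
};

static void listener_init(struct listener *l) { memset(l, 0, sizeof *l); }

/* Step 1 (server): a SYN reserves a slot and is answered with SYN-ACK. Returns
 * 1 if a slot was reserved, 0 if the backlog is full and the SYN was dropped. */
static int on_syn(struct listener *l, uint32_t src_ip, uint16_t src_port)
{
    for (int i = 0; i < BACKLOG; i++) {
        if (!l->slots[i].used) {
            l->slots[i] = (struct half_open){ src_ip, src_port, 0, 1 };
            return 1;
        }
    }
    l->dropped++;
    return 0;
}

/* Step 3 (server): the client's ACK completes the handshake and frees the
 * slot. Returns 1 if a matching half-open entry existed, else 0. */
static int on_ack(struct listener *l, uint32_t src_ip, uint16_t src_port)
{
    for (int i = 0; i < BACKLOG; i++) {
        if (l->slots[i].used && l->slots[i].src_ip == src_ip &&
            l->slots[i].src_port == src_port) {
            l->slots[i].used = 0;
            l->completed++;
            return 1;
        }
    }
    return 0;
}

/* Timer: entries that never got their ACK expire after SYN_TIMEOUT ticks.
 * Returns how many slots were reclaimed. */
static int listener_tick(struct listener *l)
{
    int expired = 0;
    for (int i = 0; i < BACKLOG; i++) {
        if (l->slots[i].used && ++l->slots[i].age >= SYN_TIMEOUT) {
            l->slots[i].used = 0;
            expired++;
        }
    }
    return expired;
}

static int half_open_count(const struct listener *l)
{
    int n = 0;
    for (int i = 0; i < BACKLOG; i++)
        n += l->slots[i].used;
    return n;
}

/* Attacker: n SYNs from forged 10.0.0.x sources (constructed) that will never
 * answer the SYN-ACK. Returns how many of them got a slot. */
static int syn_flood(struct listener *l, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += on_syn(l, 0x0A000001u + (uint32_t)i, (uint16_t)(40000 + i));
    return accepted;
}

int main(void)
{
    struct listener l;
    listener_init(&l);
    int got = syn_flood(&l, 20);
    printf("flood: %d of 20 spoofed SYNs hold slots, %d dropped\n", got, l.dropped);
    printf("legitimate SYN admitted during flood? %d\n", on_syn(&l, 0xC0A80001u, 50000));
    for (int t = 0; t < SYN_TIMEOUT; t++)
        listener_tick(&l);
    printf("after timeout: half-open=%d\n", half_open_count(&l));
    printf("legitimate SYN admitted now? %d\n", on_syn(&l, 0xC0A80001u, 50000));
    return 0;
}
```

Run it and the flood fills every slot, the genuine SYN from 192.168.0.1 is dropped, and only after the half-open entries time out does the client get in. That is the whole attack in miniature: the defender's only lever in this model is the timeout, which is why real stacks add SYN cookies (the SYN-ACK's sequence number encodes the connection, so no slot is held until the client's ACK arrives) and much larger backlogs.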
LAND attack

A LAND attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. The attack causes the targeted machine to reply to itself continuously and eventually crash.

ICMP floods

A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. To combat denial of service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping -f" command. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.

UDP floods

UDP floods include "Fraggle attacks". In a fraggle attack an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. It is a simple rewrite of the smurf attack code.
Teardrop attack

The Teardrop attack involves sending IP fragments with overlapping, oversized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code caused the fragments to be improperly handled, crashing the operating system as a result. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to 2.0.32 and 2.1.63, are vulnerable to this attack.

Application level floods

On IRC, IRC floods are a common electronic warfare weapon. Various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time.
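The LAND and Teardrop attacks above are both caught by sanity checks on fields the packet has already handed you, which is how border filters and patched stacks dealt with them. The following is an added example written for this page (not taken from any firewall or kernel); the struct layouts are a simplified stand-in for the real IP and TCP headers, and the sample packets and fragment sets are constructed:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Only the header fields the two checks need; a real filter would pull them
 * out of the parsed IP and TCP headers. Constructed for the demo. */
struct pkt {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    int syn;                /* TCP SYN flag set */
};

/* LAND check: a SYN whose source address and port equal its destination
 * cannot have come from a real peer, so the border filter drops it before
 * the host is made to answer itself. Returns 1 to drop, 0 to pass. */
static int is_land(const struct pkt *p)
{
    return p->syn && p->src_ip == p->dst_ip && p->src_port == p->dst_port;
}

/* One IP fragment as the reassembler sees it: byte offset and payload length
 * (real headers carry the offset in 8-byte units; bytes keep the demo plain). */
struct frag {
    uint32_t offset;
    uint32_t len;
};

#define IP_MAX_LEN 65535u

/* Teardrop check: the fragments of one datagram must not overlap one another,
 * must carry data, and must not extend past the 65535-byte IP maximum.
 * Returns 0 if the set is sane, otherwise the 1-based index of the first
 * fragment that breaks a rule. Quadratic on purpose: fragment counts are tiny
 * and this avoids sorting a caller-owned array. */
static int first_bad_fragment(const struct frag *f, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t end_i = (uint64_t)f[i].offset + f[i].len;
        if (f[i].len == 0 || end_i > IP_MAX_LEN)
            return (int)i + 1;
        for (size_t j = 0; j < i; j++) {
            uint64_t end_j = (uint64_t)f[j].offset + f[j].len;
            /* half-open ranges [offset, end) overlap iff each starts before the other ends */
            if (f[i].offset < end_j && f[j].offset < end_i)
                return (int)i + 1;
        }
    }
    return 0;
}

int main(void)
{
    /* constructed samples */
    struct pkt land = { 0xC0A80001u, 0xC0A80001u, 139, 139, 1 };
    struct pkt normal = { 0xC0A80002u, 0xC0A80001u, 40000, 139, 1 };
    struct frag clean[] = { {0, 1480}, {1480, 1480}, {2960, 200} };
    struct frag teardrop[] = { {0, 36}, {24, 4} };   /* second lands inside the first */

    printf("LAND packet dropped: %d, normal SYN dropped: %d\n",
           is_land(&land), is_land(&normal));
    printf("clean fragment set: %d, teardrop set: %d\n",
           first_bad_fragment(clean, 3), first_bad_fragment(teardrop, 2));
    return 0;
}
```

is_land rejects a SYN whose source equals its destination outright. first_bad_fragment rejects a fragment set as soon as two pieces overlap or one would run past the 65535-byte IP limit, which is exactly the "overlapping, oversized" case in the Teardrop description, and it reports which fragment tripped. One caveat a practitioner should keep in mind: overlapping fragments are not always hostile (retransmissions can produce them), so modern reassemblers resolve overlaps deterministically rather than crashing, and a strict drop-on-overlap filter trades a little legitimate traffic for simplicity.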
Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having higher bandwidth available than the victim; a common way of achieving this today is via Distributed Denial of Service, employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs.

A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets.

An attacker with access to a victim's computer may slow it until it is unusable or crash it by using a fork bomb.

A 'pulsing zombie' is a term referring to a special denial-of-service attack. A network is subjected to hostile pinging by different attacker computers over an extended amount of time. This results in a degraded quality of service and increased workload for the network's resources. This type of attack is more difficult to detect than traditional denial-of-service attacks due to its surreptitious nature.

Nukes

Nukes are malformed or specially crafted packets. WinNuke is a type of nuke, exploiting a vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data is sent to TCP port 139 of the victim machine, causing it to lock up and display a Blue Screen of Death. This attack was very popular among IRC-dwelling script kiddies, due to the easy availability of a user-friendly click-and-crash WinNuke program.
Distributed Distributed attack A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually a web server(s). These systems are compromised by attackers using a variety of methods. Malware can carry DDoS attack mechanisms; one of the more well known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack. 28
A system system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web. Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are comp comprom romis ised ed via via the the handl handler erss by the the atta attack cker er,, usin using g automa automate ted d rout routin ines es to expl exploi oitt vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents. Thes Th esee coll collec ecti tions ons of compr comprom omis ised ed syst system emss are are know known n as botnet botnets. s. DDoS DDoS tool toolss like like stac stachel heldr draht aht stil stilll use use clas classi sicc DoS DoS atta attack ck meth method odss cente centere red d aroun around d ip spoo spoofi fing ng and and amplification like smurf and fraggle attacks (these are also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes. (see next section) Unlike MyDooms DDoS mechanism, botnets can be turned against any ip address. Script kiddies use them to deny the availability of well known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion -- even against their business rivals. It is important to note the difference between a DDoS and DoS attack. If an attacker mounts a smurf attack from a single host it would be classed as a DoS attack. 
In fact, any attack against availability (e.g. using high-energy radio-frequency weapons to render computer equipment inoperable) would be classed as a denial of service attack, albeit an exotic one. On the other hand, if an attacker uses a thousand zombie systems to simultaneously launch smurf attacks against a remote host, this would be classed as a DDoS attack.
Reflected attack
A distributed reflected denial of service attack involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. ICMP Echo Request attacks (described above) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of misconfigured networks, thereby enticing a large number of hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack. Many services can be exploited to act as reflectors, some harder to block than others. DNS amplification attacks involve a new mechanism that increased the amplification effect, using a much larger list of DNS servers than seen earlier.
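A detector for the reflection pattern just described, added here as an example (it is not part of the original text): it pairs each response reaching the victim with a request the victim actually sent, so replies that nobody asked for, arriving from many distinct hosts, stand out. The flow records, addresses and thresholds are constructed for the illustration.

```python
from collections import defaultdict

# Constructed flow records for this example: (time, src, dst, proto, kind, bytes).
# "kind" is the application-level direction: a DNS query or ICMP echo request is a
# "request"; a DNS answer or ICMP echo reply is a "response".
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = [
    (0.0, VICTIM, "198.51.100.1", "dns", "request", 60),       # a lookup the victim made ...
    (0.1, "198.51.100.1", VICTIM, "dns", "response", 400),     # ... and its legitimate answer
    (5.0, "198.51.100.2", VICTIM, "dns", "response", 3000),    # answers the victim never asked for
    (5.0, "198.51.100.3", VICTIM, "dns", "response", 3000),
    (5.1, "198.51.100.4", VICTIM, "dns", "response", 3000),
    (5.1, "198.51.100.5", VICTIM, "icmp", "response", 1400),   # echo replies to forged requests
    (5.2, "198.51.100.6", VICTIM, "icmp", "response", 1400),
]


def detect_reflection(flows, victim, window=5.0, min_sources=3):
    """Flag responses to `victim` that no request from `victim` explains.

    A forged request carries the victim's source address, so the victim receives
    replies it never solicited. Many distinct unsolicited responders in a short
    time is the signature of a reflected attack; the byte counts show how much
    traffic the reflectors add on top of what was (forged) towards them.
    """
    outstanding = {}                 # (responder, proto) -> time of the victim's last request
    unsolicited = defaultdict(int)   # responder -> bytes of unexplained responses
    solicited_bytes = 0
    for t, src, dst, proto, kind, size in sorted(flows):
        if kind == "request" and src == victim:
            outstanding[(dst, proto)] = t
        elif kind == "response" and dst == victim:
            asked = outstanding.get((src, proto))
            if asked is not None and 0 <= t - asked <= window:
                solicited_bytes += size
            else:
                unsolicited[src] += size
    reflectors = sorted(unsolicited)
    return {
        "reflectors": reflectors,
        "unsolicited_bytes": sum(unsolicited.values()),
        "solicited_bytes": solicited_bytes,
        "is_reflection": len(reflectors) >= min_sources,
    }
```

Smurf-style ICMP floods show up the same way: a burst of echo replies from a whole subnet with no matching echo requests from the victim.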
Unintentional attack
This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example as part of a news story. The result is that a significant proportion of the primary site's regular users (potentially hundreds of thousands of people) click that link in the space of a few hours, having the same effect on the target website as a DDoS attack. News sites and link sites (sites whose primary function is to provide links to interesting content elsewhere on the Internet) are most likely to cause this phenomenon. The canonical example is the Slashdot effect. Sites such as Digg, Fark, Something Awful and the webcomic Penny Arcade have their own corresponding "effects", known as "the Digg effect", "farking", "goonrushing" and "wanging", respectively. Routers have also been known to create unintentional DoS attacks, as both D-Link and Netgear routers have created NTP vandalism by flooding NTP servers without respecting the restrictions of client types or geographical limitations.
Incidents
The first major attack involving DNS servers as reflectors occurred in January 2001. The attack was directed at the site Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack), lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS servers that was at least a year old (at the time of the attack). In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS related attacks, including an optimized form of a reflection attack...
Effects
Denial of service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by a DoS, meaning not only will the intended computer be compromised, but the entire network will also be disrupted. This is another, more complex form of the DDoS, wherein the "zombies" can be located on the target system itself, thus increasing network traffic on either side of the target. If the DoS is conducted on a sufficiently large scale, entire geographical swathes of Internet connectivity can also be compromised by incorrectly configured or flimsy network infrastructure equipment without the attacker's knowledge or intent. For this reason, most, if not all, ISPs ban the practice.
Common malware
• Stacheldraht
• Tribe Flood Network
• Trinoo
Prevention and response
Surviving attacks
The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, call backs, emails, pages and faxes between the victim organization, its provider and others involved. It is a time consuming process, so it should begin immediately. It has taken some very large networks with plenty of resources several hours to halt a DDoS. The easiest way to survive an attack is to have planned for the attack. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL line) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack. Filtering is generally pretty ineffective, as the route to the filter will normally be swamped so only a trickle of traffic will survive.
SYN cookies
SYN cookies modify the TCP protocol handling of the server by delaying allocation of resources until the client address has been verified. This seems to be the most powerful defense against SYN attacks. There are Solaris and Linux implementations. The Linux implementation can be turned on at runtime of the Linux kernel.
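An added illustration of the SYN cookie idea, not code from the page or from any kernel: the server folds a time slot, an MSS index and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN-ACK, and allocates nothing until the client's ACK echoes a valid cookie back. The secret, the MSS table and the 64-second slot width are constructed choices for this example, modelled on the classic layout (5 bits of time, 3 bits of MSS index, 24 bits of hash).

```python
import hashlib
import hmac
import struct
import time

# Constructed per-boot secret for this example; a real server would generate its own.
SECRET = b"example-syn-cookie-secret"

# MSS values the server is willing to remember; the index is stored in 3 bits of the cookie.
MSS_TABLE = [536, 1300, 1440, 1460]


def _cookie_hash(src_ip, dst_ip, src_port, dst_port, t):
    """24-bit keyed hash over the connection 4-tuple (IPs as 4 raw bytes) and the time counter."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, src_port, dst_port, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _time_slot(now):
    return (now // 64) & 0x1F          # 5-bit counter that advances every 64 seconds


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, now=None):
    """Initial sequence number for the SYN-ACK. No per-connection state is stored."""
    now = int(time.time()) if now is None else now
    t = _time_slot(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):  # largest table entry not above the client's MSS
        if mss <= client_mss:
            mss_idx = i
    h = _cookie_hash(src_ip, dst_ip, src_port, dst_port, t)
    return (t << 27) | (mss_idx << 24) | h


def check_syn_cookie(cookie, src_ip, dst_ip, src_port, dst_port, now=None):
    """Validate the cookie echoed back in the client's ACK (ACK number minus one).

    Returns the negotiated MSS, or None if the cookie is forged, replayed for a
    different 4-tuple, or older than the previous time slot.
    """
    now = int(time.time()) if now is None else now
    t = (cookie >> 27) & 0x1F
    # Accept only the current and the previous 64-second slot (about two minutes).
    if ((_time_slot(now) - t) & 0x1F) > 1:
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(src_ip, dst_ip, src_port, dst_port, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handshake(src_ip, dst_ip, src_port, dst_port, client_mss, ack_delay, now):
    """Simulate SYN -> SYN-ACK(cookie) -> ACK(cookie + 1); returns the MSS or None."""
    cookie = make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, now)
    ack_number = (cookie + 1) & 0xFFFFFFFF            # what a real client puts in its ACK
    return check_syn_cookie((ack_number - 1) & 0xFFFFFFFF,
                            src_ip, dst_ip, src_port, dst_port, now + ack_delay)
```

A flood of SYNs from forged addresses therefore costs the server one HMAC per packet and no memory, because the half-open entry is never created.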
Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. DoS attacks are too complex for today's firewalls. For example, if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy: your router may be affected even before the firewall gets the traffic. Modern stateful firewalls like Check Point FW1 NGX and Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers).
Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN link failover and balancing. These schemes will work as long as the DoS attacks are something that can be prevented using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate thresholds correctly and granularly. WAN link failover will work as long as both links have a DoS/DDoS prevention mechanism.
Routers
Similar to switches, routers have some rate-limiting and ACL capability. They too are manually set. Most routers can be easily overwhelmed under a DoS attack. If you add rules to take flow statistics out of the router during the DoS attack, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings.
Application front end hardware Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.
IPS based prevention
Intrusion prevention systems are effective if the attacks have signatures associated with them. However, the trend among attacks is to have legitimate content but bad intent. IPS systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS can detect and block denial of service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern to determine whether there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
Passwords
Passwords to access computer systems are usually stored, typically not in cleartext form, in a database so the system can perform password verification when users attempt to log in. To preserve confidentiality of system passwords, the password verification data is typically generated by applying a one-way function to the password, possibly in combination with other data. For simplicity in this discussion, when the one-way function (which may be either an encryption function or a cryptographic hash) does not incorporate a secret key, other than the password, we will refer to the one-way function employed as a hash and its output as a hashed password. Even though functions that create hashed passwords may be cryptographically secure, possession of a hashed password provides a quick way to test guesses for the password by applying the function to each guess, and comparing the result to the verification data. The most commonly used hash functions can be computed rapidly and the attacker can test guesses repeatedly with different guesses until one succeeds, meaning the plaintext password has been recovered. The term password cracking is typically limited to recovery of one or more plaintext passwords from hashed passwords. Password cracking requires that an attacker can gain access to a hashed password, either by reading the password verification database (e.g., via a Trojan horse, virus program, or social engineering) or intercepting a hashed password sent over an open network, or has some other way to rapidly and without limit test whether a guessed password is correct. Without the hashed version of a password, the attacker can still attempt access to the computer system in question with guessed passwords. However, well designed systems limit the number of failed access attempts and can alert administrators to trace the source of the attack if that quota is exceeded.
With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chances of cracking at least one are quite high. There are also many other ways of obtaining passwords illicitly, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attacks, acoustic cryptanalysis, identity management system attacks and compromising host security (see password for details). However, cracking usually designates a guessing attack.
Cracking may be combined with other techniques. For example, use of a hash-based challenge-response authentication method for password verification may provide a hashed password to an eavesdropper, who can then crack the password. A number of stronger cryptographic protocols exist that do not expose hashed passwords during verification over a network, either by protecting them in transmission using a high-grade key, or by using a zero-knowledge password proof.
Principal attack methods
Weak encryption
If a system uses a cryptographically weak function to hash or encrypt passwords, exploiting that weakness can recover even 'well-chosen' passwords. Decryption need not be a quick operation, and can be conducted while not connected to the target system. Any 'cracking' technique of this kind is considered successful if it can decrypt the password in fewer operations than would be required by a brute force attack (see below). The fewer operations required, the "weaker" the encryption is considered to be (for equivalently well chosen passwords). One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length. LM hash breaks the password into two 7-character fields which are then hashed separately, allowing each half to be attacked separately. Progress in cryptography has made available functions which are believed to actually be "one way" hashes, such as MD5 or SHA-1. These are thought to be impossible to invert in practice. When quality implementations of good cryptographic hash functions are correctly used for authentication, password cracking through decryption can be considered infeasible.
Guessing
Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:
• blank (none)
• the words "password", "passcode", "admin" and their derivatives
• the user's name or login name
• the name of their significant other or another relative
• their birthplace or date of birth
• a pet's name
• automobile licence plate number
• a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
• a row of letters from a standard keyboard layout (e.g., the qwerty keyboard: qwerty itself, asdf, or qwertyuiop) and so on
Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account. The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.
Dictionary attack
A dictionary attack also exploits the tendency of people to choose weak passwords, and is related to the previous attack. Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
• words in various languages
• names of people
• places
• commonly used passwords
The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password. This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second. Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.
Brute force attack
A last resort is to try every possible password, known as a brute force attack. In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively small. But how small is too small? A common current length recommendation is 8 or more randomly chosen characters combining letters, numbers, and special (punctuation, etc.) characters. Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices make such attacks easier. Using longer passwords in such cases (if possible on a particular system) can compensate for a limited allowable character set. And, of course, even with an adequate range of character choice, users who ignore that range (using only upper case alphabetic characters, or digits alone, for instance) make brute force attacks much easier against those password choices. Generic brute-force search techniques can be used to speed up the computation. But the real threat is more likely to come from smart brute-force techniques that exploit knowledge about how people tend to choose passwords. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8 character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen. Note: this number is far less than what is generally considered to be safe for an encryption key.
How small is too small thus depends partly on an attacker's ingenuity and resources (e.g., available time, computing power, etc.), the latter of which will increase as computers get faster. Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose. The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, may or may not incorporate knowledge about the victim, and may or may not be linguistically derived. Each of the three approaches, particularly 'dictionary attack', is frequently used as an umbrella term to denote all three attacks and the spectrum of attacks encompassed by them.
Precomputation
In its most basic form, precomputation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the pairs in a way that enables lookup on the ciphertext field. This way, when a new encrypted password is obtained, password recovery is instantaneous. Precomputation can be very useful for a dictionary attack if salt is not used properly (see below), and the dramatic decrease in the cost of mass storage has made it practical for fairly large dictionaries. Advanced precomputation methods exist that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)). The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes. Another example [1] cracks alphanumeric Windows LAN Manager passwords in a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager, which uses a particularly weak method of hashing the password. Current Windows systems still compute and store a LAN Manager hash by default for backwards compatibility. [2] A technique similar to precomputation, known generically as memoization, can be used to crack multiple passwords at the cost of cracking just one. Since encrypting a word takes much longer than comparing it with a stored word, a lot of effort is saved by encrypting each word only once and comparing it with each of the encrypted passwords using an efficient list search algorithm. The two approaches may of course be combined: the time-space tradeoff attack can be modified to crack multiple passwords simultaneously in a shorter time than cracking them one after the other.
Salting
The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting. When the user sets a password, a short, random string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is usually different for each user, the attacker can no longer construct tables with a single encrypted version of each candidate password. Early Unix systems used a 12-bit salt. Attackers could still build tables with common passwords encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough (e.g. 32 bits), there are too many possibilities and the attacker must repeat the encryption of every guess for each user.
Early Unix password vulnerability
Early Unix implementations used a 12-bit salt, which allowed for 4096 possibilities, and limited passwords to 8 characters. While 12 bits was good enough for most purposes in the 1970s (although some expressed doubts even then), by 2005 disk storage had become cheap enough that an attacker can precompute encryptions of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. An attacker with a larger budget can build a disk farm with all 6 character passwords and the most common 7 and 8 character passwords stored in encrypted form, for all 4096 possible salts. And when several thousand passwords are being cracked at once, memoization still offers some benefit. Since there is little downside to using a longer (say 32-, 64- or 128-bit) salt, and it renders any precomputation or memoization hopeless, modern implementations choose to do so.
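The precomputation, memoization and salting arguments above, worked through as added example code (not from the page): an unsalted table gives instant lookups and serves any number of captured hashes, while a per-user salt forces the whole dictionary to be rehashed for every user. The word list and the use of SHA-256 as the one-way function are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a cracking dictionary.
DICTIONARY = ["password", "letmein", "qwerty", "hunter2", "dragon", "admin123"]


def unsalted_hash(password):
    """Stand-in for an unsalted one-way function (SHA-256 here)."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words):
    """Precomputation: hash every candidate once, keyed on the hash so lookup is instant."""
    return {unsalted_hash(w): w for w in words}


def lookup_precomputed(table, stored_hash):
    """Recover a password from an unsalted hash without doing any more hashing."""
    return table.get(stored_hash)


def crack_unsalted_batch(stored_hashes, words):
    """Memoization: hash each word once and compare it against every stored hash."""
    table = build_precomputed_table(words)
    return {h: table[h] for h in stored_hashes if h in table}


def salted_hash(password, salt):
    """The salt is mixed in before hashing; it is stored beside the hash, not kept secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_user_record(password, salt=None):
    """Create a verifier with a random 32-bit salt (the size the text gives as sufficient)."""
    salt = os.urandom(4) if salt is None else salt
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_salted(record, password):
    """What the login path does: rehash with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def crack_salted(record, words):
    """With a per-user salt, every candidate has to be rehashed for this one user.

    Returns (password or None, number of hash computations spent).
    """
    work = 0
    for w in words:
        work += 1
        if salted_hash(w, record["salt"]) == record["hash"]:
            return w, work
    return None, work


def salted_work(records, words):
    """Total hash computations to run the dictionary against each salted record;
    grows with the number of users, unlike the one-off unsalted table."""
    return sum(crack_salted(r, words)[1] for r in records)
```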
Prevention
The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the Unix operating system, encrypted passwords were originally stored in a publicly accessible file, "/etc/passwd". On modern Unix (and similar) systems, on the other hand, they are stored in the file "/etc/shadow", which is accessible only to programs running with enhanced privileges (i.e., 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first instance. Unfortunately, many common network protocols transmit the hashed passwords to allow remote authentication. Even if the attacker has no access to the password database itself, every attacker should also be prevented from being able to use the system itself to check a large number of passwords in a relatively small amount of time. For this reason, many systems include a significant forced delay (a few seconds is generally sufficient) between the entry of the password and returning a result. Also, it is a good policy to (temporarily) lock out an account that has been subjected to 'too many' incorrect password guesses, although this could be exploited to launch a denial of service attack. Too many in this context is frequently taken to be something like more than 3 failed attempts in 90 seconds, or more than a dozen failed attempts in an hour.
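The online-guessing defences in this paragraph as an added example (not code from the page): a sliding-window lockout using the thresholds quoted above, combined with the deliberately slow key derivation function PBKDF2 that the page names for key strengthening, so that each guess is expensive whether it is made against the login path or against a stolen hash. The round count and the 128-bit salt are example choices.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Thresholds quoted in the text: more than 3 failures in 90 seconds, or more than a dozen in an hour.
LOCKOUT_LIMITS = [(3, 90), (12, 3600)]
PBKDF2_ROUNDS = 200_000      # work factor: each guess costs this many HMAC iterations


def make_record(password, rounds=PBKDF2_ROUNDS):
    """Store salt, round count and derived key; the 128-bit salt is per user."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "key": key}


def verify(record, password):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(key, record["key"])   # constant-time comparison


class LoginGuard:
    """Per-account failure history with sliding-window lockout."""

    def __init__(self, limits=LOCKOUT_LIMITS):
        self.limits = limits
        self.longest = max(window for _, window in limits)
        self.failures = defaultdict(deque)     # user -> timestamps of recent failures

    def is_locked(self, user, now):
        history = self.failures[user]
        while history and now - history[0] > self.longest:
            history.popleft()                  # forget failures outside every window
        return any(sum(1 for t in history if now - t <= window) > limit
                   for limit, window in self.limits)

    def attempt(self, user, record, password, now=None):
        """Returns 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        if verify(record, password):
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        return "denied"
```

Because the lockout is per account, an attacker can deliberately lock a victim out, which is the denial of service trade-off the paragraph mentions; a common mitigation is to pair it with per-source limits rather than rely on it alone.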
It is also imperative to choose good passwords (see password for more information) and a good encryption or hash algorithm that has stood the test of time. AES, SHA-1, and MD5 are common choices. Good implementations, including adequate salt, are also required. Key derivation functions, such as PBKDF2, are hashes that consume relatively large amounts of computer time so as to slow down the rate at which an attacker can test guesses, even if the hashed password is available. This process is known as key strengthening. However, no amount of effort put into preventing password cracking can be sufficient without a well-designed and well-implemented security policy. The canonical and all too common example of this is the user who leaves their password on a Post-It note stuck to their monitor or under their keyboard. Even sophisticated users who have been warned repeatedly are known to have such lapses.
Password cracking programs
• Ophcrack - Open source
Ophcrack is an open source (GPL license) program that cracks Windows LM hashes using rainbow tables. It can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. There is also a LiveCD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Starting with version 2.3, Ophcrack also cracks NT hashes.
• Crack
Crack is a Unix password cracking program designed to allow system administrators to locate users who may have weak passwords vulnerable to a dictionary attack. Crack began in 1990 when Alec Muffett, a Unix system administrator at the University of Wales Aberystwyth, was trying to improve Dan Farmer's 'pwc' cracker in COPS and found that by re-engineering its memory management he got a noticeable performance increase. This led to a total rewrite which became "Crack v2.0" and further development to improve usability.
• Cain
Cain and Abel is a Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing, and cracks various password hashes using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain. Cain and Abel is maintained by Massimiliano Montoro.
• John the Ripper
John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (11 flavors of Unix, counting each flavor only once for all the architectures it supports, plus DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and the Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others. John the Ripper is a perfectly safe program to install and run on your computer. If you are running a multi-user system, you should make sure you are shadowing your password file such that the hashes are not visible; however, even if you are not, not installing John will not prevent a malicious user from running John on their own computer with your hashes[citation needed].
• LC5 (formerly L0phtCrack)
L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. It was one of the crackers' tools of choice, although most use old versions because of its price and low availability. The application was produced by @stake after the L0pht merged with @stake in 2000. @stake was acquired by Symantec in 2004. Symantec has since stopped selling this tool to new customers citing US Government export regulations, and has announced that they will discontinue support by the end of 2006. LC5 can still be found at SecTools.Org and other unofficial mirrors.
• RainbowCrack
RainbowCrack is the name of a computer program which performs password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large precomputed files called rainbow tables to reduce drastically the length of time needed to crack a password. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.
Sniffers: Basics and Detection
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Introduction
A sniffer is a program or a device that eavesdrops on the network traffic by grabbing information traveling over a network. Sniffers basically are "data interception" technology. They work because Ethernet was built around a principle of sharing. Most networks use broadcast technology wherein messages for one computer can be read by another computer on that network. In practice, all the other computers except the one for which the message is meant will ignore that message. However, computers can be made to accept messages even if they are not meant for them. This is done by means of a sniffer! Many people assume computers connected to a switch are safe from sniffing. Nothing could be further from the truth. Computers connected to switches are just as vulnerable to sniffing as those connected to a hub. This article seeks to explore the topic of sniffers, how they work, and detecting and protecting your assets against the malicious use of these programs. Finally, towards the end we will talk about some commonly available sniffers.
How A Sniffer Works
A computer connected to the LAN has two addresses. One is the MAC (Media Access Control) address that uniquely identifies each node in a network and is stored on the network card itself. It is the MAC address that gets used by the Ethernet protocol while building “frames” to transfer data to and from a machine. The other is the IP address, which is used by applications. The Data Link Layer uses an Ethernet header with the MAC address of the destination machine rather than the IP address. The Network Layer is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. It initially looks up the MAC address of the destination machine in a table, usually called the ARP (Address Resolution Protocol) cache. If no entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that address responds to the source machine with its MAC address. This MAC address then gets added to the source machine’s ARP cache. The source machine in all its communications with the destination machine then uses this MAC address. There are two basic types of Ethernet environments, and how sniffers work in both these cases is slightly different.
Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus when a machine Venus
46
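The ARP mechanism described above is exactly what a sniffer on a switched network abuses: a host's ARP cache trusts whatever reply arrives, so an IP can be re-pointed at the wrong card. The following is an added example (not code from the original page): it replays a constructed stream of ARP replies through a model of that cache and alerts when an IP is rebound to a different MAC or when one MAC claims several IPs, which is what a practitioner would watch for to detect this kind of interception. The addresses, the `ArpReply` record and the `PINNED` static entries are all constructed assumptions.

```python
"""ARP-cache consistency monitor for switched Ethernet (added example).

A host's ARP cache trusts whatever reply arrives, so a machine that wants to
intercept traffic can re-point an IP at its own MAC. This code replays a
constructed stream of ARP replies through a model of that cache and raises an
alert whenever an IP is rebound to a different MAC, or one MAC claims several
IPs. All addresses are constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds, constructed timestamp
    ip: str     # sender protocol address the reply claims
    mac: str    # sender hardware address


# Constructed sample: 192.168.1.1 is the gateway. At t=12.0 a second MAC
# starts answering for it, then also for a host; that is the ARP-poisoning
# pattern behind interception on a switched segment.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(1.0, "192.168.1.20", "00:11:22:33:44:20"),
    ArpReply(2.0, "192.168.1.30", "00:11:22:33:44:30"),
    ArpReply(12.0, "192.168.1.1", "00:11:22:33:44:99"),
    ArpReply(12.5, "192.168.1.20", "00:11:22:33:44:99"),
]

# Assumed static (pinned) entries an administrator would configure for
# critical hosts such as the default gateway.
PINNED = {"192.168.1.1": "00:11:22:33:44:01"}


def monitor(replies):
    """Replay ARP replies; return (alerts, cache) where cache maps ip -> mac."""
    cache = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.mac.lower()
        previous = cache.get(r.ip)
        if previous is not None and previous != mac:
            # The same IP is now answered by a different card: classic poisoning.
            alerts.append({"type": "rebind", "ts": r.ts, "ip": r.ip,
                           "old_mac": previous, "new_mac": mac})
        cache[r.ip] = mac
        ips_by_mac[mac].add(r.ip)
        if len(ips_by_mac[mac]) > 1:
            # One card claiming several IPs is how an interceptor sits between hosts.
            alerts.append({"type": "multi_ip_mac", "ts": r.ts, "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})
    return alerts, cache


def pinned_violations(cache, pinned=PINNED):
    """IPs whose learned MAC disagrees with the administrator's static entry."""
    return sorted(ip for ip, mac in pinned.items()
                  if ip in cache and cache[ip] != mac.lower())


if __name__ == "__main__":
    found, learned = monitor(SAMPLE_REPLIES)
    for alert in found:
        print(alert)
    print("pinned violations:", pinned_violations(learned))
```

On a real host the same logic would be fed from the ARP replies seen on the wire or from periodic dumps of the local ARP cache; pinning the gateway's entry statically is the matching protection, and `pinned_violations` shows how to check that the learned table still agrees with it.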
Well-known packet sniffers
• AiroPeek
• dSniff
• Ethereal
• EtherPeek
• Ettercap
• Kismet
• Javvin Packet Analyzer
• NetStumbler
• Network General Sniffer
• Network Instruments Observer
• OmniPeek
• PRTG
• snoop (Solaris)
• tcpdump
• Wireshark (formerly known as Ethereal[1])
• WPE (Winsock packet editor)
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.

Man-in-the-middle attack and internet protocol spoofing
An example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing he's Bob, and spoofs Bob into believing he's Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort. The attacker must monitor the packets sent from Alice to Bob and then guess the sequence number of the packets. Then the attacker knocks out Alice with a SYN attack and injects his own packets, claiming to have the address of Alice. Alice's firewall can defend against some spoof attacks when it has been configured with knowledge of all the IP addresses connected to each of its interfaces. It can then detect a spoofed packet if it arrives at an interface that is not known to be connected to the IP address. Many carelessly designed protocols are subject to spoof attacks, including many of those used on the Internet. See Internet protocol spoofing.
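The firewall defence just described (knowing which addresses belong behind each interface and rejecting a packet that arrives on the wrong one) is ingress filtering. The block below is an added example, not code from the original page: a small model of that filter over a constructed topology, showing a packet "claiming to have the address of Alice" being dropped because it arrived on the outside interface. Interface names (`lan0`, `dmz0`, `wan0`), prefixes and sample packets are constructed assumptions.

```python
"""Interface-aware anti-spoofing check, i.e. ingress filtering (added example).

The firewall knows which source prefixes sit behind each interface. A packet
whose source address cannot legitimately arrive on the interface it came in
on is treated as spoofed and dropped. Topology and packets are constructed.
"""
import ipaddress

# Constructed topology. None marks the external interface, on which any
# address is acceptable except those that belong to an internal segment.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.168.1.0/24")],
    "dmz0": [ipaddress.ip_network("10.10.0.0/16")],
    "wan0": None,
}


def internal_networks():
    """All prefixes that belong to an internal (non-external) interface."""
    return [net for nets in INTERFACE_PREFIXES.values() if nets for net in nets]


def is_spoofed(iface, src_ip):
    """True when src_ip cannot legitimately arrive on iface."""
    if iface not in INTERFACE_PREFIXES:
        raise KeyError(f"unknown interface {iface!r}")
    src = ipaddress.ip_address(src_ip)
    nets = INTERFACE_PREFIXES[iface]
    if nets is None:
        # External side: internal or loopback sources are always forged.
        return src.is_loopback or any(src in net for net in internal_networks())
    # Internal side: only that segment's own prefixes may appear as source.
    return not any(src in net for net in nets)


def filter_packets(packets):
    """packets: iterable of (iface, src_ip, dst_ip). Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (dropped if is_spoofed(iface, src) else accepted).append(pkt)
    return accepted, dropped


# Constructed sample traffic; 192.168.1.20 plays the role of Alice.
SAMPLE_PACKETS = [
    ("lan0", "192.168.1.20", "203.0.113.5"),    # Alice talking out: fine
    ("wan0", "203.0.113.5", "192.168.1.20"),    # reply from the Internet: fine
    ("wan0", "192.168.1.20", "192.168.1.30"),   # "Alice" arriving from outside: spoofed
    ("lan0", "10.10.0.7", "192.168.1.1"),       # DMZ address on the LAN port: spoofed
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped:", bad)
```

The check is cheap because it never inspects payload or sequence numbers: it only asks whether the claimed source belongs where the packet physically appeared, which is why it stops address spoofing from outside but cannot help against a spoofer already on the same segment.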
URL spoofing and phishing
Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under the control of the attacker. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords. This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display incorrect URLs in the browser's location bar, or with DNS cache poisoning in order to direct the user away from the legitimate site and to the fake one. Once the user puts in their password, the attack code reports a password error, then redirects the user back to the legitimate site.

Referer spoofing
Some websites, especially pornographic paysites, allow access to their materials only from certain approved (login) pages. This is enforced by checking the Referer header of the HTTP request. This referer header however can be changed (known as "Referer spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access to the materials.

Poisoning of file-sharing networks
"Spoofing" can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks, to discourage downloading from these sources.
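The Referer check above fails because the header is supplied by the client. The block below is an added example (not code from the original page) that puts the weak check next to the one a site should use instead: a server-issued session secret the client cannot make up. The host name, the in-memory `SESSIONS` store and the sample request headers are constructed assumptions.

```python
"""Referer-based access control beside a session-based one (added example).

The Referer header is chosen by the client, so a check on it grants access to
anyone who sets the right value. A server-issued session token is looked up
in server-side state and cannot be forged. Host names, the session store and
the sample request are constructed.
"""
import secrets
from urllib.parse import urlsplit

TRUSTED_HOST = "members.example.test"   # constructed "approved login page" host
SESSIONS = {}                           # token -> username (server-side state)


def referer_allows(headers):
    """The weak check: grant access if the Referer names the approved page."""
    referer = headers.get("Referer", "")
    return urlsplit(referer).hostname == TRUSTED_HOST


def login(username):
    """Issue an unguessable session token after a (here, assumed) password check."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def session_allows(headers):
    """The stronger check: a valid server-issued token in the Cookie header."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return True
    return False


def decide(headers):
    """Return (referer_verdict, session_verdict) for one request's headers."""
    return referer_allows(headers), session_allows(headers)


# Constructed request from a client that never logged in but set Referer itself.
FORGED_REFERER_REQUEST = {
    "Referer": f"https://{TRUSTED_HOST}/login",
    "Cookie": "session=guess",
}

if __name__ == "__main__":
    print("forged request:", decide(FORGED_REFERER_REQUEST))
    token = login("alice")
    print("logged-in request:", decide({"Cookie": f"session={token}"}))
```

The same reasoning applies to any client-controlled header (User-Agent, X-Forwarded-For, Origin): they are useful as hints and for logging, never as the sole gate on protected material.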
Caller ID spoofing
In public telephone networks, it has for a long while been possible to find out who is calling you by looking at the Caller ID information that is transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and also with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity and present false names and numbers, which could of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be transmitted to any phone on the planet, which makes the whole Caller ID information now next to useless. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country to the receiver, which means that it is very difficult to have a legal framework to control those who would use fake Caller IDs as part of a scam.
Trojan horse
Example of a simple Trojan horse
A simple example of a trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the victim's computer.

Types of Trojan horses
Trojan horses are almost always designed to do various harmful things, but could be harmless. They are classified based on how they breach systems and the damage they cause. The seven main types of Trojan horses are:
• Remote Access Trojans
• Data Sending Trojans
• Destructive Trojans
• Proxy Trojans
• FTP Trojans
• security software disabler Trojans
• denial-of-service attack (DoS) Trojans
• URL Trojans

Some examples are:
• erasing or overwriting data on a computer.
• encrypting files in a cryptoviral extortion attack.
• corrupting files in a subtle way.
• uploading and downloading files.
• allowing remote access to the victim's computer. This is called a RAT (remote administration tool).
• spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'.
• setting up networks of zombie computers in order to launch DDoS attacks or send spam.
• spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware).
• making screenshots.
• logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger).
• phishing for bank or other account details, which can be used for criminal activities.
• installing a backdoor on a computer system.
• opening and closing the CD-ROM tray.
• harvesting e-mail addresses and using them for spam.
• restarting the computer whenever the infected program is started.
Time bombs and logic bombs
"Time bombs" and "logic bombs" are types of trojan horses. "Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.
Droppers Droppers perform two tasks at once. A dropper performs a legitimate task but also installs a computer virus or a computer worm on a system or disk at the same time.
Precautions against Trojan horses
Trojan horses can be protected against through end-user awareness. Trojan Horse viruses can cause a great deal of damage to a personal computer, but even more damage to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan Horse virus is hidden, it is harder to protect yourself or your company from it, but there are things that you can do. Trojan Horses are most commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan Horse is hidden. The best ways to protect yourself and your company from Trojan Horses are as follows:
1. If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. Some hackers have the ability to steal address books, so if you see e-mail from someone you know, it is not necessarily safe.
2. When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.
3. Make sure your computer has an anti-virus program on it and update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way, if you forget to update your software, you can still be protected from threats.
4. Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses. Software developers like Microsoft offer patches that in a sense "close the hole" that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer.
5. Avoid using peer-to-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella, because they are generally unprotected from viruses and Trojan Horse viruses spread through them especially easily. Some of these programs do offer some virus protection, but this is often not strong enough. If you insist on using P2P, it would be safe to not download files that claim to be "rare" songs, books, movies, pictures, etc.
Besides these sensible precautions, one can also install anti-trojan software, some of which is offered free.
Methods of Infection
The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised not to open unexpected attachments on emails: the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an instant message, downloaded from a website or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.

Websites: You can be infected by visiting a rogue website.

Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly.

Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide file-sharing capabilities such as instant messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port, giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured. A firewall may be used to limit access to open ports.
Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution either. Some modern trojans arrive through instant messengers as a very important-looking message that in fact carries a trojan; the .exe files have names that are the same as, or look the same as, those of Windows system processes like 'Svchost.exe'. Some of the look-alike trojans are:
• Svchost32.exe
• Svhost.exe
• back.exe
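Look-alike names of this kind are easy to check for mechanically: a running image whose name is within an edit or two of a genuine system binary, or a genuine name running from the wrong directory, deserves a second look. The block below is an added example (not code from the original page) that does that over a constructed process list; the `KNOWN_SYSTEM_IMAGES` table, the expected directories (assumed from a default Windows install) and the sample processes are constructed assumptions.

```python
"""Flag process images that impersonate Windows system binaries (added example).

Names like Svhost.exe or Svchost32.exe differ from svchost.exe by a character
or two, and a genuine name in the wrong directory is just as suspicious. The
process list is constructed; expected directories assume a default install.
"""
from dataclasses import dataclass

# Genuine image name -> directory the real binary lives in (assumption).
KNOWN_SYSTEM_IMAGES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image_path: str   # full path as the OS reports it


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(name):
    """File name without its .exe suffix."""
    return name[:-4] if name.endswith(".exe") else name


def classify(proc, max_distance=2):
    """Return (verdict, reference); verdict is ok / wrong_path / lookalike / unknown."""
    path = proc.image_path.lower()
    directory, _, name = path.rpartition("\\")
    expected_dir = KNOWN_SYSTEM_IMAGES.get(name)
    if expected_dir is not None:
        # Genuine name: it is only fine when it runs from the genuine location.
        return ("ok", name) if directory == expected_dir else ("wrong_path", name)
    closest = min(KNOWN_SYSTEM_IMAGES, key=lambda k: levenshtein(stem(name), stem(k)))
    if levenshtein(stem(name), stem(closest)) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


def scan(procs):
    """Everything that is not a genuine system image in its genuine location."""
    findings = []
    for p in procs:
        verdict, ref = classify(p)
        if verdict != "ok":
            findings.append((p.pid, p.image_path, verdict, ref))
    return findings


# Constructed process list mixing genuine, look-alike and misplaced images.
SAMPLE_PROCS = [
    Proc(4, r"C:\Windows\System32\svchost.exe"),
    Proc(1203, r"C:\Windows\System32\Svchost32.exe"),
    Proc(1311, r"C:\Users\bob\AppData\Local\Temp\Svhost.exe"),
    Proc(1400, r"C:\Users\bob\Downloads\svchost.exe"),
    Proc(1500, r"C:\Program Files\App\back.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCS):
        print(finding)
```

A name like back.exe comes out as "unknown" because it resembles nothing in the table; that is the honest answer, and it is why name matching belongs alongside signature scanning and code-signing checks rather than replacing them.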
Well-known trojan horses
• Back Orifice
• Back Orifice 2000
• NetBus
• SubSeven
• Downloader-EV
• Pest Trap
• AIDS
• Beast Trojan
• Bifrose
• Insurrection
• Optix Pro
• Poison Ivy
• ProRat
• Sub7
• EGABTR
• RemoteHAK
• A-311 Death
• A4zeta
• Abacab
• Acessor
• AcidBattery
• Acid Drop
• AcidHead
• Acid Kor
• Acidsena
• AcidShivers
• Acid Trojan Horse
• AckCmd
• Acojonaor
• Acropolis
• Admin.Troj.Kikzyurarse
• Advertiser Bot
• AeonwindDoll
• Afcore
• A-FTP
• AF
• Agent 40421
• AH
• Aibolit
• AIMaster
• AIM Filter
• AimFrame
• aim P
• Aim Password Stealer
• AIM Pws
• AimRat
• AIM Robber
• AIM Spy
• AIMVision
• AIR
• AirBot
• Akosch
• Aladino
• Al-Bareki
• Alcatraz
• Alerter
• AlexMessoMalex
• Alicia
• Alien Hacker
• Alien Spy
• Almaster
• Almetyevsk
• Almq
• Alex
• Alofin
• Alop
• Alph
• AlphaDog
• Alvgus
• Amanda
• Amiboide Uploader
• Ambush
• AmigaAnywhere
• Amitis
• Amoeba
• AMRC
• AMS
• Anal FTP
• Anal Ra
• AnarchoIntruder
• Andromeda
• A New Trojan
• Angelfire
• AngelShell
• Annoy Toys
• Anthena
• Anti Danger
• Anti-Denial
• AntiMks
• AntiPC
• AntiLamer Backdoor
• Anti MSN
• Antylamus
• AolAdmin
• Apdoor
• Aphex's FTP
• Aphex's Remote Packet Sniffer
• Aphex tunneld 2.0
• AppServ
• APRE
• Aqua
• Arcanum
• Area Control
• Ares Invader
• Armageddon
• arplhmd
• Arranca
• Arsd
• Artic
• Arturik
• AsbMay
• A.S.H.
• Ashley
• Ass4ss1n
• Assasin
• Asylum
• Atentator
• A-Trojan
• Attack FTP
• Atwinda
• AudioDoor
• Autocrat
• AutoPWN
• Autograph
• AutoSpY
• Avanzado
• Avone
• Ayan Bilisim
• Azrael
• BD Blade runner 0.80a
• Crazy Daisy
• Connect4
• Donald Dick
• Flatley Trojan
• Theef
• Twelve Tricks
Introduction to Cyber Crime
The first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage. In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!

Today computers have come a long way, with neural networks and nano-computing promising to turn every atom in a glass of water into a computer capable of performing a billion operations per second. Cyber crime is an evil having its origin in the growing dependence on computers in modern life. In a day and age when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers, cyber crime has assumed rather sinister implications. Major cyber crimes in the recent past include the Citibank rip-off. US $10 million were fraudulently transferred out of the bank and into a bank account in Switzerland. A Russian hacker group led by Vladimir Kevin, a renowned hacker, perpetrated the attack. The group compromised the bank's security systems. Vladimir was allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into Citibank computers. He was finally arrested at Heathrow airport on his way to Switzerland.
Defining Cyber Crime
At the onset, let us satisfactorily define "cyber crime" and differentiate it from "conventional crime". Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new-age crimes that are addressed by the Information Technology Act, 2000. Defining cyber crimes as "acts that are punishable by the Information Technology Act" would be unsuitable, as the Indian Penal Code also covers many cyber crimes, such as email spoofing, cyber defamation, sending threatening emails etc. A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the computer is either a tool or a target or both". Let us examine the acts wherein the computer is a tool for an unlawful act. This kind of activity usually involves a modification of a conventional crime by using computers. Some examples are:

Financial crimes
This would include cheating, credit card frauds, money laundering etc. To cite a recent case, a website offered to sell Alphonso mangoes at a throwaway price. Distrusting such a transaction, very few people responded to or supplied the website with their credit card numbers. These people were actually sent the Alphonso mangoes. The word about this website now spread like wildfire. Thousands of people from all over the country responded and ordered mangoes by providing their credit card numbers. The owners of what was later proven to be a bogus website then fled, taking the numerous credit card numbers, and proceeded to spend huge amounts of money, much to the chagrin of the card owners.
Cyber pornography
This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc). Recent Indian incidents revolving around cyber pornography include the Air Force Balbharati School case. A student of the Air Force Balbharati School, Delhi, was teased by all his classmates for having a pockmarked face. Tired of the cruel jokes, he decided to get back at his tormentors. He scanned photographs of his classmates and teachers, morphed them with nude photographs and put them up on a website that he uploaded on to a free web hosting service. It was only after the father of one of the class girls featured on the website objected and lodged a complaint with the police that any action was taken. In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear for obscene photographs. They would then upload these photographs to websites specially designed for paedophiles. The Mumbai police arrested the couple for pornography.
Sale of illegal articles
This would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and bulletin boards, or simply by using email communication. E.g. many of the auction sites even in India are believed to be selling cocaine in the name of 'honey'.

Online gambling
There are millions of websites, all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.
Intellectual Property crimes
These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc.

Email spoofing
A spoofed email is one that appears to originate from one source but actually has been sent from another source. E.g. Pooja has an e-mail address [email protected]. Her enemy, Sameer, spoofs her e-mail and sends obscene messages to all her acquaintances. Since the emails appear to have originated from Pooja, her friends could take offence and relationships could be spoiled for life. Email spoofing can also cause monetary damage. In an American case, a teenager made millions of dollars by spreading false information about certain companies whose shares he had short sold. This misinformation was spread by sending spoofed emails, purportedly from news agencies like Reuters, to share brokers and investors, who were informed that the companies were doing very badly. Even after the truth came out the values of the shares did not go back to the earlier levels, and thousands of investors lost a lot of money.
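A receiving mail server tells a spoofed sender apart from a genuine one by checking whether the visible From: domain is backed by an SPF or DKIM pass for the same domain (the alignment rule DMARC is built on). The block below is an added example, not code from the original page: it parses the Authentication-Results header of three constructed messages and reports whether the From: domain is aligned. The domains (`example.test`, `attacker.test`), the header values and the two-label organizational-domain assumption are constructed.

```python
"""DMARC-style alignment check over received headers (added example).

Decides whether a message's visible From: domain is backed by an SPF or DKIM
pass for that same domain. A spoofed mail may carry a valid SPF pass for the
spoofer's own envelope domain, so the pass alone is not enough: it has to be
aligned with the From: domain. All three messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

GENUINE = """\
From: Pooja <pooja@example.test>
To: friend@example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.test; dkim=pass header.d=example.test
Subject: Hello

hi
"""

SPOOFED = """\
From: Pooja <pooja@example.test>
To: friend@example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=attacker.test; dkim=none
Subject: Hello

not really from Pooja
"""

# SPF passes for the spoofer's own domain, but that domain is not Pooja's.
SPF_PASS_UNALIGNED = """\
From: Pooja <pooja@example.test>
To: friend@example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=attacker.test; dkim=none
Subject: Hello

still not from Pooja
"""


def from_domain(msg):
    """Domain part of the visible From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse 'method=result key=domain' clauses from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for clause in header.split(";")[1:]:      # first part is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)(?:\s+\S+=(\S+))?", clause.strip())
        if m:
            method, result, domain = m.groups()
            results[method] = (result, (domain or "").lower())
    return results


def organizational_match(a, b):
    """Relaxed alignment; assumes simple organizational domains."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_aligned(raw_message):
    """True when SPF or DKIM passed for a domain aligned with From:."""
    msg = message_from_string(raw_message)
    sender = from_domain(msg)
    results = auth_results(msg)
    for method in ("spf", "dkim"):
        result, domain = results.get(method, ("none", ""))
        if result == "pass" and organizational_match(sender, domain):
            return True
    return False


if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed", SPOOFED),
                       ("spf-pass-unaligned", SPF_PASS_UNALIGNED)]:
        print(label, "->", "aligned" if is_aligned(raw) else "NOT aligned")
```

The third message is the case practitioners most often get wrong: an SPF "pass" in the header looks reassuring, but it vouches for the envelope sender the spoofer controls, not for the From: line the recipient sees.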
Forgery
Counterfeit currency notes, postage and revenue stamps, mark sheets etc. can be forged using sophisticated computers, printers and scanners. Outside many colleges across India, one finds touts soliciting the sale of fake mark sheets or even certificates. These are made using computers and high-quality scanners and printers. In fact, this has become a booming business involving thousands of Rupees being given to student gangs in exchange for these bogus but authentic-looking certificates.
Cyber Defamation
This occurs when defamation takes place with the help of computers and/or the Internet. E.g. someone publishes defamatory matter about someone on a website or sends emails containing defamatory information to all of that person's friends. In a recent occurrence, Surekha (names of people have been changed), a young girl, was about to be married to Suraj. She was really pleased because, despite it being an arranged marriage, she had liked the boy. He had seemed to be open-minded and pleasant. Then, one day when she met Suraj, he looked worried and even a little upset. He was not really interested in talking to her. When asked, he told her that members of his family had been receiving e-mails that contained malicious things about Surekha's character. Some of them spoke of affairs which she had had in the past. He told her that his parents were justifiably very upset and were also considering breaking off the engagement. Fortunately, Suraj was able to prevail upon his parents and the other elders of his house to approach the police instead of blindly believing what was contained in the mails. During investigation, it was revealed that the person sending those e-mails was none other than Surekha's stepfather. He had sent these emails so as to break up the marriage. The girl's marriage would have caused him to lose control of her property, of which he was the guardian till she got married. Another famous case of cyber defamation occurred in America. All friends and relatives of a lady were beset with obscene e-mail messages appearing to originate from her account. These mails were giving the lady in question a bad name among her friends. The lady was an activist against pornography. In reality, a group of people displeased with her views and angry with her for opposing them had decided to get back at her by using such underhanded methods. In addition to sending spoofed obscene e-mails, they also put up websites about her that basically maligned her character and sent e-mails to her family and friends containing matter defaming her.
Cyber stalking
The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the chat-rooms frequented by the victim, constantly bombarding the victim with emails etc.
Index
• IP Address
• Default Router Password
• Net BIOS
• Mobile Hacking
Special attraction
Government, military and intelligence IP ranges.
RANGE 6
6.* - Army Information Systems Center
RANGE 7
7.*.*.* - Defense Information Systems Agency, VA
RANGE 11
11.*.*.* - DoD Intel Information Systems, Defense Intelligence Agency, Washington DC
RANGE 21
21. - US Defense Information Systems Agency
RANGE 22
22.* - Defense Information Systems Agency
RANGE 24
24.198.*.*
RANGE 25
25.*.*.* - Royal Signals and Radar Establishment, UK
RANGE 26
26.* - Defense Information Systems Agency
RANGE 29
29.* - Defense Information Systems Agency
RANGE 30
30.* - Defense Information Systems Agency
RANGE 49
49.* - Joint Tactical Command
RANGE 50
50.* - Joint Tactical Command
RANGE 55
55.* - Army National Guard Bureau
RANGE 128
128.51.0.0 - Department of Defense
128.56.0.0 - U.S. Naval Academy
128.60.0.0 - Naval Research Laboratory
128.63.0.0 - Army Ballistics Research Laboratory
128.80.0.0 - Army Communications Electronics Command
128.98.0.0 - 128.98.255.255 - Defence Evaluation and Research Agency
128.102.0.0 - NASA Ames Research Center
128.149.0.0 - NASA Headquarters
128.154.0.0 - NASA Wallops Flight Facility
128.155.0.0 - NASA Langley Research Center
128.156.0.0 - NASA Lewis Network Control Center
128.157.0.0 - NASA Johnson Space Center
128.158.0.0 - NASA Ames Research Center
128.159.0.0 - NASA Ames Research Center
128.160.0.0 - Naval Research Laboratory
128.161.0.0 - NASA Ames Research Center
128.183.0.0 - NASA Goddard Space Flight Center
128.190.0.0 - Army Belvoir Research and Development Center
128.202.0.0 - 50th Space Wing
128.216.0.0 - MacDill Air Force Base
128.236.0.0 - U.S. Air Force Academy
RANGE 129
129.23.0.0 - Strategic Defense Initiative Organization
129.29.0.0 - United States Military Academy
129.50.0.0 - NASA Marshall Space Flight Center
129.51.0.0 - Patrick Air Force Base
129.52.0.0 - Wright-Patterson Air Force Base
129.165.0.0 - NASA Goddard Space Flight Center
129.166.0.0 - NASA - John F. Kennedy Space Center
129.167.0.0 - NASA Marshall Space Flight Center
129.168.0.0 - NASA Lewis Research Center
129.190.0.0 - Naval Underwater Systems Center
129.198.0.0 - Air Force Flight Test Center
129.209.0.0 - Army Ballistics Research Laboratory
129.229.0.0 - U.S. Army Corps of Engineers
129.251.0.0 - United States Air Force Academy
RANGE 130
130.40.0.0 - NASA Johnson Space Center
130.90.0.0 - Mather Air Force Base
130.109.0.0 - Naval Coastal Systems Center
130.114.0.0 - Army Aberdeen Proving Ground Installation Support Activity
130.124.0.0 - Honeywell Defense Systems Group
130.165.0.0 - U.S. Army Corps of Engineers
130.167.0.0 - NASA Headquarters
RANGE 131
131.6.0.0 - Langley Air Force Base
131.10.0.0 - Barksdale Air Force Base
131.17.0.0 - Sheppard Air Force Base
131.21.0.0 - Hahn Air Base
131.22.0.0 - Keesler Air Force Base
131.24.0.0 - 6 Communications Squadron
131.25.0.0 - Patrick Air Force Base
131.32.0.0 - 37 Communications Squadron
131.35.0.0 - Fairchild Air Force Base
131.36.0.0 - Yokota Air Base
131.37.0.0 - Elmendorf Air Force Base
131.38.0.0 - Hickam Air Force Base
131.39.0.0 - 354CS/SCSN
131.40.0.0 - Bergstrom Air Force Base
131.44.0.0 - Randolph Air Force Base
131.46.0.0 - 20 Communications Squadron
131.47.0.0 - Andersen Air Force Base
131.50.0.0 - Davis-Monthan Air Force Base
131.52.0.0 - 56 Communications Squadron /SCBB
131.54.0.0 - Air Force Concentrator Network
131.56.0.0 - Upper Heyford Air Force Base
131.58.0.0 - Alconbury Royal Air Force Base
131.59.0.0 - 7 Communications Squadron
131.61.0.0 - McConnell Air Force Base
131.62.0.0 - Norton Air Force Base
131.74.0.0 - Defense MegaCenter Columbus
131.84.0.0 - Defense Technical Information Center
131.92.0.0 - Army Information Systems Command - Aberdeen (EA)
131.105.0.0 - McClellan Air Force Base
131.110.0.0 - NASA/Michoud Assembly Facility
131.120.0.0 - Naval Postgraduate School
131.121.0.0 - United States Naval Academy
131.122.0.0 - United States Naval Academy
131.176.0.0 - European Space Operations Center
131.182.0.0 - NASA Headquarters
131.250.0.0 - Office of the Chief of Naval Research
RANGE 132
132.3.0.0 - Williams Air Force Base
132.6.0.0 - Ankara Air Station
132.9.0.0 - 28th Bomb Wing
132.10.0.0 - 319 Comm Sq
132.11.0.0 - Hellenikon Air Base