h3%5kr3w Posted April 18, 2009

OK, so after the stupidity that is the "h3y h0w d0 1 run @ d055 @77@ck" thread, I was wondering: after you found out how to DoS a network or computer, did you do it on your own network, and if so, what were the end results?

I did this on my home network (to my wife's computer, hehehhe, and to my Linksys router). Here's the funny thing. I was doing an extended ping out the network on both machines at the same time that I was doing the DoS from my desktop computer, just to see what the performance issue on one computer would be. ***Mind you, I did this twice. The first time was @ a closed network state to ensure there was no accidental outbound traffic on the WAN (hence would not be making my ISP happy..), and the second time with an open network state so that I could see how internet inbound performance was hit.***

Here's what happened:

Wife's Dell (XPS 200, Intel Pentium D @ 2.8GHz stock, built-in 10/100 Ethernet card): Severe slowdown, processor heat jumped through the roof, and the fan whirling ensued greatly... Windows XP itself rolled down to a halt, much less being able to browse (IE would not open).

Linksys router WRT54G v6: No overclocking - small degradation of routing/switching performance @ best. Did a damn fine job of dealing with it in my book compared to my wife's computer.. *Also I was/am running DD-WRT on it instead of stock firmware.* No special settings in the router.

My desktop: AMD Athlon X2 5600+ running @ 2.8GHz, 2mb gskill mem - Internet slowed down for my compy. The proc heated about 7 degrees F, but Windows was running fine. (BTW, I was/am using Windows Vista of all damnation..)

Ending note: slower computers/servers can be hit damn hard by a single computer with a decent connection doing a DoS attack. Linksys router = good. Newer or more powerful computers = yah.. you would know...

So what have your results been in this type of thing?
Mind you, since of course I don't have myself a frame relay router w/ outbound DSL connection, telco sim software, etc., I can't test the inbound WAN part of my router (modem is in bridged mode so the Linksys takes care of everything else), and it was all on 100Mbps Ethernet, but it seems a single computer trying to do a DoS doesn't do so well (hence, I know... DDoS), but it is interesting in the behavior different pieces of equipment have that comes from a DoS. Hmm.. DoS the Wii, wireless printer, or DS next? lol
shonen Posted April 18, 2009

I am assuming you used net tools for this? Great post by the way. I have done some brief reading on what little I can find about DoS and the shit is really interesting from a networking perspective. If any of you have some informative reading material or tutorials I would most appreciate some linkage. I hear SYN attacks work rather well, but so far my understanding of it is rather limited other than how it exploits some of the fundamentals of the TCP/IP 3-way handshake. I may have to do some googling and try and find a tool to attack my LAB setup.

DoS 1 take 1: We were running a simulated environment in my networking class. x2 Cisco 2500 routers and I think it was x2 3600 series switches, 1 Win2k server with IIS enabled/demo web page running in a VM, 1 WinXP client and my laptop. The object was to block my laptop via an extended access list in the 2500 router. I figured fuck this, I ain't getting blocked without a solid reason, so I fired up nettools prior to the ACL being applied and UDP and HTTP flooded the Win2k server first off for some lulz. The guys on the server took a massive performance hit and at first couldn't work out what was going on until I mentioned to run a netstat. lol, it took a great deal of time for cmd to open, let alone for it to list the number of connections established. We didn't check it as in depth as your above posting due to the painful amount of lag on the server. I then took aim at one of the 2500 routers, which handled the flood with ease and didn't cause any issues whatsoever.

DoS 2 take 2: Thanks to the enthusiasm displayed by my classmates from the successful attack on the server mentioned above, our teacher was kind enough to demo a different type of network attack. We used the same setup as mentioned above, but instead of 2 clients we fired up a total of 40 XP clients (every computer in the room).
Basically he used telnet to connect to the 2500 router and pinged the broadcast address over and over. The result was all machines on the network replying to that ping, which as you could imagine generated a fuck load of traffic and brought speeds to a crawl. Connections to our demo web page kept on timing out etc. (can't remember the full results due to it happening early last semester).

DoS 3 take 3: I mentioned a couple of days ago that I was messing with my classmate's SpeedStream modem/router in here. One of the things I did was flood the bugger with some of the stuff available in nettools. Oddly enough, my single computer + my shitty upload speeds doing a UDP flood was enough for him to notice a substantial speed reduction. Even stranger was after 5 minutes of this attack he dropped offline. Shortly after I got a phone call where he told me he couldn't even log into the web-based GUI for configuration even though I stopped the flood after he dropped off MSN. Apparently he had to re-flash the firmware to get it all to work again. I fail to see how a UDP flood fucks firmware and am at a loss to even explain it.... maybe his shit just glitched up.
h3%5kr3w (Author) Posted April 18, 2009

Gotta roll to work real quick. Yah, I used nettools for it. I'll post some stuff l8r.
pritchard9 Posted April 18, 2009

Don't know if this really counts, but I tried to brute-force my router once, for a laugh. After a while my wireless reception started dying, and eventually conked, and was refusing access to its GUI. Went into my main computer room, looked at the BTHub and it looked fine, 'cept nothing could connect to the internet. It took about 10 resets, and leaving it be for about half an hour, until it started working again. I'm a bit of a noob, so I was bloody bricking it. After it was up and running again, it failed on me another 3 times, but has been running fine since.
shonen Posted April 18, 2009

Interesting, so it's not just DoS attacks that mess with some modem/routers and cause them to seize up. I may have to give your brute forcing suggestion a whirl on my own gear just as soon as I can be bothered. I figured you used net tools, hex, it's a nice lil package. I am assuming you ran the UDP flood against your gear? By the way, what size packets were you sending out?
h3%5kr3w (Author) Posted April 18, 2009

It is strange that things like that happen, but I wonder if maybe it is an underlying overheating or under-cooling issue that generally would not be an issue at a standard processing rate. I'm not sure at all how the UDP flood works, unless it is the UDP with limited error correction, so it chokes it when it's trying to send back the UDP ECC bit or something. I believe a lot of it may have to do with just the raw power of your hardware and how many other things are going on on it at the same time. Mind you, of course most routers and switches are hardware based, where with computers, it has to go through the OSI up and down, and is software based. So maybe this is why it is such an issue with desktops as opposed to a router. I am curious though how something very low powered and highly software-run such as the Wii or DS would run if in fact it was hit.

ALSO! Strangely enough, my printer is running a web interface?! (It was nowhere in the book for it and I just never thought to look and see if there was an interface for it.) Here's my question: could there be a vulnerability in a wireless printer, and if so, could it be exploited to gain wifi access to a network? Just a thought.

As far as the details go, I'll be honest, I can't remember; it has been a good while since I did this, but I'll gather what I can.
shonen Posted April 18, 2009

Now that you mention it, you are more than likely right about the glitching being a hardware related issue over something so trivial such as overheating or power. Usually the simplest explanations are the correct ones. WTF? Printers have web GUIs? That's certainly the first I have heard of it. Yeap, it's been that long since I purchased a printer. I guess it makes sense if you have a wireless based one, seeing as you would need to insert a network key for it somewhere.
h3%5kr3w (Author) Posted April 18, 2009

"Usually the simplest explanations are the correct ones."

Only when you don't think it's the simplest explanation....(my luck anyway)

Well, yah, my printer does have a web GUI, and it's administrative too! Pretty extensible actually. I need to check into it. Maybe I can wget everything off of it and see how it works. (lol Linux logging printer :P)
shonen Posted April 19, 2009

That's pretty cool, what shit does it allow you to configure through the GUI? Screen dump perhaps?
decepticon_eazy_e Posted April 19, 2009

I had to troubleshoot a router for a client one time. They complained that it locked up or died a couple times a day. After some debug captures, it turns out they were a victim of a SYN attack/flood. This was a medical insurance company, so the uptime was pretty critical. It was interesting to see this all in action, on a larger scale than my own house. My DoS'ing at home never goes very well, gigabit switch with 3 PCs. The switches and Linksys router handle it all perfectly.

Anyways, the resolution was that I told that company to get a real firewall instead of a NAT router. A Cisco ASA router is immune to SYN attacks due to the adaptive sec algorithm; it doesn't hold open the TCP connection and respond to every possible SYN packet. A typical Cisco router does. You can't ACL that off because a SYN is part of a legitimate transaction and needs to stay open. Not much you can do to mitigate that kind of attack.

*End of the story is they bought the lowest router capable (and supported by Cisco) of doing what they needed, 2691. To my knowledge they still have it, and still have to remote in twice a day to reboot the router. That was over a year ago. No firewalls in the entire company, only NAT routers.
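What the netstat check shonen ran during the flood and the SYN backlog decepticon_eazy_e describes look like when scripted as a detection, as an added example that is not from any poster in this thread. The netstat lines are constructed, and the half-open threshold is an assumption:

```python
"""Spot SYN-flood symptoms in a netstat snapshot (added example, not from the
thread). A flooded listener shows many half-open SYN_RECV entries and few
ESTABLISHED ones. The sample lines below are constructed, not captured."""
import re
from collections import Counter

# Constructed `netstat -an` style snapshot of a web server at 192.168.1.10.
SAMPLE_NETSTAT = """\
Proto Local Address          Foreign Address        State
tcp   0.0.0.0:80             0.0.0.0:*              LISTEN
tcp   192.168.1.10:80        192.168.1.20:51522     ESTABLISHED
tcp   192.168.1.10:80        10.9.8.7:1025          SYN_RECV
tcp   192.168.1.10:80        10.9.8.7:1026          SYN_RECV
tcp   192.168.1.10:80        10.9.8.7:1027          SYN_RECV
tcp   192.168.1.10:80        172.16.0.5:40001       SYN_RECV
tcp   192.168.1.10:22        192.168.1.30:55100     ESTABLISHED
"""

LINE_RE = re.compile(r"^tcp\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s*$", re.MULTILINE)
HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}  # Linux and Windows spellings


def parse_netstat(text):
    """Yield (local_port, remote_host, state) for each TCP row."""
    for local, remote, state in LINE_RE.findall(text):
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state


def syn_flood_report(text, max_half_open=3):
    """Per local port, count half-open vs established connections and list the
    sources behind the half-open ones. A port is marked suspicious when
    half-open entries exceed max_half_open (assumed threshold) and outnumber
    established ones, the backlog-filling pattern described in the thread."""
    per_port = {}
    for port, host, state in parse_netstat(text):
        entry = per_port.setdefault(port, {"half_open": 0, "established": 0,
                                           "sources": Counter()})
        if state in HALF_OPEN:
            entry["half_open"] += 1
            entry["sources"][host] += 1
        elif state == "ESTABLISHED":
            entry["established"] += 1
    return {
        port: {
            "half_open": e["half_open"],
            "established": e["established"],
            "top_sources": e["sources"].most_common(3),
            "suspicious": e["half_open"] > max_half_open
                          and e["half_open"] > e["established"],
        }
        for port, e in per_port.items()
    }


if __name__ == "__main__":
    for port, info in sorted(syn_flood_report(SAMPLE_NETSTAT).items()):
        print(port, info)
```

Port 80 comes out suspicious (4 half-open against 1 established, mostly from one source); port 22 does not.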
h3%5kr3w (Author) Posted April 20, 2009

@decepticon_eazy... so they still have to reboot 2 times a day? What's up with that?

Well, it was rather crazy how extensible the interface is for this printer, seeing as it's not some super hot shot made-for-office printer (or maybe it kinda is, but not that expensive). Check the screenshots! FTW?! Notice in the last picture, didn't notice it till now, "enable ftp"??? Wow.. I really gotta check out all the options on this thing (it does have a USB connection... could it have an FTP server built in to stream pictures?!)

Hmm.. did an ftp://ipaddress on it, and no shit, it's running an FTP server... wow. This is cool. I got to see how to crack into this thing now.

OK, so so far the only thing I have been able to do to get into it is to use WinSCP with the FTP option (which I know does no good @ this point), but with WinSCP you can pass commands. Strangely enough, it seems to take any user name and password to get into it, but it only shows 2 directories and one file. The two directories (as the program gives) are / and /prt0, and it has the same file in both directories marked as -a. Hmm.. but it doesn't seem to be taking any standard Linux commands, but at the same time, since I'm probably just talking to the FTP server itself anyway at this time, it's pointless... It refuses standard SSH and telnet connections as far as I can see. Any suggestions? I'm thinking if I can tap into this thing and find out more stuff that it can do, I think I got a good idea what I can present at PhreakNIC!
decepticon_eazy_e Posted April 20, 2009

"@decepticon_eazy... so they still have to reboot 2 times a day? What's up with that?"

Their buffer on the outside FastEthernet port fills up with SYN connections and becomes unusable, and stops taking connections. They remote in to a server outside the router and go through the serial connection to issue a reboot. Yup, their management doesn't see the need to allocate funds to IT for better equipment, so that's that. I wash my hands of the problem.

I read an article a while back about JetDirect HP hacking in 2600. Very interesting stuff, they found most printers have an FTP directory for downloading and holding firmware. Then it pulls the new firmware off that directory during the reboot. Do a packet capture during a firmware update and see what it's doing, maybe you can hijack that and put some custom firmware on it. They also found that the OS had a Java server running on it, which opened up more possibilities. Do a full (1-65535) TCP scan with Nmap and see if any other ports are open.

Also, if you have a scanner on that printer, it probably can hold the images there for later download. The big high end ones do, they save the scans as raw images and can convert them to PDFs. I had an interesting weekend at a hotel looking through the office printer they had. They had scanned time cards, insurance forms, passports of the workers, etc. Also, checks for deposit. TONS of good stuff. I saved it all somewhere, never did anything with it (honest!!). I just wanted to show some friends when I got home. I think printers might become the new security hole...
decepticon_eazy_e Posted April 20, 2009

"I think printers might become the new security hole..."

Double posty goodness! I got curious, so I scanned my own. This is an HP C6180 (fax, scanner, wireless, mem card reader).

    PORT     STATE SERVICE     VERSION
    80/tcp   open  http        HP PhotoSmart 8450 printer http config (Virata embedded httpd 6_0_1)
    139/tcp  open  netbios-ssn?
    6839/tcp open  tcpwrapped
    7435/tcp open  tcpwrapped
    9100/tcp open  jetdirect?
    9101/tcp open  jetdirect?
    9102/tcp open  jetdirect?
    9110/tcp open  unknown
    9220/tcp open  unknown
    9290/tcp open  unknown
    9500/tcp open  unknown

Port 139 gives me the file share to the mem card, pretty nice way to get at it actually. The JetDirect is pretty straightforward, but I have no idea what the other stuff goes to!
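The scan above, parsed into an inventory and sorted against an assumed printer baseline, as an added example that is not decepticon_eazy_e's code. The expected-port set is an assumption for illustration, not an HP specification; the "?" nmap appends to a service name means it was guessed from the port number, which is why those ports get their own bucket:

```python
"""Parse an nmap port table and sort a printer's open ports into expected,
unexpected and unidentified (added example, not from the thread). NMAP_OUTPUT
is the scan posted above; the expected-port baseline is an assumption."""
import re

NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
80/tcp   open  http        HP PhotoSmart 8450 printer http config (Virata embedded httpd 6_0_1)
139/tcp  open  netbios-ssn?
6839/tcp open  tcpwrapped
7435/tcp open  tcpwrapped
9100/tcp open  jetdirect?
9101/tcp open  jetdirect?
9102/tcp open  jetdirect?
9110/tcp open  unknown
9220/tcp open  unknown
9290/tcp open  unknown
9500/tcp open  unknown
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Assumed baseline: web config UI plus the raw JetDirect print queues.
EXPECTED_PRINTER_PORTS = {80, 9100, 9101, 9102}


def parse_nmap(text):
    """Return one dict per port row. nmap appends '?' to a service name it
    guessed from the port number without a confirming probe response."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service.rstrip("?"),
                     "confirmed": not service.endswith("?"),
                     "version": (version or "").strip()})
    return rows


def review_printer(rows, expected=EXPECTED_PRINTER_PORTS):
    """Bucket open ports as 'expected' (in the baseline), 'unidentified' (nmap
    could not name it; capture its traffic before trusting it) or 'unexpected'
    (a named service the device should not need, such as SMB on 139)."""
    review = {}
    for r in rows:
        if r["state"] != "open":
            continue
        if r["port"] in expected:
            bucket = "expected"
        elif r["service"] in ("unknown", "tcpwrapped"):
            bucket = "unidentified"
        else:
            bucket = "unexpected"
        review.setdefault(bucket, []).append(r["port"])
    return review
```

For this scan the review flags 139 as an unexpected named service and leaves six ports unidentified, which is exactly the set a packet capture would need to explain.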
h3%5kr3w (Author) Posted April 20, 2009

Awesomesauce! My nmap looks a lot like yours minus three of the JetDirects and the tcpwrapped ports, and the netbios-ssn port. Wow, netbios?? Hmm... Could it be booted with remote firmware?! This is very interesting.. maybe if I booted it with my USB key connected it would open the port for it. Mine also has the mem card reader. I think we're on to something awesome here.
h3%5kr3w (Author) Posted April 21, 2009

**double post**

OK, so I do have one port that nmap questions as a JetDirect port. Seemingly enough, the only info I could find for Lexmark is this port is used to send raw docs that up copy to the FTP server, it prints the docs and then deletes it off the FTP... Linux printing for Lexmark anyone? (pffft. finally....)

OK, so Net Tools' simple fast port scanner found more ports?!

    80
    110 *POP
    119 *Network News Transfer Protocol
    143 *Internet Message Access Protocol
    8000
    9100
    10000

nmap came up with 80, 8000, 9100, and 10000, but the rest? Hmmm... so 110 is for POP? This is rather odd. Maybe something special in the software though.
decepticon_eazy_e Posted April 22, 2009

"OK, so I do have one port that nmap questions as a JetDirect port. [...] nmap came up with 80, 8000, 9100, and 10000, but the rest? Hmmm... so 110 is for POP? This is rather odd. Maybe something special in the software though."

I think it's time to put a sniffer on that and see if those ports get used, and where they go. Maybe it calls home?
h3%5kr3w (Author) Posted April 22, 2009

Well... nothing much came up when I did a Wireshark on it while printing. Maybe if I let it go for a while we'll see if it tries to poll home or something.
kickarse Posted April 29, 2009

What are you guys running to do your scans?
shonen Posted April 30, 2009

There can be only one! NMAP
kickarse Posted April 30, 2009

"There can be only one! NMAP"

lol, of course. I didn't know if you guys were using "corporate" pay-for type apps/netappl. I had to buy a freakin' feed license for Nessus Professional. No more freebies for corporate :( Have you guys tried mirroring a port on your switch and running Wireshark in prom.?