The Unofficial NT Hack FAQ



Section 08

Denial of Service

08-1. What is "Denial of Service"?
08-2. What is the Ping of Death?
08-3. What is a SYN Flood attack?
08-4. What can telnet give me in the way of denial of service?
08-5. What can I do with Samba?
08-6. How do I lock out others from files?
08-7. What's with ROLLBACK.EXE?
08-8. What is an OOB attack?
08-9. Are there any other denial of service attacks?

08-1. What is "Denial of Service"?

Denial of Service (DOS) is simply rendering a service offered by a workstation or server unavailable to others. This is a controversial subject, since some people think that DOS is not a hack, or rather juvenile and petty. While I can't think of very many reasons why you might want to engage in DOS, I still will continue to include this type of material in Hack FAQs. What is more sad -- the fact that I include them, or the fact that there are so many of them?

Reasons that a hacker might want to resort to DOS might include the following:

Reasons that a Sys Admin might use DOS:


08-2. What is the Ping of Death?

The Ping of Death is an oversized ICMP packet sent by a workstation to a target. The target receives the ping in fragments and starts reassembling the packet. However, once reassembled the packet is larger than the receiving buffer and overflows it. This causes unpredictable results, such as reboots or hangs.

Windows 95 and Windows NT are capable of sending such a packet. By simply typing in "ping -165527 -s 1 <target>" you can send such a ping. There are also source code examples available for Unix platforms that allow large ping packets to be constructed. These sources are freely available on the Internet.

Only NT 3.51 WITHOUT the latest service pack is vulnerable. NT 4.0 does not seem to suffer from Ping of Death.
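The defensive side of the overflow described above, as an added example that is not part of the FAQ: the bounds check a receiving IP stack must apply during reassembly, since a fragment's claimed offset plus payload can exceed the 65,535-byte datagram maximum. Function names and the fragment trains are assumptions constructed for this illustration.

```python
# Added example, not from the FAQ: the reassembly bounds check that a
# receiving IP stack needs in order to survive a Ping of Death.  Fragment
# offsets are carried in 8-byte units; a sender can claim an offset and
# payload whose sum exceeds the 65,535-byte maximum IP datagram.

MAX_IP_DATAGRAM = 65535          # 16-bit total-length field
MAX_FRAG_OFFSET_UNITS = 8191     # 13-bit fragment-offset field


def fragment_end(offset_units, payload_len):
    """Byte offset just past this fragment's data inside the datagram."""
    return offset_units * 8 + payload_len


def accept_fragment(offset_units, payload_len, more_fragments):
    """True if the fragment may be copied into a 65,535-byte reassembly buffer.

    Rejects empty fragments, impossible offsets, non-final fragments whose
    payload is not a multiple of 8, and any fragment whose end would land
    past the buffer (the overflow behind the Ping of Death).
    """
    if payload_len <= 0 or offset_units < 0 or offset_units > MAX_FRAG_OFFSET_UNITS:
        return False
    if more_fragments and payload_len % 8 != 0:
        return False
    return fragment_end(offset_units, payload_len) <= MAX_IP_DATAGRAM


def reassemble_size(fragments):
    """fragments: iterable of (offset_units, payload_len, more_fragments).

    Returns the reassembled datagram length, or None if any fragment fails
    the bounds check (the whole datagram is then dropped).
    """
    end = 0
    for offset_units, payload_len, more in fragments:
        if not accept_fragment(offset_units, payload_len, more):
            return None
        end = max(end, fragment_end(offset_units, payload_len))
    return end


# Constructed fragment trains (not captured traffic).
NORMAL_PING = [(0, 64, False)]                  # one small ICMP echo
# 1480-byte fragments covering bytes 0..65119, then a final fragment that
# claims to end at byte 66600, past the datagram maximum.
OVERSIZED_PING = [(i * 185, 1480, True) for i in range(44)] + [(8140, 1480, False)]
```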


08-3. What is a SYN Flood attack?

In the TCP/IP protocol, a three-way handshake takes place when a service is connected to. First comes a SYN packet from the client, to which the service responds with a SYN-ACK. Finally the client responds to the SYN-ACK and the conversation is considered started.

A SYN Flood attack is when the client does not respond to the SYN-ACK, tying up the service until the half-open connection times out, and keeps sending SYN packets. The source address of the client is forged to a non-existent host, and as long as SYN packets arrive faster than the TCP stack's timeout for half-open connections expires them, the resources of the service will be tied up.

This is a simplified version of what exactly happens. For more elaborate details and sample Linux code for creating a flood, see Phrack 48 file 13 by daemon9.

Windows NT 3.51 is vulnerable unless a new version of the drivers has been loaded. Version 4.0 requires the latest service pack.
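A way to spot the half-open backlog described above on the server side, as an added example that is not part of the FAQ: it reads "netstat -an" style output, counts SYN_RECEIVED rows per listening port, and reports how many distinct source addresses they come from, since a flood from forged addresses looks like many sources with one half-open connection each. The sample output, threshold and function names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the FAQ: a monitor over "netstat -an" style output
# that counts half-open (SYN_RECEIVED) connections per listening port.  A
# SYN flood shows up as a large SYN_RECEIVED backlog spread across many
# distinct (usually forged) source addresses.  The input below is constructed.

SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    10.0.0.5:80            203.0.113.7:4242       ESTABLISHED",
     "  TCP    10.0.0.5:139           203.0.113.9:1100       ESTABLISHED",
     "  TCP    10.0.0.5:139           203.0.113.9:1101       SYN_RECEIVED"]
    # eight half-open connections to port 80, each from a different host
    + [f"  TCP    10.0.0.5:80            198.51.100.{i}:1025      SYN_RECEIVED"
       for i in range(1, 9)]
)

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def half_open_by_port(netstat_text):
    """Map local_port -> (half-open count, distinct remote hosts)."""
    counts = Counter()
    hosts = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "SYN_RECEIVED":
            port = int(m.group(2))
            counts[port] += 1
            hosts[port].add(m.group(3))
    return {p: (counts[p], len(hosts[p])) for p in counts}


def syn_flood_suspects(netstat_text, threshold=5):
    """Ports whose half-open backlog reaches `threshold`.

    Returns {port: {"half_open": n, "distinct_sources": m}}.  Distinct
    sources close to the half-open count is the forged-source pattern the
    FAQ describes, as opposed to one slow or broken client.
    """
    result = {}
    for port, (n, m) in half_open_by_port(netstat_text).items():
        if n >= threshold:
            result[port] = {"half_open": n, "distinct_sources": m}
    return result
```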


08-4. What can telnet give me in the way of denial of service?

There are several DOS attacks involving a simple telnet client that can be used against an NT server.

First, telnetting to port 53, 135, or 1031, typing in about 10 or so characters, and hitting enter will cause problems. If DNS (port 53) is running, DNS will stop. If 135 answers, the CPU utilization will increase to 100%, slowing performance. And if port 1031 is hit, IIS will get knocked down. Typically the fix is to reboot the server, as it will be hung or so slow as to render it useless.

Telnetting to port 80 and typing "GET ../.." will also crash IIS.

If the latest service pack is loaded the attack will not work.


08-5. What can I do with Samba?

Don't get me started ;-)

As far as DOS, if you connect with Samba to a 3.X NT server that does not have the latest service pack loaded, you can send it "DIR ..\" and crash it.

For a little bit on Samba, see section 06-4.


08-6. How do I lock out others from files?

Consider a variation of this source being added to a virus-like program:


/* lock.c written by Paul Ashton */
#include <windows.h>
#include <stdlib.h>   /* exit() */

int main(int ac, char *av[])
{
  HANDLE fp;

  if (ac < 2)
    return 1;         /* usage: lock <file> */

  /* Share mode 0: no other process may open the file, even for
     reading, while this handle is held. */
  fp = CreateFile(av[1], FILE_READ_DATA, 0, 0, OPEN_EXISTING, 0, 0);

  if (fp == INVALID_HANDLE_VALUE)
    exit(GetLastError());

  Sleep(60000);       /* hold the file for 60 seconds */
  CloseHandle(fp);
  return 0;
}

Passing a file name to the above code will lock it for 60 seconds. Imagine an intruder locking various components of a logging facility from a limited-use account to attack the Administrator...


08-7. What's with ROLLBACK.EXE?

If the file ROLLBACK.EXE is executed, the registry can be wiped. You must re-install or do a complete restore if this happens to you. Sys Admins will probably want to remove this file. Renamed, it makes for one hell of a nasty trojan.

It is reportedly possible to lock onto a port, say like port 19, and when the server crashes and comes up ROLLBACK.EXE will start trying to unlock the port and subsequently opens up the registry for anyone to wipe it. I was unsuccessful in getting this to happen in the lab, but probably because I find DOS attacks rather lame I didn't try very hard to get it to work. But others claim it can happen, so keep it in mind.


08-8. What is an OOB attack?

This attack is fairly simple, and a fair amount of source code is available. Basically it involves sending an out-of-band message to a Windows operating system. Typically port 139 is used. This was patched with SP3 and a Hot Fix but apparently with a little monkeying around with the code you can get around this.

This DOS is very popular, mainly because of the wide variety of implementations of sockets. I've seen Unix and Windows NT versions of code, an implementation in Perl, and even an implementation using the Rexx Socket APIs on OS/2.

If you are so inclined, try a web search for "winnuke" which will get you probably a thousand locations with the code.


08-9. Are there any other denial of service attacks?

If a domain user logs onto the console, creates a file and removes its permissions, it is possible that another user can log onto the console and delete the file. Microsoft is working on a patch. The problem affects all versions of NT. However, this isn't what I'd consider "denial of service" as it is more like denial of a file. Depending on the file, though, it could be used as DOS. See the last paragraph of section 06-3 for details.

If you are running smbmount with version 2.0.25 of Linux, you can crash an NT server. smbmount is intended to be run on Linux 2.0.28 or higher, so it doesn't work right on 2.0.25. You also need a legit user account. Running as root, typing "smbmount //target/service /mnt -U client_name" followed by "ls /mnt" will hang the shell on Linux (no biggie) and blue screen the target server (biggie).

The final DOS I'm aware of involves Microsoft's DNS on NT 4.0 server. If you send it a DNS response when it did not make a query, DNS will crash. The latest service pack fixes this problem.
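The check a DNS service needs in front of its parser to survive the unsolicited-response case just described, as an added example that is not the FAQ's or Microsoft's code: it reads the fixed DNS header, and only hands a response onward if its transaction ID matches a query the server itself has outstanding to that peer. The class and function names, the upstream address and the packets are constructed assumptions.

```python
import struct

# Added example, not from the FAQ: a response gate of the kind a DNS server
# needs in front of its parser.  The NT 4.0 crash described above was
# triggered by a response to a query the server never sent, so the check is
# "is this a response, and does its transaction ID match a query we have
# outstanding to this peer?".  Packets below are constructed, not captured.

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def parse_header(packet):
    """Return (transaction_id, is_response) from the fixed 12-byte header."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags = DNS_HEADER.unpack_from(packet)[:2]
    return ident, bool(flags & 0x8000)     # QR is the top bit of the flags word


def build_packet(ident, is_response, qdcount=1, ancount=0):
    """Minimal header-only packet for the examples (no question section)."""
    flags = 0x8000 if is_response else 0x0000
    return DNS_HEADER.pack(ident, flags, qdcount, ancount, 0, 0)


class ResponseGate:
    """Remembers outstanding queries so inbound responses can be matched."""

    def __init__(self):
        self.pending = set()             # (peer, transaction id)

    def sent_query(self, packet, peer):
        ident, is_response = parse_header(packet)
        if not is_response:
            self.pending.add((peer, ident))

    def classify(self, packet, peer):
        """'query', 'response' (matched and consumed) or 'unsolicited'."""
        ident, is_response = parse_header(packet)
        if not is_response:
            return "query"
        if (peer, ident) in self.pending:
            self.pending.discard((peer, ident))
            return "response"
        return "unsolicited"             # drop before it reaches the parser


UPSTREAM = ("192.0.2.53", 53)            # assumed upstream resolver address
```

Matching on peer and transaction ID only screens out traffic the server never asked for; it is not a defence against forged answers to queries it did send.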

