SynAttackProtect.txt

Posted Nov 26, 2000
Site videotron.ca

Windows NT 4.0 SP6a with SynAttackProtect set is vulnerable to a remote denial of service attack.

tags | exploit, remote, denial of service
systems | windows
SHA-256 | 714cad616a29fdfca52b206e8783d4c79dbf59b9a095f42bcd9514ec4ce0f734

______________________________________________________________________
NtWaK0@SecurHack.com
Bug / Security / Advisory
21,November, 2000
Killing NT 4.0 (HOT FIXES or NO / SP6a) Remotely using SynAttackProtect Key
Corrected version and solution FOUND :)


______________________________________________________________________
/// * Vulnerable Systems * \\\

Windows NT 4.0 SP6a + with or without HOT Fixes + SynAttackProtect set
______________________________________________________________________

______________________________________________________________________
/// * RISK FACTOR * \\\

HIGH
______________________________________________________________________

______________________________________________________________________
/// * Vulnerability Information * \\\

After spending many hours re-installing and ghosting and testing and
going NUTS to find out why 2 of MY NT boxes crash.

I noticed like a month ago or so 2 of my NT 4.0 boxes started to crash
for unknown reason (when I was on IRC), never had a crash problem
Registry settings for maximum protection from network attack before.
Sure my registry is modified and to start debugging the stuff was a task.

The following registry settings will help to increase the JOY :)
The crash led to the ON/OFF button :(

The tests I have done led me to find the correct registry KEY, yes
JOY, after hours I was able to repeat and found the exact setting.


Here is some background information from Microsoft site

http://www.microsoft.com/TechNet/security/dosrv.asp :
Security Considerations for Network Attacks
Registry settings for maximum protection from network attack

The following registry settings will help to increase the resistance of
the NT or Windows 2000 network stack to network denial of service attacks.
SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1, 2
0 (no synattack protection)
1 (reduced retransmission retries and delayed RCE (route cache entry)
creation if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are
satisfied.)
2 (in addition to 1 a delayed indication to Winsock is made.)


What I found out: setting the value to 1 or 2 and sending a TCP prediction
attack using CyberCop module 13002 will crash NT, and the only way to
reboot is to TURN OFF/ON :(

To reproduce the attack:

1. Install NT 4.0
2. Apply all the hot fixes suggested by Microsoft (with or without hot fixes)
3. Open Regedt32 or regedit
4. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
5. Add or change the key "SynAttackProtect", make it 1 or 2
6. The Value Type: REG_DWORD, Valid Range: 0, 1, 2
7. The full syntax will be "SynAttackProtect"=dword:00000002
8. Close regedt32 or regedit
9. Reboot
10. Run a TCP sequence numbers prediction attack
11. Hint: if you have CyberCop scanner it is /// * MODULE 13002 * or code
your own :)

I started some tests like stopping BlackICE, changing my IRC client etc. Hrmm,
nothing helped to stop the daily crash :(. It happened like 2 or 3 times
a day / night.

I decided to scan the machine using CyberCop since I use it for work, not
because I am Certified on It *CLAP* and because I like it :)

After scanning the remote box using just /// * MODULE 13002 * \\\, the box
sure crashed.

Rebooted the remote box and then started to think HO HO... After thinking /
testing stuff I found the module that causes the CRASH.

/// * MODULE 13002 * \\\
This MODULE uses mod13000.dll. Here is a bit of information on it.

Here is the Module description taken from CyberCop:

13002 TCP sequence numbers are predictable
Risk Factor: High
Complexity: Medium
Fixease: Moderate
Popularity: Popular
Rootcause: Implementation
Impact:
Accountability: Authorization

The host generates TCP sequence numbers in a pattern which
can be guessed by an intruder to launch TCP spoofing based attacks.

* The FUNNY part is CyberCop will return NOT VULNERABLE,
HO HO, but it just kills the darn box :( Here is what the CyberCop report
says while running the mentioned module:

DBG:: <Tue Nov 21 15:47:26 2000 >[REMOTEIP] HID=1 VID=13002 module_started
DBG:: <Tue Nov 21 15:47:47 2000>[REMOTEIP] HID=1 VID=13002 module_finished
Not Vulnerable
DBG:: <Tue Nov 21 15:47:26 2000 >[REMOTEIP] HID=1 VID=13002 host_finished.

Here is some WINDUMP while I was trying the KILLA module :)


15:50:57.716852 ATTACKER.DNS.53 > VICTIM.BOX.1037: 8* 1/2/2 (201) (DF)
15:50:57.899780 ATTACKER.BOX.51499 > VICTIM.BOX.139: R
4177042105:4177042105(0) win 4096
15:50:57.900739 ATTACKER.BOX.51500 > VICTIM.BOX.139: S
4177042104:4177042104(0) win 4096
15:50:57.900871 VICTIM.BOX.139 > ATTACKER.BOX.51500: S 37390524:37390524(0)
ack 4177042105 win 8576 <mss 1460> (DF)
15:50:57.901413 ATTACKER.BOX.51500 > VICTIM.BOX.139: R
4177042105:4177042105(0) win 0
15:50:58.099652 ATTACKER.BOX.51500 > VICTIM.BOX.139: R
4177042105:4177042105(0) win 4096
15:50:58.100615 ATTACKER.BOX.51501 > VICTIM.BOX.139: S
4177043104:4177043104(0) win 4096
15:50:58.100748 VICTIM.BOX.139 > ATTACKER.BOX.51501: S 37493073:37493073(0)
ack 4177043105 win 8576 <mss 1460> (DF)
15:50:58.101281 ATTACKER.BOX.51501 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 0
15:50:58.299987 ATTACKER.BOX.51501 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 4096
15:50:58.300944 ATTACKER.BOX.51502 > VICTIM.BOX.139: S
4177043104:4177043104(0) win 4096
15:50:58.301075 VICTIM.BOX.139 > ATTACKER.BOX.51502: S 37602428:37602428(0)
ack 4177043105 win 8576 <mss 1460> (DF)
15:50:58.301611 ATTACKER.BOX.51502 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 0
15:50:58.500468 ATTACKER.BOX.51502 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 4096
15:50:58.501428 ATTACKER.BOX.51503 > VICTIM.BOX.139: S
4177043104:4177043104(0) win 4096
15:50:58.501559 VICTIM.BOX.139 > ATTACKER.BOX.51503: S 37698671:37698671(0)
ack 4177043105 win 8576 <mss 1460> (DF)
15:50:58.502097 ATTACKER.BOX.51503 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 0
15:50:58.700496 ATTACKER.BOX.51503 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 4096
15:50:58.701450 ATTACKER.BOX.51504 > VICTIM.BOX.139: S
4177043104:4177043104(0) win 4096
15:50:58.701581 VICTIM.BOX.139 > ATTACKER.BOX.51504: S 37783232:37783232(0)
ack 4177043105 win 8576 <mss 1460> (DF)
15:50:58.702119 ATTACKER.BOX.51504 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 0
15:50:58.900808 ATTACKER.BOX.51504 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 4096
15:50:58.901763 ATTACKER.BOX.51505 > VICTIM.BOX.139: S
4177043104:4177043104(0) win 4096
15:50:58.901895 VICTIM.BOX.139 > ATTACKER.BOX.51505: S 37867794:37867794(0)
ack 4177043105 win 8576 <mss 1460> (DF)
15:50:58.902439 ATTACKER.BOX.51505 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 0
15:50:59.101311 ATTACKER.BOX.51505 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 4096
15:50:59.102267 ATTACKER.BOX.51506 > VICTIM.BOX.139: S
4177044104:4177044104(0) win 4096
15:50:59.102398 VICTIM.BOX.139 > ATTACKER.BOX.51506: S 37955428:37955428(0)
ack 4177044105 win 8576 <mss 1460> (DF)
15:50:59.102938 ATTACKER.BOX.51506 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 0
15:50:59.301400 ATTACKER.BOX.51506 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 4096
15:50:59.302356 ATTACKER.BOX.51507 > VICTIM.BOX.139: S
4177044104:4177044104(0) win 4096
15:50:59.302487 VICTIM.BOX.139 > ATTACKER.BOX.51507: S 38042905:38042905(0)
ack 4177044105 win 8576 <mss 1460> (DF)
15:50:59.303030 ATTACKER.BOX.51507 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 0
15:50:59.501612 ATTACKER.BOX.51507 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 4096
15:50:59.502563 ATTACKER.BOX.51508 > VICTIM.BOX.139: S
4177044104:4177044104(0) win 4096
15:50:59.502694 VICTIM.BOX.139 > ATTACKER.BOX.51508: S 38134827:38134827(0)
ack 4177044105 win 8576 <mss 1460> (DF)
15:50:59.503250 ATTACKER.BOX.51508 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 0
15:50:59.702160 ATTACKER.BOX.51508 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 4096
15:50:59.703116 ATTACKER.BOX.51509 > VICTIM.BOX.139: S
4177044104:4177044104(0) win 4096
15:50:59.703247 VICTIM.BOX.139 > ATTACKER.BOX.51509: S 38231533:38231533(0)
ack 4177044105 win 8576 <mss 1460> (DF)
15:50:59.703789 ATTACKER.BOX.51509 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 0
15:50:59.902233 ATTACKER.BOX.51509 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 4096
15:50:59.903192 ATTACKER.BOX.51510 > VICTIM.BOX.139: S
4177044104:4177044104(0) win 4096
15:50:59.903324 VICTIM.BOX.139 > ATTACKER.BOX.51510: S 38332233:38332233(0)
ack 4177044105 win 8576 <mss 1460> (DF)
15:50:59.903863 ATTACKER.BOX.51510 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 0
15:51:00.105452 ATTACKER.BOX.51510 > VICTIM.BOX.139: R
4177044105:4177044105(0) win 4096
15:51:00.106407 ATTACKER.BOX.51511 > VICTIM.BOX.139: S
4177045104:4177045104(0) win 4096
15:51:00.106538 VICTIM.BOX.139 > ATTACKER.BOX.51511: S 38429318:38429318(0)
ack 4177045105 win 8576 <mss 1460> (DF)
15:51:00.107076 ATTACKER.BOX.51511 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 0
15:51:00.305727 ATTACKER.BOX.51511 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 4096
15:51:00.306681 ATTACKER.BOX.51512 > VICTIM.BOX.139: S
4177045104:4177045104(0) win 4096
15:51:00.306814 VICTIM.BOX.139 > ATTACKER.BOX.51512: S 38540815:38540815(0)
ack 4177045105 win 8576 <mss 1460> (DF)
15:51:00.307348 ATTACKER.BOX.51512 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 0
15:51:00.506024 ATTACKER.BOX.51512 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 4096
15:51:00.506983 ATTACKER.BOX.51513 > VICTIM.BOX.139: S
4177045104:4177045104(0) win 4096
15:51:00.507114 VICTIM.BOX.139 > ATTACKER.BOX.51513: S 38624113:38624113(0)
ack 4177045105 win 8576 <mss 1460> (DF)
15:51:00.507650 ATTACKER.BOX.51513 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 0
15:51:00.703328 ATTACKER.BOX.51513 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 4096
15:51:00.704283 ATTACKER.BOX.51514 > VICTIM.BOX.139: S
4177045104:4177045104(0) win 4096
15:51:00.704413 VICTIM.BOX.139 > ATTACKER.BOX.51514: S 38722688:38722688(0)
ack 4177045105 win 8576 <mss 1460> (DF)
15:51:00.704952 ATTACKER.BOX.51514 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 0
15:51:00.903634 ATTACKER.BOX.51514 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 4096
15:51:00.904584 ATTACKER.BOX.51515 > VICTIM.BOX.139: S
4177045104:4177045104(0) win 4096
15:51:00.904716 VICTIM.BOX.139 > ATTACKER.BOX.51515: S 38838030:38838030(0)
ack 4177045105 win 8576 <mss 1460> (DF)
15:51:00.905254 ATTACKER.BOX.51515 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 0
15:51:01.104133 ATTACKER.BOX.51515 > VICTIM.BOX.139: R
4177045105:4177045105(0) win 4096
15:51:01.105085 ATTACKER.BOX.51516 > VICTIM.BOX.139: S
4177046104:4177046104(0) win 4096
15:51:01.105216 VICTIM.BOX.139 > ATTACKER.BOX.51516: S 38928820:38928820(0)
ack 4177046105 win 8576 <mss 1460> (DF)
15:51:01.105755 ATTACKER.BOX.51516 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 0
15:51:01.304349 ATTACKER.BOX.51516 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 4096
15:51:01.305304 ATTACKER.BOX.51517 > VICTIM.BOX.139: S
4177046104:4177046104(0) win 4096
15:51:01.305436 VICTIM.BOX.139 > ATTACKER.BOX.51517: S 39036618:39036618(0)
ack 4177046105 win 8576 <mss 1460> (DF)
15:51:01.305972 ATTACKER.BOX.51517 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 0
15:51:01.504436 ATTACKER.BOX.51517 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 4096
15:51:01.505387 ATTACKER.BOX.51518 > VICTIM.BOX.139: S
4177046104:4177046104(0) win 4096
15:51:01.505518 VICTIM.BOX.139 > ATTACKER.BOX.51518: S 39128579:39128579(0)
ack 4177046105 win 8576 <mss 1460> (DF)
15:51:01.506056 ATTACKER.BOX.51518 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 0
15:51:01.704985 ATTACKER.BOX.51518 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 4096
15:51:01.705940 ATTACKER.BOX.51519 > VICTIM.BOX.139: S
4177046104:4177046104(0) win 4096
15:51:01.706072 VICTIM.BOX.139 > ATTACKER.BOX.51519: S 39227548:39227548(0)
ack 4177046105 win 8576 <mss 1460> (DF)
15:51:01.706613 ATTACKER.BOX.51519 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 0
15:51:01.905061 ATTACKER.BOX.51519 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 4096
15:51:01.906016 ATTACKER.BOX.51520 > VICTIM.BOX.139: S
4177046104:4177046104(0) win 4096
15:51:01.906147 VICTIM.BOX.139 > ATTACKER.BOX.51520: S 39336921:39336921(0)
ack 4177046105 win 8576 <mss 1460> (DF)
15:51:01.906685 ATTACKER.BOX.51520 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 0
15:51:02.105282 ATTACKER.BOX.51520 > VICTIM.BOX.139: R
4177046105:4177046105(0) win 4096
15:51:02.106231 ATTACKER.BOX.51521 > VICTIM.BOX.139: S
4177047104:4177047104(0) win 4096
15:51:02.106363 VICTIM.BOX.139 > ATTACKER.BOX.51521: S 39437462:39437462(0)
ack 4177047105 win 8576 <mss 1460> (DF)
15:51:02.106901 ATTACKER.BOX.51521 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 0
15:51:02.305827 ATTACKER.BOX.51521 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 4096
15:51:02.306777 ATTACKER.BOX.51522 > VICTIM.BOX.139: S
4177047104:4177047104(0) win 4096
15:51:02.306910 VICTIM.BOX.139 > ATTACKER.BOX.51522: S 39533863:39533863(0)
ack 4177047105 win 8576 <mss 1460> (DF)
15:51:02.307448 ATTACKER.BOX.51522 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 0
15:51:02.505870 ATTACKER.BOX.51522 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 4096
15:51:02.506823 ATTACKER.BOX.51523 > VICTIM.BOX.139: S
4177047104:4177047104(0) win 4096
15:51:02.506955 VICTIM.BOX.139 > ATTACKER.BOX.51523: S 39626913:39626913(0)
ack 4177047105 win 8576 <mss 1460> (DF)
15:51:02.507492 ATTACKER.BOX.51523 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 0
15:51:02.706132 ATTACKER.BOX.51523 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 4096
15:51:02.707083 ATTACKER.BOX.51524 > VICTIM.BOX.139: S
4177047104:4177047104(0) win 4096
15:51:02.707213 VICTIM.BOX.139 > ATTACKER.BOX.51524: S 39724455:39724455(0)
ack 4177047105 win 8576 <mss 1460> (DF)
15:51:02.707750 ATTACKER.BOX.51524 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 0
15:51:02.906845 ATTACKER.BOX.51524 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 4096
15:51:02.907803 ATTACKER.BOX.51525 > VICTIM.BOX.139: S
4177047104:4177047104(0) win 4096
15:51:02.907935 VICTIM.BOX.139 > ATTACKER.BOX.51525: S 39809203:39809203(0)
ack 4177047105 win 8576 <mss 1460> (DF)
15:51:02.908476 ATTACKER.BOX.51525 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 0
15:51:03.106712 ATTACKER.BOX.51525 > VICTIM.BOX.139: R
4177047105:4177047105(0) win 4096
15:51:03.109088 ATTACKER.BOX.51526 > VICTIM.BOX.139: S
4177048104:4177048104(0) win 4096
15:51:03.109219 VICTIM.BOX.139 > ATTACKER.BOX.51526: S 39918949:39918949(0)
ack 4177048105 win 8576 <mss 1460> (DF)
15:51:03.109753 ATTACKER.BOX.51526 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 0
15:51:03.307027 ATTACKER.BOX.51526 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 4096
15:51:03.307978 ATTACKER.BOX.51527 > VICTIM.BOX.139: S
4177048104:4177048104(0) win 4096
15:51:03.308110 VICTIM.BOX.139 > ATTACKER.BOX.51527: S 40014891:40014891(0)
ack 4177048105 win 8576 <mss 1460> (DF)
15:51:03.308645 ATTACKER.BOX.51527 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 0
15:51:03.507532 ATTACKER.BOX.51527 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 4096
15:51:03.508487 ATTACKER.BOX.51528 > VICTIM.BOX.139: S
4177048104:4177048104(0) win 4096
15:51:03.508618 VICTIM.BOX.139 > ATTACKER.BOX.51528: S 40114696:40114696(0)
ack 4177048105 win 8576 <mss 1460> (DF)
15:51:03.509154 ATTACKER.BOX.51528 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 0
15:51:03.707562 ATTACKER.BOX.51528 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 4096
15:51:03.708515 ATTACKER.BOX.51529 > VICTIM.BOX.139: S
4177048104:4177048104(0) win 4096
15:51:03.708645 VICTIM.BOX.139 > ATTACKER.BOX.51529: S 40218009:40218009(0)
ack 4177048105 win 8576 <mss 1460> (DF)
15:51:03.709185 ATTACKER.BOX.51529 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 0
15:51:03.907874 ATTACKER.BOX.51529 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 4096
15:51:03.908827 ATTACKER.BOX.51530 > VICTIM.BOX.139: S
4177048104:4177048104(0) win 4096
15:51:03.908959 VICTIM.BOX.139 > ATTACKER.BOX.51530: S 40331702:40331702(0)
ack 4177048105 win 8576 <mss 1460> (DF)
15:51:03.909494 ATTACKER.BOX.51530 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 0
15:51:04.111101 ATTACKER.BOX.51530 > VICTIM.BOX.139: R
4177048105:4177048105(0) win 4096
15:51:04.112053 ATTACKER.BOX.51531 > VICTIM.BOX.139: S
4177049104:4177049104(0) win 4096
15:51:04.112184 VICTIM.BOX.139 > ATTACKER.BOX.51531: S 40414738:40414738(0)
ack 4177049105 win 8576 <mss 1460> (DF)
15:51:04.112719 ATTACKER.BOX.51531 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 0
15:51:04.311454 ATTACKER.BOX.51531 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 4096
15:51:04.312408 ATTACKER.BOX.51532 > VICTIM.BOX.139: S
4177049104:4177049104(0) win 4096
15:51:04.312544 VICTIM.BOX.139 > ATTACKER.BOX.51532: S 40523405:40523405(0)
ack 4177049105 win 8576 <mss 1460> (DF)
15:51:04.313078 ATTACKER.BOX.51532 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 0
15:51:04.511672 ATTACKER.BOX.51532 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 4096
15:51:04.512628 ATTACKER.BOX.51533 > VICTIM.BOX.139: S
4177049104:4177049104(0) win 4096
15:51:04.512763 VICTIM.BOX.139 > ATTACKER.BOX.51533: S 40626146:40626146(0)
ack 4177049105 win 8576 <mss 1460> (DF)
15:51:04.513298 ATTACKER.BOX.51533 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 0
15:51:04.709159 ATTACKER.BOX.51533 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 4096
15:51:04.710104 ATTACKER.BOX.51534 > VICTIM.BOX.139: S
4177049104:4177049104(0) win 4096
15:51:04.710235 VICTIM.BOX.139 > ATTACKER.BOX.51534: S 40734003:40734003(0)
ack 4177049105 win 8576 <mss 1460> (DF)
15:51:04.710774 ATTACKER.BOX.51534 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 0
15:51:04.909283 ATTACKER.BOX.51534 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 4096
15:51:04.910234 ATTACKER.BOX.51535 > VICTIM.BOX.139: S
4177049104:4177049104(0) win 4096
15:51:04.910366 VICTIM.BOX.139 > ATTACKER.BOX.51535: S 40843065:40843065(0)
ack 4177049105 win 8576 <mss 1460> (DF)
15:51:04.910903 ATTACKER.BOX.51535 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 0
15:51:05.109772 ATTACKER.BOX.51535 > VICTIM.BOX.139: R
4177049105:4177049105(0) win 4096
15:51:05.110729 ATTACKER.BOX.51536 > VICTIM.BOX.139: S
4177050104:4177050104(0) win 4096
15:51:05.110861 VICTIM.BOX.139 > ATTACKER.BOX.51536: S 40957009:40957009(0)
ack 4177050105 win 8576 <mss 1460> (DF)
15:51:05.111399 ATTACKER.BOX.51536 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 0
15:51:05.309874 ATTACKER.BOX.51536 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 4096
15:51:05.310830 ATTACKER.BOX.51537 > VICTIM.BOX.139: S
4177050104:4177050104(0) win 4096
15:51:05.310961 VICTIM.BOX.139 > ATTACKER.BOX.51537: S 41067901:41067901(0)
ack 4177050105 win 8576 <mss 1460> (DF)
15:51:05.311501 ATTACKER.BOX.51537 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 0
15:51:05.510083 ATTACKER.BOX.51537 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 4096
15:51:05.511032 ATTACKER.BOX.51538 > VICTIM.BOX.139: S
4177050104:4177050104(0) win 4096
15:51:05.511164 VICTIM.BOX.139 > ATTACKER.BOX.51538: S 41181635:41181635(0)
ack 4177050105 win 8576 <mss 1460> (DF)
15:51:05.511699 ATTACKER.BOX.51538 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 0
15:51:05.710614 ATTACKER.BOX.51538 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 4096
15:51:05.711570 ATTACKER.BOX.51539 > VICTIM.BOX.139: S
4177050104:4177050104(0) win 4096
15:51:05.711700 VICTIM.BOX.139 > ATTACKER.BOX.51539: S 41268667:41268667(0)
ack 4177050105 win 8576 <mss 1460> (DF)
15:51:05.712240 ATTACKER.BOX.51539 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 0
15:51:05.910709 ATTACKER.BOX.51539 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 4096
15:51:05.911658 ATTACKER.BOX.51540 > VICTIM.BOX.139: S
4177050104:4177050104(0) win 4096
15:51:05.911789 VICTIM.BOX.139 > ATTACKER.BOX.51540: S 41357678:41357678(0)
ack 4177050105 win 8576 <mss 1460> (DF)
15:51:05.912327 ATTACKER.BOX.51540 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 0
15:51:06.110927 ATTACKER.BOX.51540 > VICTIM.BOX.139: R
4177050105:4177050105(0) win 4096
15:51:06.111882 ATTACKER.BOX.51541 > VICTIM.BOX.139: S
4177051104:4177051104(0) win 4096
15:51:06.112013 VICTIM.BOX.139 > ATTACKER.BOX.51541: S 41461024:41461024(0)
ack 4177051105 win 8576 <mss 1460> (DF)
15:51:06.112549 ATTACKER.BOX.51541 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 0
15:51:06.311467 ATTACKER.BOX.51541 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 4096
15:51:06.312427 ATTACKER.BOX.51542 > VICTIM.BOX.139: S
4177051104:4177051104(0) win 4096
15:51:06.312561 VICTIM.BOX.139 > ATTACKER.BOX.51542: S 41555949:41555949(0)
ack 4177051105 win 8576 <mss 1460> (DF)
15:51:06.313098 ATTACKER.BOX.51542 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 0
15:51:06.511513 ATTACKER.BOX.51542 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 4096
15:51:06.512466 ATTACKER.BOX.51543 > VICTIM.BOX.139: S
4177051104:4177051104(0) win 4096
15:51:06.512598 VICTIM.BOX.139 > ATTACKER.BOX.51543: S 41670942:41670942(0)
ack 4177051105 win 8576 <mss 1460> (DF)
15:51:06.513136 ATTACKER.BOX.51543 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 0
15:51:06.711775 ATTACKER.BOX.51543 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 4096
15:51:06.712727 ATTACKER.BOX.51544 > VICTIM.BOX.139: S
4177051104:4177051104(0) win 4096
15:51:06.712858 VICTIM.BOX.139 > ATTACKER.BOX.51544: S 41784939:41784939(0)
ack 4177051105 win 8576 <mss 1460> (DF)
15:51:06.713404 ATTACKER.BOX.51544 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 0
15:51:06.912355 ATTACKER.BOX.51544 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 4096
15:51:06.913311 ATTACKER.BOX.51545 > VICTIM.BOX.139: S
4177051104:4177051104(0) win 4096
15:51:06.913443 VICTIM.BOX.139 > ATTACKER.BOX.51545: S 41885932:41885932(0)
ack 4177051105 win 8576 <mss 1460> (DF)
15:51:06.913982 ATTACKER.BOX.51545 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 0
15:51:07.112361 ATTACKER.BOX.51545 > VICTIM.BOX.139: R
4177051105:4177051105(0) win 4096
15:51:07.113315 ATTACKER.BOX.51546 > VICTIM.BOX.139: S
4177052104:4177052104(0) win 4096
15:51:07.113447 VICTIM.BOX.139 > ATTACKER.BOX.51546: S 41993706:41993706(0)
ack 4177052105 win 8576 <mss 1460> (DF)
15:51:07.113985 ATTACKER.BOX.51546 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 0
15:51:07.312806 ATTACKER.BOX.51546 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 4096
15:51:07.313756 ATTACKER.BOX.51547 > VICTIM.BOX.139: S
4177052104:4177052104(0) win 4096
15:51:07.313889 VICTIM.BOX.139 > ATTACKER.BOX.51547: S 42107365:42107365(0)
ack 4177052105 win 8576 <mss 1460> (DF)
15:51:07.314426 ATTACKER.BOX.51547 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 0
15:51:07.513164 ATTACKER.BOX.51547 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 4096
15:51:07.514123 ATTACKER.BOX.51548 > VICTIM.BOX.139: S
4177052104:4177052104(0) win 4096
15:51:07.514253 VICTIM.BOX.139 > ATTACKER.BOX.51548: S 42192906:42192906(0)
ack 4177052105 win 8576 <mss 1460> (DF)
15:51:07.514790 ATTACKER.BOX.51548 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 0
15:51:07.713212 ATTACKER.BOX.51548 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 4096
15:51:07.714165 ATTACKER.BOX.51549 > VICTIM.BOX.139: S
4177052104:4177052104(0) win 4096
15:51:07.714295 VICTIM.BOX.139 > ATTACKER.BOX.51549: S 42278337:42278337(0)
ack 4177052105 win 8576 <mss 1460> (DF)
15:51:07.714834 ATTACKER.BOX.51549 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 0
15:51:07.913635 ATTACKER.BOX.51549 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 4096
15:51:07.914593 ATTACKER.BOX.51550 > VICTIM.BOX.139: S
4177052104:4177052104(0) win 4096
15:51:07.914724 VICTIM.BOX.139 > ATTACKER.BOX.51550: S 42385860:42385860(0)
ack 4177052105 win 8576 <mss 1460> (DF)
15:51:07.915263 ATTACKER.BOX.51550 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 0
15:51:08.114012 ATTACKER.BOX.51550 > VICTIM.BOX.139: R
4177052105:4177052105(0) win 4096
15:51:08.114969 ATTACKER.BOX.51551 > VICTIM.BOX.139: S
4177053104:4177053104(0) win 4096
15:51:08.115100 VICTIM.BOX.139 > ATTACKER.BOX.51551: S 42494298:42494298(0)
ack 4177053105 win 8576 <mss 1460> (DF)
15:51:08.115637 ATTACKER.BOX.51551 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 0
15:51:08.314058 ATTACKER.BOX.51551 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 4096
15:51:08.315008 ATTACKER.BOX.51552 > VICTIM.BOX.139: S
4177053104:4177053104(0) win 4096
15:51:08.315140 VICTIM.BOX.139 > ATTACKER.BOX.51552: S 42603841:42603841(0)
ack 4177053105 win 8576 <mss 1460> (DF)
15:51:08.315670 ATTACKER.BOX.51552 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 0
15:51:08.514319 ATTACKER.BOX.51552 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 4096
15:51:08.515269 ATTACKER.BOX.51553 > VICTIM.BOX.139: S
4177053104:4177053104(0) win 4096
15:51:08.515399 VICTIM.BOX.139 > ATTACKER.BOX.51553: S 42694160:42694160(0)
ack 4177053105 win 8576 <mss 1460> (DF)
15:51:08.515934 ATTACKER.BOX.51553 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 0
15:51:08.714859 ATTACKER.BOX.51553 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 4096
15:51:08.715814 ATTACKER.BOX.51554 > VICTIM.BOX.139: S
4177053104:4177053104(0) win 4096
15:51:08.715945 VICTIM.BOX.139 > ATTACKER.BOX.51554: S 42781944:42781944(0)
ack 4177053105 win 8576 <mss 1460> (DF)
15:51:08.716482 ATTACKER.BOX.51554 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 0
15:51:08.914950 ATTACKER.BOX.51554 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 4096
15:51:08.915908 ATTACKER.BOX.51555 > VICTIM.BOX.139: S
4177053104:4177053104(0) win 4096
15:51:08.916038 VICTIM.BOX.139 > ATTACKER.BOX.51555: S 42882618:42882618(0)
ack 4177053105 win 8576 <mss 1460> (DF)
15:51:08.916576 ATTACKER.BOX.51555 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 0
15:51:09.118769 ATTACKER.BOX.51555 > VICTIM.BOX.139: R
4177053105:4177053105(0) win 4096
15:51:09.119724 ATTACKER.BOX.51556 > VICTIM.BOX.139: S
4177054104:4177054104(0) win 4096
15:51:09.119856 VICTIM.BOX.139 > ATTACKER.BOX.51556: S 42989065:42989065(0)
ack 4177054105 win 8576 <mss 1460> (DF)
15:51:09.120394 ATTACKER.BOX.51556 > VICTIM.BOX.139: R
4177054105:4177054105(0) win 0
15:51:09.319120 ATTACKER.BOX.51556 > VICTIM.BOX.139: R
4177054105:4177054105(0) win 4096
15:51:09.320073 ATTACKER.BOX.51557 > VICTIM.BOX.139: S
4177054104:4177054104(0) win 4096
15:51:09.320205 VICTIM.BOX.139 > ATTACKER.BOX.51557: S 43099333:43099333(0)
ack 4177054105 win 8576 <mss 1460> (DF)
15:51:09.320743 ATTACKER.BOX.51557 > VICTIM.BOX.139: R
4177054105:4177054105(0) win 0
15:51:09.519353 ATTACKER.BOX.51557 > VICTIM.BOX.139: R
4177054105:4177054105(0) win 4096
15:51:09.520307 ATTACKER.BOX.51558 > VICTIM.BOX.139: S
4177054104:4177054104(0) win 4096
15:51:09.520438 VICTIM.BOX.139 > ATTACKER.BOX.51558: S 43206376:43206376(0)
ack 4177054105 win 8576 <mss 1460> (DF)
15:51:09.520977 ATTACKER.BOX.51558 > VICTIM.BOX.139: R 41770 <<< *** CRASH
HERE***

*** CRASH HERE****** CRASH HERE****** CRASH HERE****** CRASH HERE******
Here is the crash. Too bad Dr. Watson cannot log and the other sniffers use a
temp file so I can only get some WINDUMP :)
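
Added example, not part of the original advisory: a Python sketch that reads WinDump text in the format shown above and flags the probe pattern visible in the trace, where one client repeatedly takes a SYN-ACK from the same service and resets it, and reports the server ISN deltas the scan was sampling. The sample input is the first packets of the trace above, copied with the page's line wrapping; the function names and the min_probes threshold are assumptions.

```python
import re
from collections import defaultdict

# First packets of the WinDump trace above, copied with the page's line wrapping.
TRACE = """\
15:50:57.716852 ATTACKER.DNS.53 > VICTIM.BOX.1037: 8* 1/2/2 (201) (DF)
15:50:57.899780 ATTACKER.BOX.51499 > VICTIM.BOX.139: R
4177042105:4177042105(0) win 4096
15:50:57.900739 ATTACKER.BOX.51500 > VICTIM.BOX.139: S
4177042104:4177042104(0) win 4096
15:50:57.900871 VICTIM.BOX.139 > ATTACKER.BOX.51500: S 37390524:37390524(0)
ack 4177042105 win 8576 <mss 1460> (DF)
15:50:57.901413 ATTACKER.BOX.51500 > VICTIM.BOX.139: R
4177042105:4177042105(0) win 0
15:50:58.099652 ATTACKER.BOX.51500 > VICTIM.BOX.139: R
4177042105:4177042105(0) win 4096
15:50:58.100615 ATTACKER.BOX.51501 > VICTIM.BOX.139: S
4177043104:4177043104(0) win 4096
15:50:58.100748 VICTIM.BOX.139 > ATTACKER.BOX.51501: S 37493073:37493073(0)
ack 4177043105 win 8576 <mss 1460> (DF)
15:50:58.101281 ATTACKER.BOX.51501 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 0
15:50:58.299987 ATTACKER.BOX.51501 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 4096
15:50:58.300944 ATTACKER.BOX.51502 > VICTIM.BOX.139: S
4177043104:4177043104(0) win 4096
15:50:58.301075 VICTIM.BOX.139 > ATTACKER.BOX.51502: S 37602428:37602428(0)
ack 4177043105 win 8576 <mss 1460> (DF)
15:50:58.301611 ATTACKER.BOX.51502 > VICTIM.BOX.139: R
4177043105:4177043105(0) win 0
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
PKT = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+\.\d+) > (\S+\.\d+): ([SFRP.]+)"
                 r"(?: (\d+):\d+\(\d+\))?(?: ack (\d+))?")

def unwrap(text):
    """Re-join records that were wrapped onto a second line."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def endpoint(ep):
    host, _, port = ep.rpartition(".")
    return host, int(port)

def packets(text):
    for rec in unwrap(text):
        m = PKT.match(rec)
        if m:  # non-TCP records (the DNS reply) do not match and are skipped
            hh, mm, ss, src, dst, flags, seq, ack = m.groups()
            yield (int(hh) * 3600 + int(mm) * 60 + float(ss),
                   endpoint(src), endpoint(dst), flags, seq, ack)

def find_isn_sampling(text, min_probes=3):  # min_probes: assumed threshold
    """Flag clients that repeatedly take a SYN-ACK from one service and reset it."""
    pending = {}               # (client, server) endpoints -> (time, server ISN)
    hits = defaultdict(list)   # (client host, server host, port) -> samples
    for t, src, dst, flags, seq, ack in packets(text):
        if flags == "S" and ack and seq:
            pending[(dst, src)] = (t, int(seq))      # SYN-ACK: record the ISN
        elif "R" in flags and (src, dst) in pending:
            hits[(src[0], dst[0], dst[1])].append(pending.pop((src, dst)))
        else:
            pending.pop((src, dst), None)            # handshake went on normally
    report = {}
    for key, samples in hits.items():
        if len(samples) >= min_probes:
            times, isns = zip(*samples)
            span = (times[-1] - times[0]) / max(len(times) - 1, 1)
            report[key] = {
                "probes": len(samples),
                "isn_deltas": [(b - a) % 2**32 for a, b in zip(isns, isns[1:])],
                "mean_interval_s": round(span, 3),
            }
    return report

if __name__ == "__main__":
    for key, stats in find_isn_sampling(TRACE).items():
        print(key, stats)
```
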

______________________________________________________________________
/// * Resolution * \\\

1 - If you follow MS paper
http://www.microsoft.com/TechNet/security/dosrv.asp
and you have changed the VALUE from 0 to 1 or 2, change it to 0.
2 - Setting 0 will keep your NT box safe from this attack. But it does not
go with MS paper so it is a choice you have to take, hell life is
full of choices and stuff right :)

______________________________________________________________________
/// * Credits * \\\

The discovery and documentation of this vulnerability was conducted by
NtWaK0.
For more information Dalnet channel #security or NtWaK0@SecurHack.com
_______________________________________________________________________

_______________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.__________
Live Well Do Good |
Accept no limitations \(|)/
/`\ NtWaK0
