Short Attack Descriptions

1999 DARPA Intrusion Detection Evaluation

anypw AnyPW is a Console User to Root attack that allows the attacker to log on to the system without knowing a password. A boot disk is used to modify the NT authentication package so that any valid username can log in with any password string. Logins via telnet also succeed with any password.
arppoison An ARP-level denial of service, where the attacker sends out bogus replies to "arp who-has" requests for the victim's MAC address, so that other hosts on the segment send the victim's traffic to the wrong hardware address. To carry out this attack the attacker must have access to a machine on the victim's subnet, so it often involves a remote attacker logging into a local machine and then running the attack against another machine (the victim).
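The observable that gives the attack away is two different MAC addresses answering for the same IP. The detector below is an added example, not part of the evaluation materials or of any tool the evaluation used; it works on a constructed list of ARP replies (timestamps, addresses and MACs are all made up) and keeps the first mapping it learns for each IP. A different MAC answering within a short window of the legitimate reply is reported as a "conflict"; any later reply that contradicts the learned mapping is reported as "changed".

```python
"""ARP-poisoning detector (added example; not part of the evaluation materials).

Learns the first MAC address that answers for each IP and flags two things:
a second, different MAC answering for the same IP within `window` seconds of
the previous answer (the legitimate host and the attacker both replying to one
"who-has"), and any later reply that contradicts the learned mapping.
All addresses below are constructed for the example.
"""
from collections import namedtuple

# One "ip is-at mac" ARP reply as a sniffer would record it: (timestamp, IP, MAC).
ArpReply = namedtuple("ArpReply", "ts ip mac")

# Constructed sample: a gateway, a victim, and an attacker MAC answering for the victim.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.0.2.1", "00:10:7b:38:46:32"),     # gateway, learned
    ArpReply(0.5, "192.0.2.100", "08:00:20:86:cb:e9"),   # victim, learned
    ArpReply(10.0, "192.0.2.100", "08:00:20:86:cb:e9"),  # victim answers a who-has
    ArpReply(10.1, "192.0.2.100", "00:c0:4f:a3:19:7e"),  # attacker answers the same who-has
    ArpReply(30.0, "192.0.2.100", "00:c0:4f:a3:19:7e"),  # attacker alone this time
    ArpReply(45.0, "192.0.2.1", "00:10:7b:38:46:32"),    # gateway unchanged, no alert
]


def detect_arp_poisoning(replies, window=1.0):
    """Return alerts as (ts, kind, ip, expected_mac, seen_mac) tuples.

    kind is "conflict" when a different MAC answers for an IP within `window`
    seconds of the previous answer, otherwise "changed" when a reply disagrees
    with the first mapping learned for that IP.
    """
    learned = {}   # ip -> MAC from the first reply seen
    last = {}      # ip -> (ts, MAC) of the most recent reply
    alerts = []
    for r in replies:
        first = learned.setdefault(r.ip, r.mac)
        prev = last.get(r.ip)
        if prev is not None and prev[1] != r.mac and r.ts - prev[0] <= window:
            alerts.append((r.ts, "conflict", r.ip, prev[1], r.mac))
        elif first != r.mac:
            alerts.append((r.ts, "changed", r.ip, first, r.mac))
        last[r.ip] = (r.ts, r.mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```

A host that legitimately changes its MAC (new NIC, DHCP reassigning the address) also produces a "changed" alert, so the "conflict" case, where two MACs answer the same request within a second of each other, is the stronger signal.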
back Denial of service attack against the Apache web server where a client requests a URL containing a very long run of slashes.
casesen CaseSen is a User to Root attack that exploits the case sensitivity of the NT object directory. The attacker FTPs three attack files to the victim: soundedt.exe, editwavs.exe and psxss.exe (the names were chosen to make the attack stealthier). The attacker then telnets to the victim and runs soundedt.exe, which creates a new object in the NT object directory called \??\c: that links to the directory containing the attack files. A POSIX application is then started, activating the trojan attack file psxss.exe, which results in the logged-in user being added to the Administrators group.
crashiis A single malformed HTTP request causes the IIS web server to crash.
dict Guess passwords for a valid user using simple variants of the account name over a telnet connection.
dosnuke DoSNuke is a Denial of Service attack that sends Out Of Band data (MSG_OOB) to port 139 (NetBIOS), crashing the NT victim (the machine bluescreens).
eject Buffer overflow in the eject program on Solaris. Leads to a user-to-root transition if successful.
framespoofer Data attack where the attacker sends a fake email to the victim directing the victim to a trusted web site. When the user clicks on the link in the email it actually runs a JavaScript that brings up the trusted web site but then inserts a malicious web page into one of its frames. The URL displayed in the browser remains unchanged.
ffb Buffer overflow in the ffbconfig UNIX system command leads to a root shell.
format Buffer overflow in the fdformat UNIX system command leads to a root shell.
ftp-write Remote FTP user creates a .rhosts file in a world-writable anonymous FTP directory and obtains a local login.
guest Try to guess the password for the guest account via telnet.
httptunnel There are two phases to this attack:
Setup — a web "client" is set up on the machine being attacked and configured, perhaps via crontab, to periodically make requests of a "server" running on a non-privileged port on the attacking machine.
Action — when the periodic requests are received, the server encapsulates commands to be run by the "client" in a cookie, things like "cat /etc/passwd".
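What an IDS sees of the setup phase is a client that keeps contacting the same non-privileged port at a cron-like cadence. The following is an added example, not part of the evaluation materials: it groups constructed connection records (timestamps, addresses, the 8080 port and the 300-second interval are all invented for the example) by client, server and port, and flags a group as a likely beacon when it has enough hits with nearly constant spacing. The command text inside the cookie is not examined; only connection metadata is used.

```python
"""Beacon detector for httptunnel-style periodic polling (added example).

Groups connection records by (client, server, server port) and flags a group
as a likely beacon when the client contacts a non-privileged port at least
`min_hits` times with nearly constant spacing, measured as the coefficient of
variation of the inter-arrival times. The records and the 300 s cadence are
constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (timestamp_s, client_ip, server_ip, server_port)
SAMPLE_CONNECTIONS = [
    # httptunnel client polling its server every ~300 s on a non-privileged port
    (0.0, "192.0.2.20", "198.51.100.9", 8080),
    (300.2, "192.0.2.20", "198.51.100.9", 8080),
    (600.1, "192.0.2.20", "198.51.100.9", 8080),
    (899.8, "192.0.2.20", "198.51.100.9", 8080),
    (1200.3, "192.0.2.20", "198.51.100.9", 8080),
    (1500.0, "192.0.2.20", "198.51.100.9", 8080),
    # a person browsing the same server port at irregular intervals
    (5.0, "192.0.2.22", "198.51.100.9", 8080),
    (17.0, "192.0.2.22", "198.51.100.9", 8080),
    (100.0, "192.0.2.22", "198.51.100.9", 8080),
    (160.0, "192.0.2.22", "198.51.100.9", 8080),
    (900.0, "192.0.2.22", "198.51.100.9", 8080),
    (905.0, "192.0.2.22", "198.51.100.9", 8080),
    # regular, but too few hits to call it a beacon yet
    (0.0, "192.0.2.23", "203.0.113.5", 3128),
    (600.0, "192.0.2.23", "203.0.113.5", 3128),
    (1200.0, "192.0.2.23", "203.0.113.5", 3128),
    # perfectly regular, but to a privileged port: ignored by the port filter
    (0.0, "192.0.2.24", "198.51.100.80", 80),
    (60.0, "192.0.2.24", "198.51.100.80", 80),
    (120.0, "192.0.2.24", "198.51.100.80", 80),
    (180.0, "192.0.2.24", "198.51.100.80", 80),
    (240.0, "192.0.2.24", "198.51.100.80", 80),
]


def find_beacons(records, min_hits=5, max_cv=0.1, min_port=1024):
    """Return [(key, mean_gap_s, hits)] for groups that look like beacons."""
    groups = defaultdict(list)
    for ts, client, server, port in records:
        groups[(client, server, port)].append(ts)
    beacons = []
    for key, times in groups.items():
        if key[2] < min_port or len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # low spread relative to the mean gap = machine-driven timing
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((key, round(avg, 1), len(times)))
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_CONNECTIONS):
        print(beacon)
```

The port filter follows the description above (the server sits on a non-privileged port); a tunnel server listening on 80 or 443 would pass unnoticed with the default, so `min_port=0` is the setting to use when the channel is expected to hide among ordinary web traffic, at the cost of also flagging legitimate scheduled fetches.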
imap Remote buffer overflow via the IMAP port leads to a root shell.
insidesniffer A probe attack in which the attacker gains access to the physical network and adds a host that is then used to sniff network traffic, allowing the collection of passwords or other data from any traffic flowing on that network segment. The attack can be carried out in a stealthy manner, in which DNS lookups are disabled, or in a clear manner, in which the sniffer uses DNS to resolve the names of the IP addresses as it sniffs them, so its own lookups are visible on the network.
ipsweep Surveillance sweep performing either a port sweep or a ping against multiple host addresses.
land Denial of service where a remote host is sent a spoofed TCP SYN packet whose source address and port are the same as its destination address and port.
ls_domain A probe attack in which the attacker uses nslookup, setting the server to the victim's DNS server and issuing the "ls" command, to list all hosts/IPs within that domain name (a zone transfer). This attack may be followed by a probe of all of these IPs/hosts.
loadmodule Non-stealthy loadmodule attack which resets IFS for a normal user and creates a root shell.
mailbomb A Denial of Service attack where the attacker sends the mail server many large messages for delivery in order to slow it down, perhaps effectively halting normal operation.
ncftp An R2L attack which exploits a bug in a particular version of ncftp, the popular FTP client. A user on the victim host FTPs to the attacker's machine and attempts to download a directory recursively. Contained in that directory is a directory with a very long name; embedded in the name are one or more commands that are then executed (unintentionally) by the FTP client with the permissions of that user.
neptune Syn flood denial of service on one or more ports. 
netbus Remote-to-local (NT) attack with the potential to be a remote-to-root attack. The attacker must install the NetBus server on the victim's machine, either by emailing a trojan horse to the victim or by sitting down at the victim's console. Once the server is installed, the attacker can use the NetBus client remotely to do almost anything: upload/download files, run programs, etc. The attacker's access privileges are identical to those of the user currently logged on to the victim machine, so if an admin is using the victim, the attacker can run an adduser command to set up a new admin user, making this a remote-to-root attack. NetBus can also be used as a probe attack to scan IP addresses for NetBus servers.
netcat NetCat is a Remote to Local attack against NT. The attacker uses a trojan to install and run the netcat program on the victim machine, listening on a specific port (53). Once netcat is running it acts as a backdoor: the attacker can remotely access the machine through the netcat port without a username or password.
nmap Network mapping using the nmap tool. The mode of exploring the network will vary; options include SYN scanning.
ntfsdos An R2L/Data attack in which the attacker gains access to the console of a Windows NT machine and boots the machine off a floppy disk. The floppy contains a program (ntfsdos) which mounts the machine's disk drives without the NT access protections, so the attacker can (and does) copy secret files onto the floppy. The machine is then rebooted normally.
ntinfoscan A process by which the attacker scans an NT machine for information concerning its configuration, including FTP services, telnet services, web services, system account information, file systems and permissions.
perlmagic Perl attack which sets the user id to root in a perl script and creates a root shell 
phf Exploitable CGI script which allows a client to execute arbitrary commands on a machine with a misconfigured web server. 
pod Denial of service ping of death: an ICMP echo request whose fragments reassemble to more than the maximum IP datagram size.
portsweep Surveillance sweep through many ports to determine which services are supported on a single host. 
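The two sweeps above, ipsweep and portsweep, differ only in which field fans out: destination hosts for one, destination ports on a single host for the other. The detector below is an added example, not part of the evaluation materials; it runs over constructed probe records (addresses, ports and timing are invented) and keeps a sliding time window per source, raising one alert per source once the number of distinct hosts, or distinct ports on one host, crosses a threshold. The slow ping walk in the sample shows the obvious evasion: spread the probes wider than the window and the count never builds up.

```python
"""Sweep detector for ipsweep / portsweep probes (added example).

Keeps a sliding `window` of probe records per source address. A source that
touches `host_threshold` distinct destination hosts within the window is
reported as an ipsweep; a source that touches `port_threshold` distinct ports
on one destination is reported as a portsweep. The records are constructed.
"""
from collections import defaultdict, deque

# Constructed probe records: (timestamp_s, src_ip, dst_ip, dst_port); None = ICMP echo
SAMPLE_PROBES = (
    # ipsweep: one pinger walks ten hosts in ten seconds
    [(float(i), "198.51.100.7", f"192.0.2.{i + 1}", None) for i in range(10)]
    # portsweep: one source probes twelve ports on one host, two per second
    + [(100.0 + 0.5 * i, "198.51.100.8", "192.0.2.5", port)
       for i, port in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 443, 513])]
    # slow ping walk, one host every 100 s: never reaches the threshold inside a 60 s window
    + [(200.0 + 100.0 * i, "198.51.100.9", f"192.0.2.{i + 1}", None) for i in range(10)]
    # ordinary client touching three services on one host
    + [(300.0, "192.0.2.30", "192.0.2.5", 80),
       (301.0, "192.0.2.30", "192.0.2.5", 443),
       (350.0, "192.0.2.30", "192.0.2.5", 22)]
)


def detect_sweeps(records, window=60.0, host_threshold=8, port_threshold=10):
    """Return alerts in detection order; one per source (and per target for portsweeps)."""
    recent = defaultdict(deque)   # src -> records still inside the window
    fired = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r[0]):
        ts, src, dst, dport = rec
        q = recent[src]
        q.append(rec)
        while q and ts - q[0][0] > window:   # expire records older than the window
            q.popleft()
        hosts = {r[2] for r in q}
        if len(hosts) >= host_threshold and (src, "ipsweep") not in fired:
            fired.add((src, "ipsweep"))
            alerts.append(("ipsweep", src, len(hosts)))
        ports = {r[3] for r in q if r[2] == dst and r[3] is not None}
        if len(ports) >= port_threshold and (src, dst, "portsweep") not in fired:
            fired.add((src, dst, "portsweep"))
            alerts.append(("portsweep", src, dst, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_PROBES):
        print(alert)
```

Widening the window catches the slow walk (with `window=1000.0` the third alert is the ipsweep from 198.51.100.9) but also raises the chance that an ordinary busy client trips the host threshold, which is the usual threshold-versus-window trade-off for this class of detector.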
ppmacro This Remote to Local attack uses a trojan PowerPoint macro to read secret files. It is based on a particular scenario: the victim user regularly receives PowerPoint templates from an outside source as email attachments. He runs a built-in macro which inserts a graph displaying web statistics, saves the presentation as a .ppt file, and posts it on the web.
ps Ps takes advantage of a race condition in the ps command in Solaris 2.5, allowing a user to gain root access.
queso A probe that consists of 7 packets, whose purpose is to identify the operating system and version of a particular host. It can be run successfully against many different host types.
resetscan ResetScan sends TCP reset packets to a list of IP addresses in a subnet to determine which machines are active. If there is no response to the reset packet, the machine is alive (a live host silently discards an unexpected RST). If a router or gateway responds with "host unreachable," the machine does not exist.
rootkit Multi-day scenario where a user installs one or more components of a rootkit 
satan Network probing tool which looks for well-known weaknesses. Operates at three different levels; level 0 is light.
sechole The attacker logs on to the NT machine as a normal user, then runs the secHole program, which manipulates an API function and executes a DLL that adds the user to the Administrators group. The attacker may have to reboot if the system locks up.
secret A data attack in which either a valid user accesses the "secret" (/home/secret/*) data in a manner not in accordance with the security policy, or an attacker or invalid user accesses the data at all. This is described in more detail in the security policy for the 1999 Offline Evaluation.
selfping A denial of service attack in which a local user on a Solaris 2.5.1 machine can ping the localhost in such a way as to cause the machine to crash and subsequently reboot.
sendmail The Sendmail attack exploits a buffer overflow in version 8.8.3 of sendmail and allows a remote attacker to execute commands with superuser privileges. By sending a carefully crafted email message to a system running a vulnerable version of sendmail, intruders can force sendmail to execute arbitrary commands with root privilege.
smurf Denial of service icmp echo reply flood. 
sqlattack A U2R attack where a user makes a TCP connection to the SQL database server on the Linux machine, issues a special escape sequence to exit the database shell, then enters and runs the perlmagic script to obtain a root shell.
sshprocesstable A denial of service very similar to the standard "processtable" attack, but directed against the sshd server daemon. The goal is to get sshd to cease to be able to spawn children to handle incoming ssh requests.
sshtrojan An R2L attack where the attacker tricks a system administrator into installing a trojan version of the sshd server which has a back door embedded in the binary. Subsequent instances of the sshtrojan attack involve exercising this backdoor.
syslog Denial of service against the syslog service: the attacker sends to port 514 from a source IP that cannot be resolved.
tcpreset A Denial of Service where the attacker, generally sitting on the same subnet as the victim, resets any TCP connection it sees complete the handshake with the victim. To do this it spoofs the victim's IP on the reset packets.
teardrop Denial of service where mis-fragmented (overlapping) UDP fragments cause some systems to reboot.
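Three of the denial-of-service entries on this page, land, pod and teardrop, are recognisable from packet headers alone with no connection state. The checks below are an added example, not part of the evaluation materials or of any IDS used in it. They run over constructed, already-decoded packet records (addresses, IP IDs and the fragment sizes are invented; fragment offsets are expressed in bytes rather than the 8-byte units of the IP header): land is a TCP SYN whose source and destination address:port coincide, teardrop is a fragment that starts inside the data of the preceding fragment, and pod is a datagram whose fragments reassemble past the 65535-byte IP limit.

```python
"""Stateless header checks for land, ping-of-death and teardrop (added example).

Works on constructed, already-decoded packet records rather than raw bytes.
Fragment offsets are given in bytes (the IP header carries them in 8-byte
units), and payload_len is the number of data bytes carried in that fragment.
"""
from collections import defaultdict

IP_MAX_LEN = 65535   # largest datagram the IP total-length field can describe

# Constructed sample packets (addresses, IDs and sizes are made up for the example).
SAMPLE_PACKETS = (
    [
        # land: a SYN to the NetBIOS port with source address:port == destination address:port
        {"proto": "tcp", "src": "192.0.2.10", "sport": 139, "dst": "192.0.2.10", "dport": 139, "flags": "S"},
        # an ordinary SYN to the same service
        {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.10", "dport": 139, "flags": "S"},
        # teardrop: the second UDP fragment starts inside the first one's data
        {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 242,
         "frag_off": 0, "payload_len": 36, "more_frags": True},
        {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 242,
         "frag_off": 24, "payload_len": 4, "more_frags": False},
        # a normally fragmented UDP datagram: contiguous, no overlap, well under the limit
        {"proto": "udp", "src": "192.0.2.30", "dst": "192.0.2.10", "ip_id": 7,
         "frag_off": 0, "payload_len": 1480, "more_frags": True},
        {"proto": "udp", "src": "192.0.2.30", "dst": "192.0.2.10", "ip_id": 7,
         "frag_off": 1480, "payload_len": 200, "more_frags": False},
    ]
    # pod: 45 ICMP fragments of 1480 bytes reassemble to 66600 bytes, past the 65535 limit
    + [{"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 4660,
        "frag_off": 1480 * i, "payload_len": 1480, "more_frags": i < 44} for i in range(45)]
)


def is_land(pkt):
    """land: a TCP SYN whose source address:port equals its destination address:port."""
    return (pkt["proto"] == "tcp" and "S" in pkt.get("flags", "")
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def check_fragments(packets):
    """Track fragment coverage per datagram; report overlap (teardrop) and oversize (pod)."""
    datagrams = defaultdict(list)
    for p in packets:
        if p.get("frag_off", 0) or p.get("more_frags"):   # only fragmented traffic
            datagrams[(p["src"], p["dst"], p["proto"], p["ip_id"])].append(p)
    alerts = []
    for key, frags in datagrams.items():
        frags.sort(key=lambda f: f["frag_off"])
        end = 0   # highest byte offset covered by the fragments seen so far
        for f in frags:
            if f["frag_off"] < end:
                # teardrop: this fragment begins inside data already delivered
                alerts.append(("teardrop", key))
                break
            end = max(end, f["frag_off"] + f["payload_len"])
        else:
            if end > IP_MAX_LEN:
                # ping of death: reassembled datagram would exceed the IP maximum
                alerts.append(("pod", key))
    return alerts


def scan(packets):
    """Run all three checks; returns alerts tagged "land", "teardrop" or "pod"."""
    alerts = [("land", p["src"], p["dport"]) for p in packets if is_land(p)]
    return alerts + check_fragments(packets)


if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

The overlap test flags any fragment overlap, of which teardrop is one instance; a production reassembler would also have to bound how long it holds fragments per datagram, since an attacker who never sends the final fragment can otherwise exhaust the detector's own memory.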
warez User logs into anonymous FTP site and creates a hidden directory. 
warezclient Users downloading illegal software which was previously posted via anonymous FTP by the warezmaster. 
warezmaster Anonymous FTP upload of warez (usually illegal copies of copyrighted software) onto the FTP server.
yaga User-to-root attack that creates a new user in the Administrators group by editing the registry. The attacker edits the victim's registry so that the next time a system service crashes on the victim, a new admin user is set up. To set up the attack, the attacker must put 3 files on the victim machine: a file containing the new user info, a file with the registry edit info, and a batch file to set up the new user. The attacker must also edit the registry. All this can be done via a telnet session or by physically accessing the victim machine. Once the setup is complete, the attacker can remotely crash a service on the victim machine (using crashIIS, for example) to trigger creation of the new admin user.
