DARPA Intrusion Detection Evaluation
Short Attack Descriptions
1999 DARPA Intrusion Detection Evaluation
| Attack | Description |
|---|---|
| anypw | AnyPW is a Console User to Root attack that allows the attacker to log on to the system without a password. A boot disk is used to modify the NT authentication package so that a valid username can log in with any password string. Logins via telnet also work with any password. |
| arppoision | An ARP-level denial of service, where the attacker sends out bogus responses to "arp-who-has" requests for the victim's MAC address. To carry out this attack, the attacker must gain access to a machine on the victim's subnet, so it often involves a remote attacker logging into a local machine and then running the attack against another machine (the victim). |
| back | Denial of service attack against the Apache web server where a client requests a URL containing many backslashes. |
| cassen | CaseSen is a User to Root attack that exploits the case sensitivity of the NT object directory. The attacker FTPs three attack files to the victim: soundedt.exe, editwavs.exe and psxss.exe (the file names were chosen to make the attack more stealthy). The attacker then telnets to the victim and runs soundedt.exe. A new object called \??\c: is created in the NT object directory, linking to the directory containing the attack files. A POSIX application is started, activating the trojan attack file psxss.exe, which results in the logged-in user being added to the Administrators group. |
| crashiis | A single malformed HTTP request causes the web server to crash. |
| dict | Guess passwords for a valid user using simple variants of the account name over a telnet connection. |
| dosnuke | DoSNuke is a Denial of Service attack that sends Out Of Band data (MSG_OOB) to port 139 (NetBIOS), crashing the NT victim (the machine bluescreens). |
| eject | Buffer overflow using the eject program on Solaris. Leads to a user-to-root transition if successful. |
| framespoofer | Data attack where the attacker sends a fake email to the victim directing the victim to a trusted web site. When the user clicks the link in the email, it actually runs a JavaScript that brings up the trusted web site but then inserts a malicious web page into one of its frames. The URL displayed in the browser remains unchanged. |
| ffb | Buffer overflow using the ffbconfig UNIX system command; leads to a root shell. |
| format | Buffer overflow using the fdformat UNIX system command; leads to a root shell. |
| ftp-write | A remote FTP user creates a .rhost file in a world-writable anonymous FTP directory and obtains a local login. |
| guest | Try to guess the password for the guest account via telnet. |
| httptunnel | There are two phases to this attack. Setup: a web "client" is set up on the machine being attacked and configured, perhaps via crontab, to periodically make requests to a "server" running on a non-privileged port on the attacking machine. Action: when the periodic requests are received, the server encapsulates commands to be run by the "client" in a cookie, for example "cat /etc/passwd". |
| imap | Remote buffer overflow via the IMAP port; leads to a root shell. |
| insidesniffer | A probe attack in which the attacker gains access to the physical network and adds a host that is then used to sniff network traffic, perhaps allowing the collection of passwords or other data from any traffic flowing on that network segment. The attack can be carried out in a stealthy manner, in which DNS lookups are disabled, or in a clear manner, in which the sniffer uses DNS to resolve the names of IPs as it sniffs them. |
| ipsweep | Surveillance sweep performing either a port sweep or a ping on multiple host addresses. |
| land | Denial of service where a remote host is sent a UDP packet with the same source and destination. |
| ls_domain | A probe attack in which the attacker uses "nslookup", setting the server to the victim's DNS server, to list all hosts/IPs within that domain name. This attack may be followed by a probe of all of those IPs/hosts. |
| loadmodule | Non-stealthy loadmodule attack which resets IFS for a normal user and creates a root shell. |
| mailbomb | A Denial of Service attack where the attacker sends the mail server many large messages for delivery in order to slow it down, perhaps effectively halting normal operation. |
| ncftp | An R2L attack which exploits a bug in a particular version of ncftp, the popular FTP client. A user on the victim host FTPs to the attacker's machine and attempts to recursively download a directory. Contained in that directory is a directory with a very long name; embedded in the name are one or more commands that are then (unintentionally) executed by the FTP client with the permissions of that user. |
| neptune | SYN flood denial of service on one or more ports. |
| netbus | Remote-to-local (NT) attack with the potential to be a remote-to-root attack. The attacker must install the NetBus server on the victim's machine, either by emailing a trojan horse to the victim or by sitting down at the victim's console. Once the server is installed, the attacker can use the NetBus client remotely to do almost anything: upload/download files, run programs, etc. The attacker's access privileges are identical to those of the user currently logged on to the victim machine, so if an admin is using the victim, the attacker can run an adduser command to set up a new admin user, making it a remote-to-root attack. Can also be used as a probe attack to scan IP addresses for NetBus servers. |
| netcat | NetCat is a Remote to Local attack against NT. The attacker uses a trojan to install and run the netcat program on the victim machine on a specific port (53). Once netcat is running, it acts as a backdoor: the attacker can remotely access the machine through the netcat port without a username or password. |
| nmap | Network mapping using the nmap tool. The mode of exploring the network varies; options include SYN. |
| ntfsdos | An R2L/Data attack in which the attacker gains access to the console of a Windows NT machine and boots the machine off a floppy disk. The floppy contains a program (ntfsdos) which mounts the machine's disk drives without the NT access protections, so the attacker can (and does) copy secret files to the floppy. The machine is then rebooted normally. |
| ntinfoscan | A process by which the attacker scans an NT machine for information about its configuration, including FTP services, telnet services, web services, system account information, file systems and permissions. |
| perlmagic | Perl attack which sets the user ID to root in a Perl script and creates a root shell. |
| phf | Exploitable CGI script which allows a client to execute arbitrary commands on a machine with a misconfigured web server. |
| pod | Denial of service: ping of death. |
| portsweep | Surveillance sweep through many ports to determine which services are supported on a single host. |
| ppmacro | This Remote to Local attack uses a trojan PowerPoint macro to read secret files. The attack is based on a particular scenario: the victim user usually receives PowerPoint templates from an outside source as email attachments. He runs a built-in macro which inserts a graph displaying web statistics, saves the presentation as a .ppt file, and posts it on the web. |
| ps | Ps takes advantage of a race condition in the ps command in Solaris 2.5, allowing a user to gain root access. |
| queso | A probe that consists of 7 packets, whose purpose is to identify the operating system and version of a particular host. It can be run successfully against many different host types. |
| resetscan | ResetScan sends reset packets to a list of IP addresses in a subnet to determine which machines are active. If there is no response to the reset packet, the machine is alive. If a router or gateway responds with "host unreachable", the machine does not exist. |
| rootkit | Multi-day scenario where a user installs one or more components of a rootkit. |
| satan | Network probing tool which looks for well-known weaknesses. Operates at three different levels; level 0 is light. |
| sechole | The attacker logs on to the NT machine as a normal user. He then runs the secHole program, which manipulates an API function and executes a DLL that adds the user to the Administrators group. The attacker may have to reboot if the system locks up. |
| secret | A data attack in which either a valid user accesses the "secret" (/home/secret/*) data in a manner not in accordance with the security policy, or an attacker or invalid user accesses the data at all. This is described in more detail in the security policy for the 1999 Offline Evaluation. |
| selfping | A denial of service attack in which a local user on a Solaris 2.5.1 machine can ping the localhost in such a way as to cause the machine to crash and subsequently reboot. |
| sendmail | The Sendmail attack exploits a buffer overflow in version 8.8.3 of sendmail and allows a remote attacker to execute commands with superuser privileges. By sending a carefully crafted email message to a system running a vulnerable version of sendmail, intruders can force sendmail to execute arbitrary commands with root privilege. |
| smurf | Denial of service ICMP echo reply flood. |
| sqlattack | A U2R attack where a user makes a TCP connection to the SQL database server on the Linux machine, issues a special escape sequence to exit the database shell, then enters and runs the perlmagic script to obtain a root shell. |
| sshprocesstable | A denial of service very similar to the standard "processtable" attack, but directed against the sshd server daemon. The goal is to make sshd unable to spawn children to handle incoming SSH requests. |
| sshtrojan | An R2L attack where the attacker tricks a system administrator into installing a trojan version of the sshd server which has a back door embedded in the binary. Subsequent instances of the sshtrojan attack involve exercising this backdoor. |
| syslog | Denial of service against the syslog service: connects to port 514 with an unresolvable source IP. |
| tcpreset | A Denial of Service where the attacker, generally sitting on the same subnet as the victim, resets any TCP connections that it sees go through the handshake phase with the victim. To do this it spoofs the victim's IP on the reset packets. |
| teardrop | Denial of service where mis-fragmented UDP packets cause some systems to reboot. |
| warez | User logs into an anonymous FTP site and creates a hidden directory. |
| warezclient | Users downloading illegal software which was previously posted via anonymous FTP by the warezmaster. |
| warezmaster | Anonymous FTP upload of warez (usually illegal copies of copyrighted software) onto an FTP server. |
| yaga | User-to-root attack that creates a new user in the Administrators group by hacking the registry. The attacker edits the victim's registry so that the next time a system service crashes on the victim, a new admin user is set up. To set up the attack, the attacker must put three files on the victim machine: a file containing the new user info, a file with the registry edit info, and a batch file to set up the new user. The attacker must also edit the registry. All this can be done via a telnet session or by physically accessing the victim machine. Once the setup is complete, the attacker can remotely crash a service on the victim machine (using crashIIS, for example) to set up the new admin user. |