DARPA Intrusion Detection Evaluation
Stealthy Attacks
This is a description of all of the stealthy user-to-root attacks used in the evaluation. Each stealthy user-to-root attack consists of 6 stages:
- Encoding: how the attack is packaged/encrypted
- Transport: how the attack gets to the victim machine
- Decoding: how the attack is unpackaged/decrypted
- Execution: how the exploit is run
- Actions: what actions the attacker performs after running the exploit
- Cleanup: how the attacker cleans up after himself
For the listfile entries of each attack as well as a more detailed description of what happened and why it was stealthy, follow the link of the ID number of an attack.
For a brief description of how a particular exploit works, follow the link of the attack name.
The attacks with the dark grey background failed and participants were not scored on them. However, they are included to show the spectrum of stealthy attacks that are possible. False Alarms incurred by intrusion detection systems due to artifacts of these failed attacks were marked and ignored in the 1999 Evaluation scoring procedure.
| ID # | Name | Dest. | Encoding | Transport | Decoding | Execution | Actions | Cleanup |
| 41.084031 | ps | 172.16. 112.50 |
tar; scripts | web (netscape) | tar; compile exploits | shell script runs 3 exploits | chmod secret file. cat secret file to screen | shell script runs 3 exploits to restore permissions; removes files |
| 42.104107 | loadmodule | 172.16. 113.50 |
- | vi | - | use of shell variables to mask commands in script | append to a secret file | removes files |
| 43.083229 | eject | 172.16. 112.50 |
octal character representation of binaries | ftp | echo -n | SSH. 1st session decodes; 2nd session runs 2 exploits | chmod and add line to /etc/hosts | restore permissions on /etc/hosts; remove files |
| 43.103931 | fdformat | 172.16. 112.50 |
binary (named ls) | floppy | - | ran exploit from floppy | cat /etc/passwd and /etc/hosts.equiv to screen | - |
| 51.103907 | fdformat | 172.16. 112.50 |
octal character representation of binaries | ftp | echo -n | SSH. 1st session decodes; 2nd session runs 2 exploits | chmod elmoc's .cshrc file; edit it to copy secret file when he logs in | restore permisssions on elmoc's .cshrc; remove exploits |
| 51.120309 | loadmodule | 172.16. 113.50 |
- | vi | - | generate junk output in background by running ls; file globbing; command history; shell variables execute script | rm abramh's home dir | remove files |
| 52.112045 | ps | 172.16. 112.50 |
tar; scripts | web (netscape) | tar; compile exploits | at job; shell script runs 3 exploits | chmod and copy secret file to user's home dir | shell script runs 3 exploits to restore permissions; removes files |
| 52.125501 | eject | 172.16. 112.50 |
binaries | ftp | - | shell script runs 1exploit | chmod /etc/shadow; mail /etc/shadow | shell script runs 1 exploit to restore permissions; removes files |
| 53.133203 | perl | 172.16. 114.50 |
text encrypted with AB b/t characters | vi | perl | shell script to run commands | erase a file in /home/geoffp | remove files |
| 53.155432 | ffbconfig | 172.16. 112.50 |
uuencode; tar; binaries | uudecode; tar |
use of shell variables to run 1 exploit | chmod avrap's home dir; removes a file | shell script runs 1 exploit to restore permissions; removes files | |
| 53.175720 | ffbconfig | 172.16. 112.50 |
uuencode; tar; binaries | uudecode; tar | SSH. Shell script to run 1 exploit | copy /etc/shadow to lanaa's home dir | shell script runs 1 exploit to restore permissions; removes files | |
| 54.082003 | ps | 172.16. 112.50 |
binary | floppy | - | copied exploit onto machine; compiled exploit; ran it | copied /etc/shadow to user's home dir | - |
| 55.123412 | sqlattack | 172.16. 114.50 |
text encrypted with XX b/t characters | vi | perl | shell script to run commands | deleted files in /home/tristank/ working/ |
top of page