Untitled

a guest
Jun 7th, 2011
  1. ~Fox: So, today's class is to bring you low-life shitbirds out of the 4chan dregs of the Low Orbit Ion Cannon
  2. [18:32:02] ~Fox: the internet equivalent of shaking your dick at someone.
  3. [18:32:12] MrBlue (~MrBlue@LulzCo-D0CBE354.ias.bredband.telia.com) joined the channel.
  4. [18:32:29] ~Fox: Hopefully by the end of this class you will have attained the knowledge to turn your dick into a godzilla like wrecking ball of destruction.
  5. [18:32:42] %LordKitsuna: XD fox have i ever said how much i love the way you talk
  6. [18:32:58] ~Fox: So before I see a mass spam of PMs for "AMG WHATS THIS" blah blah blah
  7. [18:33:03] ~Fox: I'm gonna teach you the basics.
  8. [18:33:39] ~Fox: Distributed Denial of Service is the act of taking an internet connection down by an overwhelming amount of information being thrown at the box.
  9. [18:33:44] ~Fox: This can be one packet.
  10. [18:33:49] ~Fox: Or It can be billions.
  11. [18:33:55] ~Fox: * Denial of Service
  12. [18:34:06] ~Fox: As long as the host is down, that's all that matters.
  13. [18:34:25] ~Fox: Distributed obviously speaks for itself in the fact that multiple assets are used in order to take a target down.
  14. [18:34:35] Gralon (~ho@LulzCo-F12D6B72.ip.telfort.nl) left IRC. (Ping timeout: 240 seconds)
  15. [18:34:35] ~Fox: Now lets move on to the basics of types of attacks.
  16. [18:34:49] ~Fox: Syn Flood.
  17. [18:35:46] ~Fox: A syn flood is a shitload of TCP/SYN packets with forged sender addresses; these are handled by the target as an incoming connection request, which causes the server to open a connection without receipt
  18. [18:36:12] atriox (~dicks@LulzCo-99D4CD75.tcso.qwest.net) left IRC. (Ping timeout: 240 seconds)
  19. [18:36:20] ~Fox: The victim will send out a TCP/SYN-ACK and wait for a response that will never come
  20. [18:36:36] ~Fox: So essentially lets say we have a 10mb pipe right?
  21. [18:37:46] ~Fox: Lets say that pipe can keep 1,000,000 connections open at a given time
  22. [18:37:59] ~Fox: We have 1,000 computers doing 1,000 connections
  23. [18:38:02] ~Fox: Do the math.
  24. [18:38:10] ~Fox: Side note for added Lulz:
  25. [18:38:23] +darkspline: are those accurate metrics Fox?
  26. [18:38:28] ~Fox: Vaguely.
  27. [18:38:30] +darkspline: k
  28. [18:38:33] ~Fox: You know when it's fucking down
  29. [18:38:53] ~Fox: but guesstimated, yeah a 1,000 bot net will rock the fuck out of any home connection
  30. [18:38:56] ~Fox: Unless you suck dick.
  31. [18:39:10] %eax: unless your bot sucks dick
  32. [18:39:17] ~Fox: LIST OF AWESOME IP ADDRESSES TO SPOOF FROM: http://www.uaff.info/militarytracking.htm
  33. [18:39:23] +YaHMan: or they are rich and pay for 1gbps line?
  34. [18:39:37] ~Fox: YaHMan I've lived a lot of places, 1gbps is rare.
  35. [18:39:39] ~Fox: Anyways.
  36. [18:39:45] rj (~rj@LulzCo-D9D2F7FF.shadowbots.com) left IRC. (Ping timeout: 240 seconds)
  37. [18:39:47] +YaHMan: true.
  38. [18:40:03] ~Fox: Moving along to ICMP floods.
  39. [18:40:04] %LordKitsuna: Fox, what is used to say how many connections the pipe can take? the pipe itself or the equipment on the other end, my router says it has a (theoretical) max of 160,000
  40. [18:40:24] +AnalTouring: LordKitsuna: that doesn't matter for SYN.
  41. [18:40:32] ~Fox: +1 analtouring
  42. [18:40:35] +AnalTouring: LordKitsuna: only the amount of 60 byte packets you can send a second does.
  43. [18:40:50] +AnalTouring: Now, why those military ranges should be the source address.
  44. [18:40:59] +AnalTouring: The server replies to a SYN packet with an ACK Packet remember?
  45. [18:41:12] +AnalTouring: It sends the ACK Packet to the source address: it DDOS's the FBI.
  46. [18:41:18] +AnalTouring: Meaning the server owner gets v&.
  47. [18:41:49] hate (~user@LulzCo-706F91F1.formlessnetworking.net) joined the channel.
  48. [18:42:06] +YaHMan: Does this method work for all servers(providing you have the bw)?
  49. [18:42:13] +AnalTouring: YaHMan: yes.
  50. [18:42:17] +YaHMan: k thx.
  51. [18:42:49] ~Fox: ICMP floods are something that someone I dont know who asked about
  52. [18:43:04] ~Fox: there are other variations that if memory serves me are dead and gone,
  53. [18:43:18] ~Fox: but ICMP is essentially a simple 'ping ' flood.
  54. [18:43:26] +darkspline: there are always new ones though
  55. [18:43:40] ~Fox: There are always new ones but Ping of Death don't really apply now does it.
  56. [18:43:48] ~Fox: TearDrop either.
  57. [18:44:52] Fox kicked darkspline from the channel. (nigga what you know about DDOS.)
  58. [18:45:00] ~Fox: Anyways.
  59. [18:45:13] +t: icmp is generally the most common because its in most of the public bots that most of the skids use and also is one of the easier ones to stop because without custom coding it cannot be spoofed
  60. [18:45:34] darkspline (~darksplin@LulzCo-E5B1D91D.dyn.optonline.net) joined the channel.
  61. [18:45:41] +t: so you can just tell your router to drop the packets
  62. [18:46:06] ~Fox: +t. Wrong. ICMP floods by a competent network administrator can be blocked fairly easily.
  63. [18:46:25] +t: thats what i said
  64. [18:46:30] +t: is one of the easier ones to stop
  65. [18:46:46] ~Fox: ^^ router
  66. [18:47:00] ~Fox: I'm talking iptables and a bash script
  67. [18:47:17] +t: mmmhhmmm
  68. [18:47:26] ~Fox: In a DC environment you most likely won't have that luxury of being able to write your own router rulesets.
  69. [18:47:32] ~Fox: Anyways moving along down the line.
  70. [18:47:55] ~Fox: Moving on to definitions for DDOS.
  71. [18:48:01] ~Fox: Command and Control.
  72. [18:48:10] %eax: fox: forgot udp
  73. [18:48:20] +AnalTouring: eax: stfu
  74. [18:48:37] +AnalTouring: eax: i could name 20 more ddos methods that noobs dont need.
  75. [18:48:38] ~Fox: EAX I'll backtrack, niggers been interrupting and i'm fucking losing my little bit of organization.
  76. [18:49:01] Fox sets mode +h AnalTouring
  77. [18:49:02] ~Fox: Lol
  78. [18:49:06] ~Fox: I like that kid.
  79. [18:49:18] %eax: i like him too. anyways continue
  80. [18:49:20] MercWithTheMouth (~classvoid@LulzCo-D45C8D5B.hsd1.pa.comcast.net) left IRC. (Ping timeout: 240 seconds)
  81. [18:49:23] ~Fox: Once again, cardinal fucking rule
  82. [18:49:37] ~Fox: If you think I missed something, google it you lousy piece of shit, am I supposed to hand you everything?
  83. [18:49:38] ~Fox: Fuck.
  84. [18:49:47] +z3rod4ta: lol
  85. [18:49:54] %srwx: anyone got a wiki
  86. [18:49:57] Fox kicked z3rod4ta from the channel. (I know I'm funny.)
  87. [18:49:58] %srwx: that i can post in?
  88. [18:50:06] Fox kicked srwx from the channel. (Fuck you shut up asshat.)
  89. [18:50:12] ~Fox: ....
  90. [18:50:15] ~Fox: Anyone fucking else.
  91. [18:50:20] @garrett: y u so mad
  92. [18:50:37] ~Fox: Not :3
  93. [18:50:47] ~Fox: Anyways
  94. [18:50:47] z3rod4ta (~zerodata@LulzCo-E5943094.hsd1.ma.comcast.net) joined the channel.
  95. [18:50:51] ~Fox: COMMAND AND CONTROL.
  96. [18:51:05] ~Fox: This is the method in which you provide commands out to the 'nodes' within your network
  97. [18:51:15] ~Fox: Bots
  98. [18:51:32] %AnalTouring: (which you dont have, otherwise you wouldnt be here).
  99. [18:51:53] ~Fox: Boats, Nodes, Shells, Zombies, Drones, whatever. They're your soldiers. They are the weight to your big swinging dick.
  100. [18:52:06] ~Fox: (which obviously makes your internet dick a small little asian nothing.)
  101. [18:52:44] ~Fox: AnalTouring can you roll for a second
  102. [18:52:47] ~Fox: Grabbing a cigarette
  103. [18:53:08] %AnalTouring: Bots are computers that you owned through exploits or other means, or that other people gave to you to control.
  104. [18:53:39] %AnalTouring: These boxes can be used to send shit over the internet.
  105. [18:53:41] srwx (~zach@LulzCo-C17AE2F0.wks.liquidweb.com) joined the channel.
  106. [18:53:52] %AnalTouring: Imagine there's a dude you want to troll. you start shouting over his phone.
  107. [18:53:57] %AnalTouring: it doesn't work, you're shit out of luck.
  108. [18:54:08] %AnalTouring: now imagine a hundred people that you coerced into shouting at him around you.
  109. [18:54:14] %AnalTouring: DDOS with a botnet is kind of like that.
  110. [18:54:26] %AnalTouring: just a bunch more computers shouting at the server.
  111. [18:54:41] %AnalTouring: Everyone follow up till now?
  112. [18:54:52] +YaHMan: which is better. Lots of small nodes with low bw or a reasonable amount of nodes with huge bandwidth like servers and shit?
  113. [18:55:02] %AnalTouring: Small nodes, tons of them.
  114. [18:55:16] %AnalTouring: Because shutting down a node is relatively easy if it's a large (say .gov or .edu) domain.
  115. [18:55:29] %AnalTouring: 'cause admins of big sites don't want you to hax them.
  116. [18:55:42] %AnalTouring: it's kind of like the little kid trying to bully the big kid into doing shit for him.
  117. [18:55:52] %AnalTouring: and then zangief.jpg happens.
  118. [18:55:59] %LordKitsuna: stupid question, is it possible to take control of network nodes.. like the ones cable providers use to give service to people (those big fukkers buried in the ground)
  119. [18:56:13] %AnalTouring: Yes, technicall, tough not advisable
  120. [18:56:17] %AnalTouring: *technically.
  121. [18:56:24] %AnalTouring: and since you're in here, no fucking chance for you.
  122. [18:56:52] %AnalTouring: So, who of you are still awake?
  123. [18:56:58] YaHMan
  124. [18:57:00] +Shidash: I am
  125. [18:57:06] %eax: software you use is also important. almost any software out there currently is bug riddened and garbage
  126. [18:57:15] %AnalTouring: eax: later.
  127. [18:57:29] %eax: k
  128. [18:57:35] %AnalTouring: So, you now realize that you have to shout harder than the legit traffic to the server.
  129. [18:57:49] +t: you also have to watch what nodes you have for instance if you are hacking your "school" and it has 300 computers on it its not smart having all of the computers send out 2gigs worth of data you're gonna ddos the enternal network before it even gets to the target
  130. [18:58:04] %AnalTouring: Remember the SYN attack, where you could spoof the source address?
  131. [18:58:14] Fox sets mode -v t
  132. [18:58:46] %AnalTouring: Ok, now if you spoof the source address, the server thinks a packet is from ANOTHER host than it's actually sent from.
  133. [18:58:56] %AnalTouring: There is ONE MAJOR POINT i have to make about this so LISTEN THE FUCK UP.
  134. [18:59:08] %AnalTouring: do NOT TRY THIS BEHIND A ROUTER. CHECK IF YOUR ISP allows spoofing.
  135. [18:59:22] %AnalTouring: Because otherwise this WILL NOT WORK and you WILL BE V&.
  136. [18:59:31] %AnalTouring: (most isps allow spoofing)
  137. [18:59:34] ~Fox: VANNED = ARRESTED.
  138. [18:59:45] %AnalTouring: So, check if you have a router in your cabinet, if you do, spoofing will not work
  139. [19:00:04] +YaHMan: Is there anyway of turning it off in routers? like custom firmware?
  140. [19:00:11] %AnalTouring: no.
  141. [19:00:15] +YaHMan: kk
  142. [19:00:23] %LordKitsuna: another stupid question: what happens if you spoof your address to the address of the target? how does the target respond?
  143. [19:00:25] %AnalTouring: It's nat OR ip address translation that does this.
  144. [19:00:40] %AnalTouring: LordKitsuna: not effective, it'd send it locally.
  145. [19:01:05] %AnalTouring: Like pinging 127.0.0.1, really fast, but does shit all for wasting bandwidth.
  146. [19:01:19] %AnalTouring: Ok, to see if you are BEHIND a NAT, go to start=>run=>type cmd and hit enter
  147. [19:01:22] %AnalTouring: you now see a black screen.
  148. [19:01:26] %AnalTouring: type ifconfig.
  149. [19:01:39] %AnalTouring: if your IP is in the 192.168.0.xxx range, congratulations, you have a router.
  150. [19:01:48] %AnalTouring: (thus cant do this shit).
  151. [19:01:50] ~Fox: And you are a complete faggot for not knowing this.
  152. [19:02:02] %AnalTouring: Now, everyone follow?
  153. [19:02:04] %eax: ipconfig*
  154. [19:02:11] %LordKitsuna: dont mean to be to rude, but if you dont know you have a router idk if you should be in here
  155. [19:02:12] %AnalTouring: thnx eax.
  156. [19:02:24] %AnalTouring: LordKitsuna: probably not, but this is damn important
  157. [19:02:52] %AnalTouring: Ok, i'll assume everyone followed up till here.
  158. [19:02:52] %LordKitsuna: true
  159. [19:03:08] notacop_honest (~amnesia@2310E577.8E384C6C.DD213F82.IP) joined the channel.
  160. [19:03:12] %AnalTouring: Now you can send packets, or SAY SHIT to a server, and it thinks it's from another server, comprendre?
  161. [19:03:14] Fox sets mode +v bizzylulz
  162. [19:03:30] +Shidash: yes
  163. [19:03:32] %AnalTouring: Now there are servers out there, that will reply with a BIGGER Message than you sent to it.
  164. [19:03:43] +YaHMan: DNS servers?
  165. [19:03:49] %AnalTouring: Exactly.
  166. [19:04:00] %AnalTouring: That bigger message of course consumes more bandwidth.
  167. [19:04:06] %AnalTouring: Which is what you're trying to achieve, remember?
  168. [19:04:50] %AnalTouring: Ok, so you have a DNS server, which is a server that resolves website addresses to a computer address.
  169. [19:05:15] %AnalTouring: If it is recursive (there are tools to check this, GOOGLE IT FAGGOT), it is easy to get a much bigger reply from it than the packet you sent.
  170. [19:05:20] %AnalTouring: this multiplication factor is up to 60 times.
  171. [19:05:24] %AnalTouring: making you re-penis 60 times bigger.
  172. [19:05:29] %AnalTouring: HOW DOES THAT SOUND TO YOU?
  173. [19:05:37] +i0dine: FANTASTIC
  174. [19:05:40] +YaHMan: l33t
  175. [19:05:51] %AnalTouring: Now: we have a server that sends huge packets back.
  176. [19:05:57] %AnalTouring: We have a way to spoof a source ip address.
  177. [19:06:00] %AnalTouring: Let's combine the two.
  178. [19:06:09] %AnalTouring: We send a small packet to the server, with as source the IP of the server we want to DDOS.
  179. [19:06:20] %AnalTouring: BOOM 60* the traffic you send to it goes to the server.
  180. [19:06:29] %AnalTouring: Server pukes, craps its guts out and dies
  181. [19:07:04] %AnalTouring: There is a tool for windows out there to do this, it's called DHN.zip, most of the versions are infected by th3j35t3r, so if you download it, COMPILE IT YOURSELF (and remove its tor binary)
  182. [19:07:24] ElEzio (~ElEzio@LulzCo-204A77E4.torservers.net) joined the channel.
  183. [19:07:29] +YaHMan: could you use plain old dig on linux to do that?
  184. [19:07:48] %AnalTouring: Yup.
  185. [19:07:59] %AnalTouring: There's a fuckton of tools on linux to do that.
  186. [19:08:02] %AnalTouring: And it's fucking easy.
  187. [19:08:10] %AnalTouring: But if you use linux, you'll probably know by now how to do this.
  188. [19:08:47] %AnalTouring: Also, my keyboard is dying.
  189. [19:09:19] %AnalTouring: Now, everyone know how to compile DHN?
  190. [19:10:13] %AnalTouring: anyone still here?
  191. [19:10:17] +curi0us: no but i bet google does
  192. [19:10:20] +YaHMan: yea soz
  193. [19:10:25] eax doesnt have the source so meh
  194. [19:10:27] ~Fox: AnalTouring most are not voiced.
  195. [19:10:36] %AnalTouring: ok.
  196. [19:10:52] %AnalTouring: KEYBOARD IS RLY NEARLY DED.
  197. [19:10:56] +i0dine: I was just gunna refer to google if i found myself at a loss too : /
  198. [19:10:58] %AnalTouring: so if i stop typing, take over.
  199. [19:11:31] %AnalTouring: Ok, just go to 711chan/i/, download DHN from there if you're not sure.
  200. [19:11:38] %AnalTouring: the oldest post of DHN there is safe.
  201. [19:11:45] %AnalTouring: but ONLY THE OLDEST POST there.
  202. [19:12:28] %AnalTouring: DHN will do SYN and DNS SPOOFIN'.
  203. [19:13:05] %AnalTouring: Now that we've covered the most difficult basics, there's two more ways of ddosing that you need to know.
  204. [19:13:09] %AnalTouring: both are BEST DONE OVER TOR.
  205. [19:13:13] %AnalTouring: note that down.
  206. [19:13:22] %AnalTouring: #1: slowloris.
  207. [19:13:35] %AnalTouring: Slowloris is basically a mongloid talking to the server REALLY_SLOWLY.
  208. [19:13:48] %AnalTouring: Because it talks really fucking slowly, you can consume a ton of connections before it senses you're a mongloid.
  209. [19:14:03] %AnalTouring: Because it talks so slowly, it consumes little bandwidth.
  210. [19:14:15] %AnalTouring: Because it consumes so little bandwidth, you can use it over TOR.
  211. [19:14:20] %AnalTouring: everyone got that?
  212. [19:14:33] +YaHMan: ye
  213. [19:14:54] %AnalTouring: Ok, now just google slowloris and find yourself a version.
  214. [19:15:05] %AnalTouring: I think it originally came from ha.ckers? (might have been sla.ckers).
  215. [19:15:26] %AnalTouring: anyways. important option for ddos #2: consuming server CPU.
  216. [19:15:28] %eax: ha.ckers
  217. [19:15:33] %eax: google "slowloris.pl"
  218. [19:15:40] %AnalTouring: the cpu is like a hamster. you make it run fast enough, it shits itself and dies.
  219. [19:15:52] %AnalTouring: searches consume lots of cpu.
  220. [19:16:04] %AnalTouring: sometimes you can use SQLI or other techniques, and get a database timeout.
  221. [19:16:18] %AnalTouring: THOSE TIMEOUTS CAN SPELL THE DEATH OF A SERVER IF YOU HAVE A MILLION NIGGERS DOING THEM.
  222. [19:16:28] %AnalTouring: this is also best done over TOR. (or your chinese botnet)
  223. [19:16:42] %AnalTouring: basically, that's how you ddos servers.
  224. [19:17:01] %AnalTouring: syn, dns spoofing, slowloris or attacking the database.
  225. [19:18:00] %AnalTouring:
  226. [19:18:06] %AnalTouring: so, summary: dns spoof if you can.
  227. [19:18:06] +YaHMan: would attacking the nameservers achieve much?
  228. [19:18:17] %AnalTouring: YaHMan: depends on the network, most of the times no.
  229. [19:18:34] +YaHMan: k
  230. [19:18:47] %AnalTouring: So, now that you have a bigger e-penis, you're eager to fuck something in the ass.
  231. [19:18:54] %AnalTouring: remember your internet condoms kids (proxy, tor).
  232. [19:19:14] %AnalTouring: But what would you fuck in the ass? Obviously the easiest target. You're not going after the marathon runner are you?
  233. [19:20:00] %AnalTouring: The general idea is to google "sites by ip address" or something similar, get one of the search engines, see if there's more than one site on that server.
  234. [19:20:11] %AnalTouring: If yes: see if there's one with a CPU intensive search page.
  235. [19:20:35] ~Fox: Moment.
  236. [19:20:40] ~Fox: yougetsignal.com
  237. [19:20:43] %AnalTouring: If no: see if the company has a financial/database backend and ddos that (if you cant find it, dns spoof the frontend)
  238. [19:20:43] +i0dine: I manually searched and googled, but I can't find the file you're referring to "Your search - site:711chan.org DHN - did not match any documents." Anyone else find it? Also, when a search comes back with an sql timeout, it can most likely be taken down by distributing that search?
  239. [19:21:00] %AnalTouring: i0dine: yes.
  240. [19:21:07] +curi0us: i couldnt find it either
  241. [19:21:28] %AnalTouring: Fox: take over for a few seconds please.
  242. [19:21:31] ~Fox: Sure
  243. [19:21:33] %AnalTouring: i'll b back in a moment.
  244. [19:21:36] ~Fox: So anyways
  245. [19:21:41] ~Fox: Sites by IP address
  246. [19:21:48] ~Fox: lets say for instance that your target is fuckboy.com
  247. [19:21:56] ~Fox: right?
  248. [19:22:03] ~Fox: so what we're gonna do is ping fuckboy.com
  249. [19:22:06] AnalTouring (~Nigr0@alt.zionism) left IRC. (Remote host closed the connection)
  250. [19:22:09] eax sets mode +v str4d
  251. [19:22:32] ~Fox: Now
  252. [19:22:38] ~Fox: we get an ip of 1.2.3.4
  253. [19:22:50] ~Fox: now we're gonna put that into the yougetsignal page and get a return of:
  254. [19:22:52] ~Fox: fuckboy.com
  255. [19:22:58] ~Fox: BYATniggaz.com
  256. [19:23:05] eax sets mode +v zone
  257. [19:23:07] ~Fox: vuvuzelawhateverthefuckitscalled.com
  258. [19:23:14] +YaHMan: shared hosting?
  259. [19:23:17] ~Fox: and ohshitthissitewasREALLYpoorlycoded.com
  260. [19:23:42] ~Fox: That would indicate either a shared hosting environment, or a dedicated server depending on some of the hostnames found within that search.
  261. [19:23:55] dominus (deep@LulzCo-6D0FF491.dhcp.reno.nv.charter.com) joined the channel.
  262. [19:24:06] ~Fox: IF you're really trying to be crafty you can try and find out what blocks of IPs were assigned to that server.
  263. [19:24:29] ~Fox: Usually if you're finding a main IP you'll find it in sets of /28's-/24's
  264. [19:25:15] ~Fox: Anyways
  265. [19:25:17] AnalTouring (~Nigr0@alt.zionism) joined the channel.
  266. [19:25:26] ~Fox: moving along from this we find that ohshitthissitewasREALLYpoorlycoded.com
  267. [19:25:43] eax sets mode +v AnalTouring
  268. [19:25:58] ~Fox: has a vulnerability that we can use by sending our bots to: ohshitthissitewasREALLYpoorlycoded.com/search.php?q=OHFUCKDDOS%20OHFUCK
  269. [19:26:00] ~Fox: Right?
  270. [19:26:03] pRjck3vC (~qz5UMksT@88C5B530.CD918B2F.380801F2.IP) left IRC. (Remote host closed the connection)
  271. [19:26:13] Fox sets mode +h AnalTouring
  272. [19:26:15] %AnalTouring: Right.
  273. [19:26:21] pRjck3vC (~qz5UMksT@555E4E05.CD918B2F.380801F2.IP) joined the channel.
  274. [19:26:29] ~Fox: So at this point sending our bots to that address
  275. [19:26:36] ~Fox: would have the effect of a million nigger army.
  276. [19:27:01] ~Fox: Analtouring would you like to pick back up
  277. [19:27:51] ~Fox: Alright moving down the line
  278. [19:27:52] ElEzio (~ElEzio@LulzCo-204A77E4.torservers.net) left IRC. (Remote host closed the connection)
  279. [19:28:05] ~Fox: So we've sent our bots to that address and the host is down
  280. [19:28:17] ~Fox: since we've killed the connection that IP the box is DONE FOR
  281. [19:28:19] ~Fox: FUCK YEAH.
  282. [19:28:27] ~Fox: Wait... no it's not.
  283. [19:28:37] ~Fox: because it's not just ANY site, it's a round robin DNS.
  284. [19:29:15] ~Fox: So round robin DNS
  285. [19:29:26] ~Fox: is exactly what it sounds like if you're not a fuck-wit bitch boy.
  286. [19:29:44] %AnalTouring: http://forum.intern0t.net/perl-python/823-dns-amplification-attack-proof-concept.html dns amplify for linux.
  287. [19:29:57] ~Fox: Multiple servers handling DNS records for that site going to fail over boxes in the event that one is disabled.
  288. [19:30:04] ~Fox: So IE:
  289. [19:30:18] ~Fox: I take out DNS1 and DNS2 that point to Server 3
  290. [19:30:46] ~Fox: DNS1 and DNS2 had other records pointing to DNS 3 and DNS 4 in the event that DNS 1 and 2 aren't able to be talked to
  291. [19:30:54] ~Fox: DNS 3 and DNS 4 point to server 5.
  292. [19:31:16] ~Fox: This is a fairly complex setup but is a huge step in 'casing' a target before hitting it
  293. [19:32:02] ~Fox: Because at this point we'd have to test over server 5 and find a sure-fire way to ensure that both server 1 and server 5 are down at the same time making an effective distributed denial of service.
  294. [19:32:26] ~Fox: So now there is one more big-boy before we get into how you make yourself a net.
  295. [19:32:29] ~Fox: But before that
  296. [19:32:36] ~Fox: I'd really like to stress something to you kids.
  297. [19:32:57] ~Fox: DO NOT TAKE WHAT WE ARE TELLING YOU LIGHTLY
  298. [19:33:00] ~Fox: THIS IS NOT LOIC.
  299. [19:33:13] %AnalTouring: (and LOIC WILL GET YOU V&)
  300. [19:33:30] ~Fox: THIS IS THE DIGITAL EQUIVALENT OF SMASHING SOME FUCK IN THE NOSE WITH A MOSSBERG SHOTTY AND HOLDING THE GIRL AT GUNPOINT
  301. [19:33:39] ~Fox: This is digital shanghai.
  302. [19:33:53] +YaHMan: vpns are safe though right?
  303. [19:33:55] ~Fox: Don't fuck around here, this is stick-up boy shit. You will do the same time.
  304. [19:34:03] ~Fox: I'll get to that after we finish the types of attacks
  305. [19:34:07] +YaHMan: kk
  306. [19:34:42] ~Fox: Pay attention when I tell you how to protect yourself
  307. [19:34:50] ~Fox: If you get lazy, if you fucking slack
  308. [19:35:15] ~Fox: that one time will be the fucking time your traffic was monitored, you were connected to your network and you received a fucking thousand count case.
  309. [19:35:45] ~Fox: I've seen hundreds of people go down for this kind of shit, so wield it like you wield a gun, with precision, and with respect.
  310. [19:37:00] ~Fox: Anyways
  311. [19:37:12] %AnalTouring: Also, if there's any trace of your nick on google linking it to you. now would be the time to fix (erase) that.
  312. [19:37:12] ~Fox: Moving along to another type that I'm going to glance over
  313. [19:37:14] lighth0use (~shadow@LulzCo-10001504.tampabay.res.rr.com) joined the channel.
  314. [19:37:14] ElEzio (~ElEzio@2CB9EA0F.73CFA4EC.8A79DD07.IP) joined the channel.
  315. [19:37:21] DiggerNicks (~BallZack@Dick.Smash) joined the channel.
  316. [19:37:22] ~Fox: AnalTouring exactly.
  317. [19:37:35] Fox sets mode +vv lighth0use DiggerNicks
  318. [19:37:56] ~Fox: For those of you just joining, notes will be posted.
  319. [19:37:58] ~Fox: Just keep up.
  320. [19:38:00] ~Fox: Anyways,
  321. [19:38:21] ~Fox: Another type of service that was brought to my attention was buffer overflow.
  322. [19:38:28] ~Fox: This is another type of hardware overload.
  323. [19:38:37] %AnalTouring: *Software
  324. [19:38:43] ~Fox: Thank you.
  325. [19:38:54] %AnalTouring: And you DONT FUCKING DARE USING IT FOR DDOS.
  326. [19:39:00] %AnalTouring: IF YOU FIND ONE, SEND IT TO SOMEONE WHO KNOWS WHAT TO DO WITH IT.
  327. [19:39:09] ~Fox: Exactly.
  328. [19:39:10] %AnalTouring: BoF > DDos any time.
  329. [19:39:54] %LordKitsuna: Question: i assume thats what the little button in my router's security logs that says "prevent buffer overflow" is referring to?
  330. [19:40:07] somatose (~somatose@LulzCo-E964C21F.hsd1.ca.comcast.net) joined the channel.
  331. [19:40:08] %AnalTouring: different buffers.
  332. [19:40:35] +i0dine: Bofs seem like a pretty easy thing to defend against, are there really devs who let them slip? or am i thinking of them too simply
  333. [19:40:54] %AnalTouring: i0dine, have you ever written c/c++?
  334. [19:41:04] +str4d: i0dine: often they arise from software bugs rather than bad server configs.
  335. [19:41:09] %AnalTouring: it's non-trivial to write FAST and secure code.
  336. [19:41:14] +i0dine: yea, but not anything very web-related
  337. [19:41:25] +i0dine: okay
  338. [19:41:27] %AnalTouring: now, on using exploits.
  339. [19:41:34] %AnalTouring: you're not fucking likely to ever find one, that's why you're here
  340. [19:41:47] %AnalTouring: .instead you can use canned exploits, like those from milw0rm (it died, find another like exploit-db).
  341. [19:41:59] %AnalTouring: Exploits marked DoS are often a good start for a denial of service.
  342. [19:42:14] %AnalTouring: Use nmap -sV to check the server's software version, find an exploit.
  343. [19:42:19] %AnalTouring: If there's one, you're in luck.
  344. [19:42:28] s0n1cK (s0n1cK@9A8FB7ED.20D60A78.5E7E5896.IP) left IRC. (Quit: Leaving)
  345. [19:42:29] %AnalTouring: If there isn't one: back to step 1 and ddos normally.
  346. [19:43:05] %eax: (although if there is a BoF leading to DoS you can more than likely turn it into a code exec BoF)
  347. [19:43:08] %AnalTouring: http://www.exploit-db.com/ say my server runs apache 2.2.0, find me a Denial of service exploit for that server.
  348. [19:43:19] exo (47e61e8a@LulzCo-B1EA63A4.mibbit.com) left IRC. (Quit: http://www.mibbit.com ajax IRC Client)
  349. [19:43:34] %AnalTouring: JUST DO IT FGT.
  350. [19:43:37] %AnalTouring: Apache 2.2.0
  351. [19:44:26] eax found it :3
  352. [19:44:37] %AnalTouring: good.
  353. [19:44:42] %AnalTouring: at least one person who isn't a complete fuckwit.
  354. [19:44:45] %AnalTouring: anyone else find it?
  355. [19:44:57] +str4d: Yup.
  356. [19:45:09] %LordKitsuna: i can find for 2.2.14 but not 2.2.0
  357. [19:45:20] +YaHMan: then it will work for 2.2.0
  358. [19:45:24] +YaHMan: right?
  359. [19:45:24] %AnalTouring: 2.2.14 is bigger than 2.2.0 right?
  360. [19:45:32] %AnalTouring: that means that it'll probably work on 2.2.0
  361. [19:45:37] %LordKitsuna: oh ok then
  362. [19:45:39] %AnalTouring: but if you're not sure, READ THE FUCKING DOCUMENTATION.
  363. [19:45:54] %AnalTouring: I'm sure you all know what a computer emergency response team is.
  364. [19:46:02] %AnalTouring: Those are the dudes that will try to get you arrested when you fuck shit up.
  365. [19:46:10] %AnalTouring: Now, we're going to have a laugh, DONT DDOS ANYTHING.
  366. [19:46:16] %AnalTouring: Look at www.cert.be
  367. [19:46:25] %AnalTouring: nothing special right?
  368. [19:46:40] %AnalTouring: https://addons.mozilla.org/en-us/firefox/addon/server-spy/ WRONG.
  369. [19:46:45] %AnalTouring: now visit it with that firefox addon.
  370. [19:46:50] %AnalTouring: you will see it runs apache 2.2.0
  371. [19:46:53] %AnalTouring: you may now shit yourself laughing.
  372. [19:47:02] pRjck3vC (~qz5UMksT@555E4E05.CD918B2F.380801F2.IP) left IRC.
  373. [19:47:29] pRjck3vC (~qz5UMksT@B8976F23.CD918B2F.380801F2.IP) joined the channel.
  374. [19:47:42] %eax: (until you realize that the DoS for apache 2.2 is for windows with perl and is a local DoS)
  375. [19:47:50] %AnalTouring: Ok, so now that you know that there's a big probability of actually FINDING an exploit, you better get to know how to run them, and how to tell fake from non-fake exploits.
  376. [19:47:53] nonbit (~amnesia@3AA99AC5.50F87CEE.BEB00337.IP) joined the channel.
  377. [19:48:02] %AnalTouring: eax: you can use a mod_rewrite on this one though.
  378. [19:48:10] %eax: ah ok
  379. [19:48:27] %AnalTouring: http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html also cocks.
  380. [19:48:36] %AnalTouring: apache is the most well known web server, so remember those lists.
  381. [19:48:48] %AnalTouring: now that you know how to FIND exploits, you must learn how to USE them.
  382. [19:49:01] %AnalTouring: to USE them you must somewhat UNDERSTAND how they work, or at least how to run the code.
  383. [19:49:22] %AnalTouring: For that, teach yourself some basic programming skills.
  384. [19:49:42] %AnalTouring: As in "HOW DO I RUN PHP SCRIPTS GUISE?"
  385. [19:49:51] %AnalTouring: Google it and you'll find a million answers.
  386. [19:50:15] %AnalTouring: now
  387. [19:50:20] %AnalTouring: onto other ways of denial of service
  388. [19:50:26] %AnalTouring: one of my favorites, SQL Injection.
  389. [19:50:35] %eax: (most exploits are written in ruby, perl, python, and C)
  390. [19:50:38] %AnalTouring: yes SQL has built in DoS functionality, believe it or not!
  391. [19:51:02] %AnalTouring: http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_benchmark
  392. [19:51:16] %AnalTouring: ok, you might think that's harmless.
  393. [19:51:16] %AnalTouring: but that does something a million times.
  394. [19:51:23] %AnalTouring: now if that something is fucking slow.
  395. [19:51:27] %AnalTouring: like old people fuck.
  396. [19:51:35] %AnalTouring: that shit's going to make the server slow.
  397. [19:51:38] %AnalTouring: again, like old people fuck.
  398. [19:51:52] %AnalTouring: but omg how do i do this?
  399. [19:51:58] %AnalTouring: first you must know how to find a SQL Injection.
  400. [19:52:11] %AnalTouring: give me a few minutes to find you a practice target, while Fox continues.
  401. [19:52:47] %LordKitsuna: AnalTouring, we have a practice target for injections its japfap.ath.cx ` set it up a few days ago
  402. [19:53:04] %AnalTouring: Could you link me a page?
  403. [19:53:24] %eax: http://japfap.ath.cx/
  404. [19:53:25] %LordKitsuna: should be japfap.ath.cx/testshit
  405. [19:53:53] %AnalTouring: ALSO: WARNING PEOPLE, DO NOT VISIT LINKS FROM HERE WITHOUT A PROXY.
  406. [19:53:54] %AnalTouring: EVERYONE IN HERE COULD BE A FEDERAL AGENT WAITING TO SEND YOUR ASS TO JAIL
  407. [19:53:55] %AnalTouring: UNDERSTAND?