GulfTech Computers - Professional Computer Services  

Net Send - Windows Messenger Explained

Description : "Using the Messenger Service in Windows gives you varying results that depend on the command options or interface you use to send messages. The method you use determines whether the message is a local Broadcast or a directed datagram, and to which NetBIOS name the message is to be sent." More info located here.
 

Problems

Flooding : net send has a very large potential for flooding, and even for a DoS attack of sorts. The problem stems from the fact that, by default, no limit is set on the number of messages that can be sent. This means that you can send 100 messages to an entire domain if that domain has the Messenger service enabled. This is especially annoying because you cannot stop the messages by logging out, and must reboot. Also, the message windows cannot be minimized, and remain in focus no matter what. Consider the following code examples.

	
    # Example 1
    while () {
        system("net send /domain:annoyednet message here");
    }

    # Example 2
    while () {
        system("net send * put your message here");
    }

    # Example 3
    $bigmsg = "something" x 1000;
    while () {
        system("net send * $bigmsg");
    }
	

The first example sends an infinite number of messages to a specified domain. The second does the same thing, but sends the message loop to all registered users of the local domain. The third does the same thing as the second, but sends a very large message. I do believe that there is a limit on the size of the message sent, but I do not know an exact size, or number of characters. Needless to say, though, any of these blocks of code left repeatedly executing on a machine could cause a DoS of sorts, possibly forcing a reboot of the entire network. Also, the message source, which is the NetBIOS name of the machine sending the message, can be spoofed, as seen in the next section of this paper, making it harder to stop the attack and/or identify the attacker or machine.

Spoofing : Because the sender's name is the local NetBIOS name, it can be spoofed using the following:

NetMessageBufferSend( hosttosend, msgname, spoofedname, message, msgelen );

A user by the name of Droby10 has written a simple program that uses this to easily spoof the name of the sender via the command line. This can be used to send spam more anonymously, to possibly trick a user or admin into changing some info (e.g. their password) by posing as someone on their network, or to execute a hard-to-trace flood attack.

Spamming : After reading the info above you should be able to see how a spammer can use the aforementioned methods to send you unsolicited pop-up messages advertising their latest product or website. To make things even worse, there is now a program called Direct Advertisor that lets spammers bulk send messages over an IP range to unsuspecting users. More information on the way spammers use "net send" to deliver their unsolicited messages can be found here.


Solutions

Firewall : Most firewalls, including the Windows XP firewall, block these messages from getting through to you.

Disabling The Service : To disable the service completely, complete the following steps:

1) Open the Control Panel and click on Administrative Tools and then Services
2) Now find the service by the name of "Messenger" and click "Stop The Service"
3) You can also disable it completely by double clicking the name "Messenger" in the list and selecting "startup type : disabled"
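
The same steps can be scripted and verified on several machines at once. The script below is an added example, not part of the original article; it assumes Windows PowerShell with WMI access and administrative rights on each target, and the host list is a constructed placeholder.

```powershell
# Added example: stop and disable the Messenger service, then verify.
# Run elevated. $targets is a constructed placeholder list of host names.
$targets = @('localhost')

$report = foreach ($t in $targets) {
    $filter = "Name='Messenger'"
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $t `
               -Filter $filter -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Host unreachable, or the service does not exist on this Windows version.
        New-Object PSObject -Property @{
            Computer = $t; State = 'n/a'; StartMode = 'n/a'
            Result = 'service not found or host unreachable' }
        continue
    }

    $notes = @()
    if ($svc.State -ne 'Stopped') {
        # Step 2 of the GUI procedure: stop the running service.
        $rc = $svc.StopService().ReturnValue
        if ($rc -ne 0) { $notes += "StopService returned $rc" }
    }
    if ($svc.StartMode -ne 'Disabled') {
        # Step 3: startup type "Disabled" so it stays off after a reboot.
        $rc = $svc.ChangeStartMode('Disabled').ReturnValue
        if ($rc -ne 0) { $notes += "ChangeStartMode returned $rc" }
    }

    # Re-read the service rather than trusting the return codes.
    Start-Sleep -Seconds 2
    $now = Get-WmiObject -Class Win32_Service -ComputerName $t -Filter $filter
    if ($now.State -eq 'Stopped' -and $now.StartMode -eq 'Disabled') {
        $notes += 'OK'
    } else {
        $notes += 'NOT hardened'
    }
    New-Object PSObject -Property @{
        Computer = $t; State = $now.State; StartMode = $now.StartMode
        Result = ($notes -join '; ') }
}

$report | Select-Object Computer, State, StartMode, Result | Format-Table -AutoSize
```

Any row whose Result is not "OK" still needs attention, either because the host could not be reached or because the service is still running or still allowed to start.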


Tools

Net Send Flooder :
Used to send mass "net send" commands to a specified user, domain or network.

Net Send Spoofer :
Same as above with the option to spoof the source (sender of the message)



Thanks For Reading :)

JeiAr




© Copyright 2002 - GulfTech Computers, All Rights Reserved