
How Hackers Cover Their Tracks
ECE 4112, May 1st, 2007. Group 1: Chris Garyet, Christopher Smith.
Presentation transcript:


Slide 1: Aktueller Status. How Hackers Cover Their Tracks
ECE 4112, May 1st, 2007. Group 1: Chris Garyet, Christopher Smith.
Agenda: Introduction, Lab Content, Conclusions, Questions.

Slide 2: Introduction
- This lab presents the techniques hackers use to cover their tracks.
- Most experienced blackhats follow a series of steps to compromise a system:
  1. Probe the network for weak links through a proxy server.
  2. Use direct or indirect methods.
  3. Ensure the system is not a honeypot.
  4. Disguise and hide the mischievous software.
  5. Cover tracks by editing log files.
- With this knowledge a system administrator can easily discover the intrusion and attempt to trace the hacker.

Slide 3: Section 1: Proxies (Background)
- Hackers want to attack anonymously.
- They utilize SOCKS 4 or SOCKS 5 proxy servers, generally chained together and encrypted.
- Tor: http://tor.eff.org/index.html.en
- Proxychains: http://proxychains.sourceforge.net/
- Lab layout: RedHat 7.2 communicating through RedHat WS 4, connecting to an Apache web server.

Slide 4: Section 1: Proxies. Exercise 1.1 (simulates a SOCKS proxy using SSH)
- Create the SSH tunnel: ssh -N -D 7001 57.35.6.x
- Set up Netscape to use the local SOCKS port.
- Connect to the Apache web server: 138.210.237.99
- Run Nmap through the proxy.

Slide 5: Section 2: Honeypot Detection (Background)
- A honeypot system is a trap for malicious hackers.
- Two important types: low-interaction (Honeyd) and high-interaction (Honeynet).
- Most honeypots use VMware to emulate multiple systems on one computer.
- The lab examines how to detect that VMware is running on the compromised machine.

Slide 6: Section 2: Honeypot Detection
- Website devoted to honeypot detection: http://www.trapkit.de/tools/index.html
- Scoopy_doo: checks the target machine's register values against known VMware values; runs in Linux and Windows.
- Jerry: uses the I/O backdoor in the VMware binary and examines the value of register EAX.

Slide 7: Section 3: Hiding Files (Background)
- Once a system has been compromised, the hacker must hide his presence.
- One way to do this is to hide the files the hacker uses to exploit the target machine.
- Linux and Windows machines have different file systems and thus require different hiding mechanisms.
- Undeletable folders are another nuisance administrators face: http://archives.neohapsis.com/archives/sf/ms/2001-q2/att-1116/01-THE-END-OF-DELETERS-v2.1.txt

Slide 8: Section 3: Hiding Files. Exercise 3.1 (Hiding Files in Linux)
- Hide files with the "." method.
- Hide files with ext2hide: http://e2fsprogs.sourceforge.net/ and http://sourceforge.net/projects/ext2hide/
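The "." method relies on names such as "...", ". " or names with stray whitespace blending in next to the real "." and ".." entries. The following check is an added example for the administrator's side and is not part of the lab; the name heuristic (SUSPICIOUS) is an assumption, and the directory tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Names made only of dots and whitespace (e.g. "...", ". ", ".. ") sit right next to
# the real "." and ".." entries in a listing and are the classic place to park a
# toolkit.  Leading or trailing whitespace in a name is flagged as well (assumed
# heuristic; ordinary dotfiles such as .bashrc are deliberately not flagged).
SUSPICIOUS = re.compile(r"^\.+\s*$|^\s|\s$")

def find_suspicious_names(root):
    """Walk a tree and return root-relative paths whose names look like hiding spots."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if SUSPICIOUS.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample tree: two dot-named directories and one trailing-space file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tmp", "..."))
    os.makedirs(os.path.join(root, "tmp", ". ", "kit"))
    os.makedirs(os.path.join(root, "home", "alice"))
    open(os.path.join(root, "home", "alice", ".bashrc"), "w").close()  # normal dotfile
    open(os.path.join(root, "tmp", "notes.txt "), "w").close()          # trailing space
    return root
```

Run it against / (or a mounted image) instead of the sample tree; names flagged inside /tmp, /dev and /var/tmp deserve the closest look.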

Slide 9: Section 3: Hiding Files. Exercise 3.2 (Hiding Files in Windows)
- Hide files with chmod properties.
- Hide files in an Alternate Data Stream in NTFS.

Slide 10: Section 4: Editing & Removing Log Files (Background)
- Log files can indicate that a machine has been compromised.
- They can also give away "trade secrets" and lead to exploit patches.

Slide 11: Section 4: Editing logs in Linux
- Linux logs can be modified with the proper tools.
- syslogd output is plain ASCII text and can be edited with any text editor.
- utmp, wtmp and lastlog are binary records and need a rootkit tool.
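Because wtmp is a fixed-size binary record file, the tools that edit it leave structural traces: overwritten records become all zeros, and removing a login leaves a logout with no matching login. The following checker is an added example from the administrator's side, not part of the lab; it assumes the glibc x86_64 struct utmp layout (384 bytes per record) and runs on a constructed sample file.

```python
import struct

# struct utmp as laid out by glibc on x86_64: 384 bytes per record, little-endian.
# Field order follows <utmp.h>: ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host,
# ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6, 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8

def pack_record(ut_type, pid, line, user, host, ts):
    """Build one record; used here only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"")

def parse_wtmp(data):
    """Decode every complete 384-byte record into a small dict."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "ts": f[9],
                     "line": f[2].rstrip(b"\0").decode(errors="replace"),
                     "user": f[4].rstrip(b"\0").decode(errors="replace")})
    return recs

def find_tampering(data):
    """Return (record index, reason) for entries that look wiped or inconsistent."""
    findings = []
    open_lines = set()  # ttys with a login seen but no logout yet
    for i, r in enumerate(parse_wtmp(data)):
        if r["type"] == EMPTY and r["ts"] == 0 and not r["line"]:
            findings.append((i, "all-zero record, the usual footprint of a wtmp cleaner"))
        elif r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append((i, f"logout on {r['line']} with no matching login"))
            open_lines.discard(r["line"])
    if len(data) % UTMP_SIZE:
        findings.append((len(data) // UTMP_SIZE, "trailing partial record (truncated file?)"))
    return findings

def sample_wtmp():
    """Constructed sample: record 1, a login on pts/1, has been overwritten with zeros."""
    return b"".join([
        pack_record(USER_PROCESS, 1201, "pts/0", "root", "console", 1177000000),
        bytes(UTMP_SIZE),  # the wiped login record
        pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1177000600),
        pack_record(DEAD_PROCESS, 1340, "pts/1", "", "", 1177001200),
    ])
```

Feed it the bytes of /var/log/wtmp to check a real host; a logout without a login also occurs legitimately right after log rotation, so compare with the rotated wtmp.1 before treating it as tampering.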

Slide 12: Section 4: Editing logs in Windows
- Windows logs are modified and cleared with the Event Viewer.
- The logs record application failures and security warnings, including failed login attempts.

Slide 13: Section 5: Indirect and Passive Attacks (Background)
- An attacker always wants to attack through indirect machines.
- This hides the compromised machine and therefore the hacker's whereabouts.
- HP JetDirect allows indirect launching of attacks.

Slide 14: Section 5: Indirect and Passive Attacks. Exercise 5.1 (HP JetDirect Exploitation)
- HiJetter: http://www.phenoelit.de/hp/download.html
- Store files and scripts on the printer.
- Create websites: *Printer IP*/hp/device/
- Run Nmap attacks through it.

Slide 15: Conclusion
- Covering your tracks is key for effective hacking.
- Avoid honeypots to reuse exploits and methods.
- Hiding files and changing log files effectively covers tracks.
- Running scans and attacks behind cover machines helps protect identity.

Slide 16: Questions?
