
Investigating Hacker Tools (Information Networking Security and Assurance Lab, National Chung Cheng University)


Slide 1: Investigating Hacker Tools

Slide 2: Outline
- Preface
- How files are compiled
- Static analysis of a hacker tool
- Dynamic analysis of a hacker tool

Slide 4: The Goals
- Prevent similar attacks in the future
- Assess an attacker's skill or threat level
- Determine the extent of a compromise
- Determine if any damage was done
- Determine the number and type of intruders
- Prepare yourself for a successful subject interview if you catch the attacker
- Determine the attacker's objectives and goals

Slide 6: Statically Linked Programs
- A statically linked executable file contains all the code necessary to run the application
- It has no dependencies on shared libraries

Slide 7: Dynamically Linked Programs
- Shared libraries contain commonly used functions and routines
- They reduce the size of the executable file
- They conserve system memory
- Shared libraries can be updated without changing the original programs

Slide 8: Static Program vs. Dynamic Program (diagram; only its labels survive in the transcript)
- Statically compiled program: the printf function is contained within the program's object code
- Dynamically compiled program: a printf stub references the copy of printf that the shared library provides in system memory

Slide 9: Programs Compiled with Debug Options
- A program compiled with debug options includes a lot of information about the program and its source code

Slide 10: The comparison of the file size (screenshot of the file sizes; not reproduced in the transcript)

Slide 11: The stripped programs
- strip is a command that discards all symbols from the object code, making the file much smaller and perhaps more optimal for execution
- Screenshots of the command line and of the smaller file size are not reproduced in the transcript

Slide 12: Programs Packed with UPX (Ultimate Packer for eXecutables), http://upx.sourceforge.net
- An effective compression tool for executable files
- A hacker can use it to obscure their illicit programs from signature-based IDS
- A review of the ASCII-formatted strings within the rogue code will show whether UPX was used to compress the executable

Slide 13: An example of UPX (screenshot; not reproduced in the transcript)

Slide 14: An example of Symbol Extraction (1/2)
- $ nm -a zapdynamic
- If debugging information is included, use $ nm -al zapdebug
- The output columns are the symbol value and the symbol type (screenshot; not reproduced in the transcript)

Slide 15: An example of Symbol Extraction (2/2)
- Symbol type: a lowercase letter marks a local variable, an uppercase letter a global variable
- See $ man nm for the full list of type letters
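Slides 14 and 15 show nm output but the screenshot is not in the transcript. The following is an added example (not part of the original slides) that parses an nm -al style listing in Python, maps each type letter to local/global/undefined per the man page, and summarises what an analyst reads off such a listing: undefined symbols mean the binary resolves functions from shared libraries at load time (dynamically linked, as in slide 7), source file locations mean debug information is present (slide 9), and an empty listing is what a stripped binary produces (slide 11). The listing itself is constructed sample input for a hypothetical "zapdebug" binary.

```python
import re

# Constructed `nm -al`-style listing for a hypothetical binary "zapdebug";
# sample input for this example, not output copied from the slides.
SAMPLE_NM = """\
0000000000600e30 d _DYNAMIC
0000000000600ff8 d _GLOBAL_OFFSET_TABLE_
                 U printf@@GLIBC_2.2.5
                 U fopen@@GLIBC_2.2.5
0000000000400530 T main\t/home/user/zap/zap.c:12
000000000060103c b completed.6348
0000000000601028 D __data_start
0000000000601038 B buf\t/home/user/zap/zap.c:7
0000000000400440 t frame_dummy
                 w __gmon_start__
"""

# value (absent for undefined symbols), one type letter, name, optional file:line
NM_RE = re.compile(
    r"^(?P<value>[0-9a-fA-F]+)?\s*(?P<type>[A-Za-z?-])\s+(?P<name>\S+)"
    r"(?:\s+(?P<loc>\S+))?\s*$"
)

def classify(letter: str) -> str:
    """Map an nm symbol-type letter to a scope, following `man nm`."""
    if letter == "U":
        return "undefined"      # supplied by a shared library at load time
    if letter in ("w", "W", "v", "V"):
        return "weak"
    if letter.islower():
        return "local"          # e.g. static variables and static functions
    if letter.isupper():
        return "global"
    return "other"

def parse_nm(text: str) -> list:
    """Turn nm output into a list of symbol records."""
    symbols = []
    for line in text.splitlines():
        m = NM_RE.match(line)
        if not m:
            continue            # e.g. "nm: zapstatic: no symbols"
        symbols.append({
            "value": int(m.group("value"), 16) if m.group("value") else None,
            "type": m.group("type"),
            "scope": classify(m.group("type")),
            "name": m.group("name").split("@@")[0],   # drop glibc version tag
            "source": m.group("loc"),                  # only present with -l
        })
    return symbols

def summarize_symbols(symbols: list) -> dict:
    """What an analyst wants at a glance from the symbol table."""
    counts = {}
    for s in symbols:
        counts[s["scope"]] = counts.get(s["scope"], 0) + 1
    imports = sorted(s["name"] for s in symbols if s["scope"] == "undefined")
    sources = sorted({s["source"].rsplit(":", 1)[0] for s in symbols if s["source"]})
    return {
        "counts": counts,
        "imports": imports,          # non-empty: resolved from shared libraries
        "source_files": sources,     # non-empty: compiled with debug options
        "stripped": not symbols,     # nm lists nothing for a stripped binary
    }

if __name__ == "__main__":
    print(summarize_symbols(parse_nm(SAMPLE_NM)))
```

Run it against real output by piping nm -al into the script's stdin instead of SAMPLE_NM; the source file names it recovers are exactly the "names of the source code files before the application was compiled" that the string review on slide 19 looks for.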

Slide 17: What static analysis is and the steps you should follow
- Static analysis is tool analysis performed without actually executing the rogue code
- The general approach to static analysis involves the following steps:
  - Determine the type of file you are examining
  - Review the ASCII and Unicode strings contained within the binary file
  - Perform online research to determine if the tool is publicly available on computer security or hacker sites
  - Perform a source code review if you either have the source code or believe you have identified the source code via online research

Slide 18: Determine the Type of File (screenshots of the file command and of the magic file; not reproduced in the transcript)

Slide 19: Review the ASCII and Unicode Strings
- $ strings -a filename
- $ hexedit allows you to see Unicode and ASCII strings within a file at the same time
- Look for the following items:
  - The names of the source code files before the application was compiled
  - The exact compiler used to create the file
  - The "help" strings in the tool
  - The error messages that the program displays
  - The values of static variables
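The first two static-analysis steps (slides 18 and 19) and the UPX check from slide 12 can be done with a few lines of Python when the file and strings commands are not at hand, for instance on an analysis workstation that is not Linux. The block below is an added example, not code from the slides: identify() mimics what file does with its magic file for a handful of constructed magic values, ascii_strings() does what strings -a does, utf16le_strings() finds the Unicode (UTF-16LE) strings hexedit would show alongside them, and upx_packed() looks for the marker strings UPX leaves in a packed file. SAMPLE is a constructed byte blob, not a real binary.

```python
import re
import struct

# Magic-byte table for this example (constructed; the real `file` command
# consults a much larger magic database such as /usr/share/magic).
MAGIC = [
    (b"\x7fELF", "ELF"),
    (b"MZ", "MS-DOS executable"),
    (b"#!", "script"),
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
]

def identify(data: bytes) -> str:
    """Label a file from its leading bytes, the way `file` does with its magic file."""
    for magic, label in MAGIC:
        if not data.startswith(magic):
            continue
        if label == "ELF" and len(data) > 4:
            # Byte 4 (EI_CLASS) is 1 for 32-bit and 2 for 64-bit objects.
            return "ELF " + {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown class")
        if label == "MS-DOS executable" and len(data) >= 0x40:
            # The DOS header keeps the PE header offset at 0x3c (e_lfanew).
            pe_off = struct.unpack_from("<I", data, 0x3c)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "PE executable"
        return label
    return "data"

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings -a`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Printable UTF-16LE runs (each char followed by a NUL byte), as seen in hexedit."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]

def upx_packed(data: bytes) -> bool:
    """UPX leaves a 'UPX!' marker and an '$Info:' banner in files it packs."""
    return b"UPX!" in data or b"$Info: This file is packed with the UPX" in data

# Constructed sample "binary": an ELF64 header stub followed by the kinds of
# strings slide 19 says to look for (compiler banner, help text, a file name).
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"GCC: (GNU) 4.1.2\x00"
    + b"usage: zap [user]\x00\x00"
    + "log.txt".encode("utf-16-le") + b"\x00\x00"
    + b"$Info: This file is packed with the UPX executable packer\x00"
    + b"UPX!"
)

def triage(data: bytes) -> dict:
    """File type, both kinds of strings, and the UPX verdict in one pass."""
    return {
        "type": identify(data),
        "ascii": ascii_strings(data),
        "unicode": utf16le_strings(data),
        "upx": upx_packed(data),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a packed file the strings review stops at the UPX banner and the packer's own stub; the useful strings only appear after unpacking, which is why slide 12 treats the banner as the signal to look for before going further.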

Slide 20: Performing Online Research and Source Code Review
- It is very helpful to find the same tool elsewhere
- Two occasions:
  - The attacker leaves the source code on the system
  - You find the identical program from another source together with the proper source code

Slide 22: What dynamic analysis is and the tasks you should do
- Dynamic analysis of a tool takes place when you execute rogue code and interpret its interaction with the host operating system
- The methodology must include the following tasks:
  - Monitor the time/date stamps to determine what files a tool affects
  - Run the program to intercept its system calls
  - Perform network monitoring to determine if any network traffic is generated
  - Monitor how Windows-based executables interact with the Registry

Slide 23: Set up your test environment
- You need to invest the time to set up a proper test environment (e.g. VMware)
- Make sure that the test system is not connected to the Internet: the tool may send beacon packets or "phone home"
- Or you can execute it on a closed network

Slide 24: Intercept the system calls
- User applications use system calls to make requests of the kernel
- System trace ($ strace) acts as a wiretap between a program and the operating system
- Screenshots of the output file and of executing the rogue program are not reproduced in the transcript

Slides 25 to 28: example_1 of strace and example_2 of strace (1/3 to 3/3) (screenshots; not reproduced in the transcript)
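The strace screenshots on slides 25 to 28 are missing from the transcript, so here is an added example (not from the slides) of what an analyst does with the output file slide 24 mentions: a Python parser that reads strace lines and reports the tasks listed on slide 22, that is, which files the tool reads, writes or deletes, which network endpoints it connects to or listens on (the "phone home" traffic slide 23 warns about), and which calls failed. SAMPLE_TRACE is a constructed trace of a hypothetical program "./tool", with a TEST-NET address; it is not a real capture.

```python
import re

# Constructed strace output for a hypothetical tool "./tool"; sample input for
# this example, not a trace copied from the slides.
SAMPLE_TRACE = """\
execve("./tool", ["./tool", "-q"], [/* 18 vars */]) = 0
open("/etc/passwd", O_RDONLY)           = 3
open("/var/log/wtmp", O_RDWR)           = 4
open("/tmp/.cache", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 5
unlink("/var/log/lastlog")              = -1 EACCES (Permission denied)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
write(6, "hello\\r\\n", 7)              = 7
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
bind(7, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
close(6)                                = 0
exit_group(0)                           = ?
"""

# One strace line: syscall(args) = return value
LINE_RE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")

def first_path(args: str):
    """The first double-quoted argument, which is the path for file syscalls."""
    m = re.search(r'"([^"]*)"', args)
    return m.group(1) if m else None

def endpoint(args: str):
    """IP:port from a sockaddr_in as strace prints it, or None."""
    port = re.search(r"htons\((\d+)\)", args)
    addr = re.search(r'inet_addr\("([^"]+)"\)', args)
    return f"{addr.group(1)}:{port.group(1)}" if port and addr else None

def summarize_trace(trace: str) -> dict:
    """Group the trace by the effects slide 22 asks you to determine."""
    report = {"exec": [], "read": [], "write": [], "delete": [],
              "network": [], "failed": []}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # signal lines, "+++ exited", unfinished calls
        call, args, ret = m.group("call", "args", "ret")
        if ret.startswith("-1"):
            # Failed calls still show intent (here: an attempt to remove a log).
            report["failed"].append(f"{call}({first_path(args) or args}): {ret}")
        if call == "execve":
            report["exec"].append(first_path(args))
        elif call in ("open", "openat", "creat"):
            mode = "write" if any(f in args for f in WRITE_FLAGS) else "read"
            report[mode].append(first_path(args))
        elif call in ("unlink", "unlinkat", "rmdir", "rename"):
            report["delete"].append(first_path(args))   # rename: old name goes away
        elif call in ("connect", "bind"):
            ep = endpoint(args)
            if ep:
                report["network"].append(f"{call} {ep}")
    return report

if __name__ == "__main__":
    for key, items in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key:8s} {items}")
```

The "write" list is what to compare against the time/date stamps of slide 22, and the "network" list tells you which ports to expect in the packet capture; a bind entry corresponds to what fport reports on Windows (slide 30).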

Slide 29: Conducting Analysis Beyond strace
- Debugging
- Decompiling
  - Linux Assembly web site: http://linuxassembly.org
  - Tool Interface Standards and manuals on the Dr. Dobb's Microprocessor Resources web site: http://x86.ddj.com/intel.doc/tools.htm
  - objdump
  - nm
  - gdb

Slide 30: Dynamic Analysis on a Windows System
- filemon: provides a wiretap between running processes and the file system
- regmon: taps a process's interaction with the Windows Registry
- listdlls: shows all of the DLLs needed by a process
- fport: determines what port the rogue program opens
- flist: determines if a process changes its process name after execution

Slides 31 to 35: filemon, regmon, listdlls, fport, pslist (screenshots; not reproduced in the transcript)

