1  Ed Skoudis, June 6, 2005 Seminar Series

2  Presentation Outline (©2005 Ed Skoudis)
- Purpose & General Trends
- Step 1: Reconnaissance
- Step 2: Scanning
- Step 3: Gaining Access
- Step 4: Maintaining Access
- Step 5: Covering the Tracks
- Conclusions

3  A Quote from One of History’s Greatest Hackers
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
(Sun Tzu, The Art of War)

4  Purpose
- We’re not here to teach you how to hack…
- However, to defend yourself, you must understand your adversaries’ strategies and tactics
- We will discuss prominent recent advances in computer attack techniques…
- …to gain an understanding of how to defend against new attacks
- We are not endorsing these attack tools, but you have to be ready to defend against them
- We will also discuss a variety of useful defensive tools… but check to make sure you have permission to use them! Talk to the system owners…

5  General Trends – The Storm after the Quiet
- For six months after September 11, 2001, we saw a major drop in the release of new vulnerabilities and attack tools
  - Shock over terrorism
  - Fear of law enforcement and the PATRIOT Act
  - Concern about the DMCA
[Timeline: Sept 11, 2001 to March 2002, relatively quiet; March 2002 to now, the gloves are off! Major new attacks and tools]

6  General Trends – Software Distro Site Attacks
- Trojaning software distribution sites: hack into the web/ftp site and alter the software to include a backdoor
- Everyone who downloads and uses the tool is impacted!
- May, 2002: irssi.org, IRC client compromised
- May 17-24, 2002: Monkey.org, Dsniff, Fragroute, and Fragrouter hacking tools compromised
- July 30 – August 1, 2002: Openssh.org, OpenSSH security tool compromised
- Sept 28 - Oct 6, 2002: ftp.sendmail.org, sendmail mail server compromised
- Nov 11-13, 2002: tcpdump.org, tcpdump sniffer and libpcap compromised
- Some pretty big names have fallen to this attack!
- What to do?
  - Check hashes… across multiple mirrors
  - Don’t put new software directly into production… test first!
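
The "check hashes across multiple mirrors" advice, as an added example that is not part of the slides. It hashes the bytes you actually downloaded and compares them with the hash each independent source publishes; the package contents, the source names and the published hashes are constructed, and the verdict logic covers the case this slide is about, where the primary site itself has been altered and disagrees with the mirrors.

```python
# Added example (not from the slides): verify a downloaded package against
# hashes published by several independent sources. Package contents, source
# names and published hashes are constructed for the demonstration.
import hashlib
from typing import Dict

# Constructed stand-ins for the real tarball and for a trojaned copy of it.
ORIGINAL_PACKAGE = b"tcpdump-3.x.tar.gz: clean contents (constructed sample)"
TROJANED_PACKAGE = ORIGINAL_PACKAGE + b"\n# extra bytes standing in for an added backdoor"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes you actually downloaded."""
    return hashlib.sha256(data).hexdigest()


def check_against_mirrors(data: bytes, published: Dict[str, str]) -> Dict[str, object]:
    """Compare the local SHA-256 with the hash each source publishes.

    Verdicts:
      ok                every source agrees with the local hash
      tampered          no source agrees with it (the download itself is bad)
      mirrors-disagree  some sources agree and others do not; one of the
                        sources may be the compromised site, so trust none
                        of them until the disagreement is explained
    """
    local = sha256_hex(data)
    agree = sorted(m for m, h in published.items() if h.lower() == local)
    disagree = sorted(set(published) - set(agree))
    if not disagree:
        verdict = "ok"
    elif not agree:
        verdict = "tampered"
    else:
        verdict = "mirrors-disagree"
    return {"local_sha256": local, "agree": agree, "disagree": disagree, "verdict": verdict}


# Constructed publishers: a primary site and two independent mirrors.
CLEAN_HASH = sha256_hex(ORIGINAL_PACKAGE)
PUBLISHED_ALL_CLEAN = {"primary": CLEAN_HASH, "mirror-a": CLEAN_HASH, "mirror-b": CLEAN_HASH}
# The scenario from the slide: the primary site was hacked and now publishes
# the hash of the trojaned tarball, while the mirrors still carry the real one.
PUBLISHED_PRIMARY_HACKED = {"primary": sha256_hex(TROJANED_PACKAGE),
                            "mirror-a": CLEAN_HASH, "mirror-b": CLEAN_HASH}

if __name__ == "__main__":
    for label, data, published in [
        ("clean download, all sources clean", ORIGINAL_PACKAGE, PUBLISHED_ALL_CLEAN),
        ("trojaned download, all sources clean", TROJANED_PACKAGE, PUBLISHED_ALL_CLEAN),
        ("trojaned download, primary hacked", TROJANED_PACKAGE, PUBLISHED_PRIMARY_HACKED),
    ]:
        print(label, "->", check_against_mirrors(data, published)["verdict"])
```

A hash published on the same compromised server as the tarball proves nothing, which is why the verdict only reads "ok" when every independent source agrees; a signed release (PGP) checked against a key obtained out of band is the stronger check where the project offers one.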

7  Tcpdump Trojan
[Diagram, steps 1 to 7: an admin downloads the Trojan Horse version of the tcpdump and/or libpcap install package; its configure script downloads and runs a “services” script from the attacker’s web server on the victim’s system; the script generates, compiles, and executes a backdoor C program; the backdoor polls the attacker on TCP port 1963 for a control character, A, D, or M; if it receives D, it runs a shell and shovels the shell across the network to the attacker, who types commands there for execution on the victim’s machine]

8  Tcpdump Trojan Horse Details
- Interesting notes:
  - A, D, and M for commands… where do those characters come from?
  - TCP port 1963
  - Similarity to the sendmail Trojan and others
- Shoveling shell: pushing out a connection that is really incoming command shell access
  - More easily gets through firewalls
- The sniffer itself won’t show traffic destined for the backdoor (OUCH!)

10  Reconnaissance – Google Hacking
- The best attackers do comprehensive reconnaissance
- Google is now a favorite hacking tool
- Useful public information is plentiful
  - Admin names, addresses, phone numbers, financial info, business partners
  - Job requisitions
  - Technologies in use, IP addresses, DNS servers, network topology, open ports, etc…
- Google hacking for beginners
  - johnny.ihackstuff.com
  - www.i-hacked.com
- Protect yourself!

11  Reconnaissance Defenses
- Look for information leakage from your systems before the bad guys find it
- Conduct reconnaissance against your own environment
- Use the same tools as the bad guys… but be careful!
  - If you use their web sites or tools for searches, they could monitor your actions
  - Probably best not to do this from your production network; do it from a separate ISP

13  Why Port Scanning?
- TCP and UDP each have ports
- Servers listen on ports
- They act like doors: data goes out one port and into another port
- The attacker wants to know which ports are open
- Let’s focus on TCP port scanning
  - Most common protocol on top of IP… it’s used by HTTP, telnet, FTP, and many other services
  - TCP uses the three-way handshake
[Diagram: A sends SYN to B, B replies SYN-ACK, A sends ACK, connection established]

14  “Normal” Port Scanning
[Diagram: SYN to TCP port 1, SYN to TCP port 2, SYN to TCP port 3; the TARGET replies SYN-ACK from port 3. Eureka! Port 3 is listening!]
- Attackers send SYN packets, and watch for SYN-ACK responses to indicate a listening port
- Downside for the attacker: the scan can be traced back to the attacker’s machine using the source IP address

15  What if the Attacker Spoofs the Source Address?
- Not very useful, because the SYN-ACK responses don’t come back to the attacker
- The attacker can’t figure out if the port is open or closed, so the port scan is a waste of time
[Diagram: spoofed SYNs to TCP ports 1, 2, 3; the SYN-ACK from port 3 goes to the address the attacker is spoofing, which answers with a RESET!!!]

16  IP Identification Field Predictability…
- The IP Identification field in the IP header is used for packet fragmentation
  - Used to group all fragments together for packet reassembly
- If there are no fragments, the IP stack assigns some value to this field
- When some systems send packets, they just increment the IP ID field by one for each packet
  - Each packet gets an IP ID value that is one bigger than the previous packet’s value
[Diagram: IP header layout showing Version, Hlen, Service Type, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source IP Address, Destination IP Address, IP Options (if any), Padding, Data]

17  Predictable IP ID – Idle Scans in Nmap
[Diagram, steps 1 to 3: the attacker sends a SYN to the machine that gets framed, receives a SYN-ACK with IP ID = X, and remembers IP ID = X; the TARGET is also shown]

18  IP Identification Scanning (A.K.A. “Idle” Scanning)
[Diagram, steps 4 to 8: the attacker sends a spoofed SYN to TCP port 3 on the TARGET, apparently from the machine that gets framed; the TARGET answers that machine with a SYN-ACK from port 3; the framed machine replies RESET with IP ID = X+1; the attacker then sends a SYN to the framed machine (7) and receives a SYN-ACK (8)]
- ANALYZE STEP 8!
  - If the IP ID of step 8 is X+2, the port is listening.
  - If the IP ID of step 8 is X+1, the port is closed.
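
A self-check for the IP ID behaviour the idle scan depends on, as an added example that is not part of the slides: given the Identification values from a run of packets one of your own hosts sent (tcpdump -v prints the field as "id N"), it reports whether the host simply counts up, which is what would make it usable as the "machine that gets framed". The observation sequences and the function names are constructed.

```python
# Added example (not from the slides): classify a host's IP ID behaviour from
# observed Identification values. Sequences below are constructed.
from typing import List, Sequence

IPID_MODULUS = 1 << 16   # the Identification field is 16 bits wide
MAX_STEP = 16            # tolerate a little other traffic between observations


def ipid_deltas(ids: Sequence[int]) -> List[int]:
    """Differences between consecutive IP IDs, modulo 2^16, so that a
    counter wrapping from 65535 to 0 still reads as a step of 1."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: Sequence[int]) -> str:
    """'incremental' when every step is a small positive increment (the
    predictable pattern the slides describe), 'constant' when the field
    never changes, 'random' otherwise. Needs at least three observations."""
    if len(ids) < 3:
        raise ValueError("need at least three IP ID observations")
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= MAX_STEP for d in deltas):
        return "incremental"
    return "random"


# Constructed observations.
COUNTING_HOST = [65533, 65534, 65535, 0, 1, 2]      # global counter, wraps cleanly
RANDOMISING_HOST = [11289, 4021, 59912, 17, 30871]   # stack that randomises the field
ZERO_ID_HOST = [0, 0, 0, 0]                         # stack that sends ID 0 when not fragmenting

if __name__ == "__main__":
    for name, ids in [("counting", COUNTING_HOST), ("randomising", RANDOMISING_HOST),
                      ("zero", ZERO_ID_HOST)]:
        print(name, ipid_deltas(ids), classify_ipid(ids))
```

A host that classifies as "incremental" is the one to fix (or to keep off the public Internet), since its IP IDs leak how much traffic it sends and let a third party attribute a scan to it; modern stacks randomise the field or use per-destination counters, which come out as "random" here.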

19  Scanning - Paketto Keiretsu
- Suite of tools for doing TCP/IP tricks
  - By Dan Kaminsky
  - Released October 8, 2002
  - Available at http://www.doxpara.com/
- One capability: very rapid port scanning
  - Separate the packet sender process from the receiver
  - The sender transmits packets as quickly as the network will carry them
  - The receiver sniffs responses
  - Sender and receiver are out of synch, but that’s ok
  - The idea could be extended…
[Diagram: on the attacker’s machine a sender (Sndr) emits SYNs while a separate receiver (Rcvr) collects the SYN-ACKs]

20  Port Scanning Defenses
- Action item: run netstat –na to see what’s listening (on UNIX and Windows)
  - Alternatively, use Fport on Windows and Lsof on UNIX
- For those services you don’t need, close unused ports
  - Disable unneeded services
  - In Windows: check Start > Programs > Administrative Tools > Services
  - In UNIX: check /etc/rc.d/init.d and /etc/xinetd
- For incident handling, realize that these scans are possible
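
The "run netstat -na" action item, carried one step further as an added example that is not part of the slides: the listeners in the netstat output are parsed and compared with a baseline of the ports the host is supposed to expose, so anything extra stands out. The two netstat outputs (Linux and Windows column layouts), the baseline and the unexpected port 31337 listener are constructed.

```python
# Added example (not from the slides): compare the listeners reported by
# "netstat -na" against a baseline of expected ports. The netstat text and the
# baseline below are constructed.
from typing import List, Set, Tuple

Listener = Tuple[str, str, int]   # (proto, local address, port)

LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.7:139           10.0.0.9:1045          ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Constructed baseline: what this particular host is supposed to expose.
BASELINE: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 25), ("udp", 123)}


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Pull (proto, address, port) for every listening socket out of
    "netstat -na" text. TCP counts as listening when its state starts with
    LISTEN (Linux prints LISTEN, Windows LISTENING); UDP has no state, so a
    wildcard foreign address (0.0.0.0:* or *:*) marks a bound socket."""
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].lower().rstrip("6")
        endpoints = [f for f in fields[1:] if ":" in f]
        if not endpoints:
            continue
        local = endpoints[0]
        foreign = endpoints[1] if len(endpoints) > 1 else ""
        state = fields[-1] if ":" not in fields[-1] else ""
        if proto == "tcp":
            listening = state.upper().startswith("LISTEN")
        else:
            listening = foreign.endswith(":*") or foreign == ""
        if not listening:
            continue
        addr, port = local.rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
        listeners.append((proto, addr, int(port)))
    return listeners


def unexpected_listeners(netstat_output: str, baseline: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners not in the baseline: each is either a service to disable or
    an incident to look into."""
    return sorted(l for l in parse_listeners(netstat_output) if (l[0], l[2]) not in baseline)


if __name__ == "__main__":
    for name, text in [("linux", LINUX_NETSTAT), ("windows", WINDOWS_NETSTAT)]:
        print(name, "unexpected:", unexpected_listeners(text, BASELINE))
```

netstat only reports what the running kernel tells it, so on a box with a kernel-level rootkit (slide 36) a hidden listener will not appear here at all; the baseline comparison is still worth running on every host, because it catches the far more common case of a service nobody knew was enabled.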

22  Gaining Access – Detailed Code Analysis Tools
- Consider recent months: major holes in Apache, Internet Explorer, OpenSSL, OpenSSH, Sendmail, Snort… the list keeps growing!
- We’ve seen a recent revolution in detailed vulnerability analysis tools
  - Used to find buffer overflows, heap overflows, etc.
- Think of these tools as X-rays or microscopes to look inside executable code at a fine-grained level
  - Look for common mistakes that let an attacker take over a system
  - Step through machine language code, line by line
- To learn more about such tools, check out the Honeynet Project Reverse Challenge at http://www.honeynet.org/reverse/

23  Code Analysis Tools - Windows

| Tool Name | Comm. or Free | Summary | Where to Get It |
|---|---|---|---|
| APISpy32, by Yariv Kaplan | Free | On Windows systems, this tool monitors all API calls, showing the value of all variables passed along the way. | http://www.internals.com/utilities_main.htm |
| Heap Debugger, by Anonymous | Free | On Windows systems, this tool lists all memory locations not properly released by an application. | http://www.programmersheaven.com/zone24/cat277/4136.htm |
| APIHooks, by EliCZ | Free | On Windows systems, this tool intercepts API calls, allowing an attacker to analyze or even manipulate the flow of data through a program. | http://www.anticracking.sk/EliCZ/ |
| Feszer, by Frank Swiderski | Free | This Windows tool is used to analyze problems in string handling functions. | http://www.atstake.com/research/tools/index.html |

24  Code Analysis Tools - UNIX

| Tool Name | Comm. or Free | Summary | Where to Get It |
|---|---|---|---|
| Sharefuzz, by Dave Aitel | Free | On UNIX machines, this program can be used to find holes from local accounts on a machine. | http://freshmeat.net/projects/sharefuzz/?topic_id=43 |
| SPIKE, by Dave Aitel | Free | On UNIX machines, this tool can be used to find flaws in network protocol handling, especially in web servers and remote procedure calls. | http://www.immunitysec.com/spike.html |
| Electric Fence, by Bruce Perens | Free | On UNIX machines, this tool can find flaws with the way the system frees memory, which could lead to security exposures. | http://perens.com/FreeSoftware/ |
| Fenris, by Michal Zalewski | Free | Multipurpose tracer, stateful analyzer and partial decompiler for UNIX. | http://razor.bindview.com/tools/fenris/ |

25  Code Analysis Tools - Both

| Tool Name | Comm. or Free | Summary | Where to Get It |
|---|---|---|---|
| IDA Pro, by Data Rescue | Commercial | This program is the premier code disassembler tool for both Windows and Linux. It is extremely powerful and very widely used to find security flaws. | http://www.datarescue.com |
| Cenzic’s Hailstorm | Commercial | This powerful tool allows for finding defects by injecting faults into software. | http://www.cenzic.com/ |

- People used to say that closed source was more secure because attackers couldn’t analyze it as much
- This is increasingly less true because of tools like these!

26  SQL Slammer
- So, how are they propagating their exploits?
  - Increasingly, they are using worms
- Remember SQL Slammer?
  - January, 2003: fast-spreading worm on the rampage
  - Patch SQL Server!
- Am I running it?
  - Very hard to tell
  - Many products use it, and Microsoft doesn’t make it easy to detect

27  SQL Slammer Impact
- Took much of South Korea off of the Internet for several hours
  - Ironically, this limited its spread: by clogging links, the worm couldn’t spread as quickly to the outside world
- One Emergency 911 call center was taken off line
- Over 13,000 ATMs (money machines) offline in North America
- Some airlines cancelled a few flights

28  SQL Slammer Characteristics
- Why did SQL Slammer cause such damage?
  - People didn’t know they were running the Microsoft SQL service
  - Fast spread via small size and UDP
    - Only 376 bytes
    - Attacked the Microsoft SQL service, which uses UDP

29  Worm Efficiencies and TCP vs. UDP
- To establish sequence numbers, TCP uses a three-way handshake to initiate a connection
- UDP doesn’t…
[Diagram: TCP: SYN, SYN-ACK, ACK, then the connection; UDP: a single packet from A]

30  UDP-based Worms
- Analogy: spreading a cold in Grand Central Station
  - TCP: shake everyone’s hand…
  - UDP: lob infected ping pong balls
[Diagram: worm spread via TCP needs a three-way handshake with each victim; worm spread via UDP sends one packet per victim]

31  Defenses Against Code Flaws & Worms
- Keep your systems patched, with a well-defined process for:
  - Learning about new patch availability
  - Acquiring and authenticating patches
  - Testing patches in a non-production environment
  - Rolling patches into production
- Write secure code!
  - Education of software developers
  - Good book for Windows: Writing Secure Code, by Howard and LeBlanc
  - Good stuff for UNIX: http://www.dwheeler.com/secure-programs/ by D. Wheeler
- Automated software checking tools
  - ITS4: www.cigital.com/its4/download.html
  - RATS: www.securesoftware.com/rats.php
  - Flawfinder: www.dwheeler.com/flawfinder/
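
What the automated checkers listed above actually do, shown as an added example that is neither the slides' code nor the code of ITS4, RATS or Flawfinder: a lexical pass over C source that flags calls to functions with no bounds information, so a reviewer goes straight to the risky lines. The list of flagged functions, the C snippet and the helper names are constructed for the demonstration.

```python
# Added example (not from the slides, and not ITS4/RATS/Flawfinder code): a
# lexical scan of C source for calls to unbounded string and shell functions.
# The C sample is constructed.
import re
from typing import Dict, List, Tuple

# Function name -> why it is flagged and the usual replacement.
RISKY_CALLS: Dict[str, str] = {
    "gets": "reads an unbounded line; use fgets with the buffer size",
    "strcpy": "no destination bound; use strncpy/strlcpy with sizeof the destination",
    "strcat": "no destination bound; use strncat/strlcat",
    "sprintf": "no output bound; use snprintf",
    "vsprintf": "no output bound; use vsnprintf",
    "system": "shell command; any attacker-controlled input here is command injection",
}
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

Finding = Tuple[int, str, str]   # (line number, function, reason)


def strip_comments(source: str) -> str:
    """Blank out /* ... */ and // comments while keeping line numbers stable,
    so a mention of strcpy in a comment is not reported as a call."""
    without_block = BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    return "\n".join(line.split("//", 1)[0] for line in without_block.split("\n"))


def scan_c_source(source: str) -> List[Finding]:
    """Report every call to a function in RISKY_CALLS with its line number.
    Purely lexical, like the early tools: it does not know whether the
    arguments are attacker-controlled, so treat hits as places to review,
    not as confirmed bugs (and "strcpy(" inside a string literal would also
    be reported)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(strip_comments(source).split("\n"), start=1):
        for match in CALL_RE.finditer(line):
            name = match.group(1)
            findings.append((lineno, name, RISKY_CALLS[name]))
    return findings


SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
/* Constructed sample: greets a user by a name taken from stdin.
   A comment mentioning strcpy() must not be flagged. */
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                 // flagged: name may exceed 64 bytes
    printf("hello %s\\n", buf);
}
int main(void) {
    char line[128];
    gets(line);                        // flagged: unbounded read
    greet(line);
    snprintf(line, sizeof line, "ok"); // not flagged: bounded
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, name, reason in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {name}(): {reason}")
```

The real tools add a risk ranking and a much longer table (including format-string and race-condition patterns), but the limitation is the same as here: a lexical match cannot tell a bounded call site from a dangerous one, so their output is a review worklist, not a verdict.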

33  Trojan Horse Backdoors

| Type of Trojan horse backdoor | Characteristic | Analogy | Example tools in this category |
|---|---|---|---|
| Application-Level Trojan Horse Backdoor | A separate application runs on the system | An attacker adds poison to your soup. | Sub7, BO2K, Tini, etc. |
| Traditional RootKits | Critical Operating System components are replaced. | An attacker replaces your potatoes with poison ones. | Lrk6, T0rnkit, etc. |
| Kernel-Level RootKits | Kernel is patched. | An attacker replaces your tongue with a poison one. | Knark, adore, Kernel Intrusion System, rootkit.com, etc. |

[Diagrams: Traditional RootKit: a good kernel underneath a Trojan login, Trojan ps and Trojan ifconfig, with a good tripwire. Kernel-level RootKit: a Trojan kernel module inside the kernel, underneath a good login, good ps, good ifconfig and good tripwire. Application-level: a good kernel and good programs, plus a separate evil app]

34  Maintaining Access – Trojan Horse Backdoors
- New, even stealthier application-level Trojan Horse backdoors
- Setiri, written by Roelof Temmingh and Haroon Meer
  - Code shown August, 2002; no release scheduled
- Standard functions: upload file, execute program, download file
- Uses an invisible IE browser window and OLE to communicate with the browser to send data to the attacker over HTTPS
- If the personal firewall allows the browser to send traffic to the Internet, the backdoor can communicate with the attacker
  - Also gets through NAT, proxies, and stateful firewalls

35  Setiri Architecture
[Diagram: the victim machine, behind a firewall, talks HTTPS through an anonymizer to the connection broker (a web server with the attacker’s CGIs), which the attacker reaches through another anonymizer. STEP 1: the attacker somehow installs Setiri on the victim machine]

36  Kernel Level RootKits
- An area that continues to get attackers’ attention is the kernel-level RootKit
- By operating in the kernel, the attacker has complete control of the target machine
  - Hidden processes
  - Hidden files
  - Hidden network use (sniffing and port listeners)
  - Execution redirection
- Three ways of implementing
  - Loadable Kernel Module
  - Patch the kernel image on the hard drive
  - Alter the kernel in memory on a running system! Yikes!!!

37  Maintaining Access Defenses
- Block access to Anonymizer.com
  - Works for the base Setiri tool and relatives, but an attacker could use another anonymous proxy or connection broker
  - Still, it’s a pretty reasonable idea
- Anti-virus tools
  - Look for signatures in the near future
- Browser vendors (ahem…) possibly looking at limiting actions of invisible browsers
- Additionally, protect your kernel!
  - St. Michael for Linux, by Tim Lawless, at www.sourceforge.net
  - Okena and Entercept for Windows and Solaris
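
A cross-view check for the "hidden processes" item of slide 36, as an added example that is not part of the slides: the PIDs that ps reports are compared with the numeric entries of /proc and with a direct probe of the PID space, and a PID that a lower-level view shows but a higher-level view does not is hidden from that view. The ps output, the /proc listing and the probe results are constructed stand-ins for reading the live system, and the function names are mine.

```python
# Added example (not from the slides): cross-view detection of hidden
# processes. All three views below are constructed stand-ins.
from typing import Callable, Dict, Iterable, List, Set

PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  412 ?        00:00:00 sshd
  977 pts/0    00:00:00 bash
"""
# Constructed os.listdir("/proc"): in this scenario PID 1337 is hidden only
# from ps (a trojaned ps binary), while PID 2048 is also filtered out of /proc.
PROC_ENTRIES = ["1", "412", "977", "1337", "cpuinfo", "meminfo", "net", "self"]
# Constructed stand-in for a per-PID probe such as os.kill(pid, 0): the PIDs
# that actually exist in this scenario.
ACTUAL_PIDS = {1, 412, 977, 1337, 2048}


def pids_from_ps(ps_output: str) -> Set[int]:
    """First column of every non-header line of 'ps -e' style output."""
    pids = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """Numeric directory names under /proc are process IDs."""
    return {int(e) for e in entries if e.isdigit()}


def pids_by_probe(pid_exists: Callable[[int], bool], max_pid: int) -> Set[int]:
    """Ask about every PID directly instead of listing a directory that a
    rootkit may be filtering."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def cross_view(ps_pids: Set[int], proc_pids: Set[int], probe_pids: Set[int]) -> Dict[str, List[int]]:
    """Which PIDs each view fails to show relative to a lower-level view."""
    return {
        "hidden_from_ps": sorted(proc_pids - ps_pids),
        "hidden_from_proc": sorted(probe_pids - proc_pids),
    }


def run_constructed_scenario(max_pid: int = 4096) -> Dict[str, List[int]]:
    return cross_view(
        pids_from_ps(PS_OUTPUT),
        pids_from_proc(PROC_ENTRIES),
        pids_by_probe(lambda pid: pid in ACTUAL_PIDS, max_pid),
    )


if __name__ == "__main__":
    print(run_constructed_scenario())
```

The first comparison catches a traditional rootkit (trojaned ps, honest kernel); the second catches a kernel-level rootkit that filters directory listings but still answers per-PID system calls. A rootkit that hooks those calls too can lie to all three views, which is why the slide points at kernel integrity tools rather than userland checks alone.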

39  The Defiler’s Toolkit
- The Defiler’s Toolkit attempts to confuse forensics investigations
  - First public anti-forensic tool
  - Developed by “The Grugq”
  - Targeted specifically to counter The Coroner’s Toolkit, and only extensively tested for ext2/3 file systems
- Six components
  - KY FS – stores data in superblocks / directory structures
  - Warren FS – stores data in the ext3 journal file
  - Data Mule FS – stores data in inode reserved space
  - Rune FS – stores data in bad blocks
  - Necrofile
  - Klismafile

40  Defiler’s Toolkit
- Data hiding
  - The bad blocks inode points to blocks that don’t function properly
  - The attacker associates good blocks with the bad blocks inode and stores data there
  - Carve out a segment of your hard drive and label it “bad”
  - The drive appears smaller, but TCT won’t look in the bad blocks
- Data destruction with Necrofile
  - Delete tools remove just the data, not the meta-data (inodes and directory entries)
  - Necrofile scrubs inodes clean, based on deletion time criteria
- Data destruction with Klismafile
  - Directory entries show deleted filenames and sizes
  - Klismafile searches for these entries and scrubs them

41  Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
- Developed by Vinnie Liu and distributed with Metasploit 2.2
- Windows specific, with four components
  - TimeStomp: MAC time modification tool
  - Slacker: tool to hide data in slack space
  - SAM Juicer: password file extractor
  - Transmogrify: file signature modifier
- SAM Juicer was renamed PWDump and integrated into Metasploit 3 with TimeStomp
- Slacker and Transmogrify were never reliable and were discontinued. Transmogrify was never released.

42  Meterpreter
- Central component in the Metasploit Framework
- Serves as a payload injected by any of a number of exploits
- Opens a covert communication channel with shell command capabilities
- Resides exclusively in memory with no residue…

43  Anti-Forensic Tools…
- Techniques
- CANVAS
- DECAF, a direct response to COFEE
  - Microsoft and the US Department of Justice have stated their intention to prosecute anyone found to be in unauthorized possession of DECAF
- SecurityWizard List

44  Forensics
- The Coroner’s Toolkit is very popular, along with its descendant, “The Sleuth Kit” (www.sleuthkit.org)
- The Coroner’s Toolkit, as cool as it was, is a bit outdated
  - Turn toward a more recent descendant of TCT, “The Sleuth Kit”, to get a better look at forensics data
  - Use the Autopsy Forensic Browser GUI…
- In investigations, don’t forget to look in blocks marked bad! There could be some very useful data hidden in there
- Dead vs. live analysis modes
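
The "look in blocks marked bad" advice, as an added example that is neither the slides' code nor Sleuth Kit code: a triage pass over the blocks a file system has marked bad. A genuinely bad block normally reads back as zeros, as a constant fill, or as an I/O error, so a "bad" block holding non-zero data with some structure is the one to examine. The disk image and the bad-block list are constructed; on a real ext2/3 image the block list would come from the bad-blocks inode (inode 1) and the bytes from your forensic copy.

```python
# Added example (not from the slides, not Sleuth Kit code): find bad-listed
# blocks that still hold structured data. Image and bad-block list are
# constructed.
import math
from collections import Counter
from typing import Iterable, List, Tuple

BLOCK_SIZE = 1024   # block size of this constructed ext2/3-style image

Suspect = Tuple[int, int, float]   # (block number, non-zero bytes, entropy in bits/byte)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def read_block(image: bytes, block_no: int, block_size: int = BLOCK_SIZE) -> bytes:
    return image[block_no * block_size:(block_no + 1) * block_size]


def suspicious_bad_blocks(image: bytes, bad_blocks: Iterable[int],
                          block_size: int = BLOCK_SIZE, min_entropy: float = 1.0) -> List[Suspect]:
    """Blocks on the bad-block list that contain non-zero data with some
    structure. min_entropy filters out a block that is, say, all 0xFF."""
    suspects: List[Suspect] = []
    for block_no in sorted(set(bad_blocks)):
        chunk = read_block(image, block_no, block_size)
        if not chunk:
            continue                      # beyond the end of the image
        nonzero = sum(1 for b in chunk if b)
        entropy = shannon_entropy(chunk)
        if nonzero and entropy >= min_entropy:
            suspects.append((block_no, nonzero, round(entropy, 2)))
    return suspects


def build_constructed_image() -> Tuple[bytes, List[int]]:
    """Eight zeroed blocks: block 2 hides readable text, block 5 hides
    high-entropy data, block 6 is marked bad and genuinely empty, block 7 is
    marked bad and reads as all 0xFF (an unreadable-sector fill pattern)."""
    blocks = [bytes(BLOCK_SIZE) for _ in range(8)]
    note = b"constructed hidden note: attacker's stash lives here\n"
    blocks[2] = (note * (BLOCK_SIZE // len(note) + 1))[:BLOCK_SIZE]
    blocks[5] = (bytes(range(256)) * 4)[:BLOCK_SIZE]
    blocks[7] = b"\xff" * BLOCK_SIZE
    return b"".join(blocks), [2, 5, 6, 7]


if __name__ == "__main__":
    image, bad = build_constructed_image()
    for block_no, nonzero, entropy in suspicious_bad_blocks(image, bad):
        print(f"block {block_no}: {nonzero} non-zero bytes, entropy {entropy} bits/byte")
```

A block that a drive really cannot read will not reach this code at all (the imaging tool records the error), so in practice anything on the bad-block list that reads cleanly deserves the look the slide recommends; the entropy figure only helps decide whether to start with a strings pass (text-like, low entropy) or to treat the block as encrypted or compressed (near 8 bits/byte).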

46  Conclusions
- Remember good ol’ Sun Tzu
- Attackers keep improving their capabilities and tools
- Don’t get discouraged
- We must keep up with them
  - Understand their techniques
  - Deploy, maintain, and update effective defenses
- Consider it an intellectual challenge… with job security
- Just remember… it is the Golden Age
- By remaining diligent, we can secure our systems!

