Ed Skoudis June 6, 2003 Seminar Series Breaking News – The Latest Computer Attacks and Defenses.

1 Ed Skoudis June 6, 2003 Seminar Series Breaking News – The Latest Computer Attacks and Defenses

2 ©2003 Ed Skoudis
Presentation Outline
- Purpose & General Trends
- Step 1: Reconnaissance
- Step 2: Scanning
- Step 3: Gaining Access
- Step 4: Maintaining Access
- Step 5: Covering the Tracks
- Conclusions

3 A Quote from One of History's Greatest Hackers
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
Sun Tzu, The Art of War

4 Purpose
- We're not here to teach you how to hack… However, to defend yourself, you must understand your adversaries' strategies and tactics
- We will discuss prominent recent advances in computer attack techniques… to gain an understanding of how to defend against new attacks
- We are not endorsing these attack tools, but you have to be ready to defend against them
- We will also discuss a variety of useful defensive tools… but check to make sure you have permission to use them! Talk to the system owners…

5 General Trends – The Storm after the Quiet
- For six months, we saw a major drop in the release of new vulnerabilities and attack tools after September 11, 2001
  - Shock over terrorism
  - Fear of law enforcement and the PATRIOT Act
  - Concern about the DMCA
- Timeline: Sept 11, 2001 to March 2002: relatively quiet. March 2002 to now: the gloves are off! Major new attacks and tools

6 General Trends – Software Distro Site Attacks
- Trojaning software distribution sites: hack into the web/FTP site and alter the software to include a backdoor. Everyone who downloads and uses the tool is impacted!
  - May 2002: IRC client compromised
  - May 17-24, 2002: Dsniff, Fragroute, and Fragrouter hacking tools compromised
  - July 30 – August 1, 2002: OpenSSH security tool compromised
  - Sept 28 – Oct 6, 2002: sendmail mail server compromised
  - Nov 11-13, 2002: tcpdump sniffer and libpcap compromised
- Some pretty big names have fallen to this attack!
- What to do? Check hashes… across multiple mirrors. Don't put new software directly into production… test first!
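As an added example (not part of the seminar slides), here is the "check hashes across multiple mirrors" advice as a small Python routine: it compares a download's SHA-256 with the digests several mirrors publish and flags the odd mirror out instead of trusting any single site. The archive bytes, mirror names and digests are constructed for the demonstration.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for a downloaded release archive (not real tarballs).
GOOD_TARBALL = b"tcpdump-x.y.z.tar.gz: constructed stand-in for a release archive\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"# extra bytes: models a copy altered on a mirror\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_release(data: bytes, published: dict) -> dict:
    """Check one download against the digests several mirrors publish.

    published maps a mirror name to the SHA-256 hex digest it advertises.
    Rather than trusting a single site (which may be the one that was
    altered), the check looks for a majority among the mirrors and reports
    every mirror whose published digest differs from that majority.
    """
    digest = sha256_hex(data)
    tally = Counter(published.values())
    majority, votes = tally.most_common(1)[0]
    outliers = sorted(m for m, d in published.items() if d != majority)
    if votes == len(published):                 # every mirror agrees
        verdict = "ok" if digest == majority else "download-mismatch"
    elif votes * 2 > len(published) and digest == majority:
        verdict = "ok-but-mirror-outlier"       # a minority of mirrors is wrong: investigate them
    else:
        verdict = "untrusted"                   # no clear majority, or we match only an outlier
    return {"digest": digest, "verdict": verdict, "outliers": outliers}

# Constructed mirror names and published digests for the demonstration.
ALL_AGREE = {f"mirror-{i}.example": sha256_hex(GOOD_TARBALL) for i in "abc"}
ONE_ALTERED = dict(ALL_AGREE, **{"mirror-c.example": sha256_hex(TAMPERED_TARBALL)})
SPLIT = {"mirror-a.example": sha256_hex(GOOD_TARBALL),
         "mirror-b.example": sha256_hex(TAMPERED_TARBALL)}

if __name__ == "__main__":
    for label, data, mirrors in [("clean", GOOD_TARBALL, ALL_AGREE),
                                 ("tampered download", TAMPERED_TARBALL, ALL_AGREE),
                                 ("one mirror altered", GOOD_TARBALL, ONE_ALTERED),
                                 ("two mirrors disagree", GOOD_TARBALL, SPLIT)]:
        print(f"{label:22} -> {verify_release(data, mirrors)['verdict']}")
```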

7 Tcpdump Trojan
(Figure) How the Trojan horse tcpdump package worked:
- Admin downloads the Trojan horse version of the tcpdump and/or libpcap package
- On the victim's system, the install package's configure script downloads and runs a "services" script from the attacker's web server
- That script generates, compiles, and executes a C program backdoor
- The backdoor polls for a control character (A, D, or M) on TCP port 1963
- If the D character arrives, it runs a shell and shovels the shell across the network to the attacker, who types commands there for execution on the victim's machine

8 Tcpdump Trojan Horse Details
Interesting notes:
- A, D, and M for commands… where do those characters come from?
- Why TCP port 1963?
- Similarity to the sendmail Trojan and others
- Shoveling shell: pushing out a connection that is really incoming command shell access. More easily gets through firewalls
- The sniffer itself won't show traffic destined for the backdoor (OUCH!)

10 Reconnaissance
- Many Script Kiddies skip this step
- The best attackers do comprehensive reconnaissance. Adrian Lamo claims that Google is his favorite hacking tool
- Useful public information is plentiful: admin names, addresses, phone numbers, financial info, business partners; job requisitions; technologies in use, IP addresses, DNS servers, network topology, open ports, etc…
- Portals for reconnaissance and attacks:
  - Registration data for over 66 countries
  - Ping, DNS, traceroute, etc.
  - Misc. recon and attack tools

11 Reconnaissance Defenses
- Look for information leakage from your systems before the bad guys find it
- Conduct reconnaissance against your own environment
- Use the same tools as the bad guys… but be careful! If you use their web sites or tools for searches, they could monitor your actions
- Probably best not to do this from your production network; do it from a separate ISP

13 Why Port Scanning?
- TCP and UDP each have ports. Servers listen on ports. They act like doors: data goes out one port and into another port
- Attacker wants to know which ports are open
- Let's focus on TCP port scanning. Most common protocol on top of IP… it's used by HTTP, telnet, FTP, and many other services
- TCP uses the three-way handshake: A sends SYN to B, B replies SYN-ACK, A sends ACK, and the connection is established

14 Normal Port Scanning
- Attackers send SYN packets, and watch for SYN-ACK responses to indicate a listening port
  - SYN to TCP port 1; SYN to TCP port 2; SYN to TCP port 3… SYN-ACK from port 3. Eureka! Port 3 is listening!
- Downside for attacker: the scan can be traced back to the attacker's machine using the source IP address

15 What if Attacker Spoofs Source Address?
- Not very useful, because SYN-ACK responses don't come back to the attacker
- The attacker can't figure out if the port is open or closed, so the port scan is a waste of time
  - SYN to TCP port 1; SYN to TCP port 2; SYN to TCP port 3… the SYN-ACK from port 3 goes to the address the attacker is spoofing, which answers with a RESET!!!

16 IP Identification Field Predictability…
- The IP Identification field in the IP header is used for packet fragmentation: it groups all fragments together for packet reassembly
- If there are no fragments, the IP stack assigns some value to this field
- When some systems send packets, they just increment the IP ID field by one for each packet. Each packet gets an IP ID value that is one bigger than the previous packet's value
- (Figure) IP header fields: Vers, Hlen, Svc Type, Total Length; Identification, Flags, Frag Offset; TTL, Protocol, Header Checksum; Source IP Address; Destination IP Address; IP Options (if any), Padding; Data…

17 Predictable IP ID – Idle Scans in Nmap
(Figure)
- Attacker sends a SYN to the machine that gets framed
- The framed machine replies with a SYN-ACK, with IP ID = X
- Attacker remembers IP ID = X

18 IP Identification Scanning (A.K.A. Idle Scanning)
(Figure)
- Attacker sends a spoofed SYN, apparently from the machine that gets framed, to TCP port 3 on the target
- If the port is open, the target sends a SYN-ACK from port 3 to the machine that gets framed, which answers with a RESET (spending one more IP ID)
- Step 7: attacker sends another SYN to the machine that gets framed. Step 8: it replies with a SYN-ACK
- ANALYZE STEP 8! If the IP ID of step 8 is X+2, the port is listening. If the IP ID of step 8 is X+1, the port is closed.
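The following Python model is an added example, not part of the seminar material: it simulates slides 16 to 18 without sending any packets, showing why a framed machine whose IP ID steps by one leaks whether the target's port answered, and it includes the check a defender would run on a sample of a host's own IP IDs. The Host class, its starting IP ID and the port numbers are constructed for the simulation.

```python
import random

class Host:
    """Toy IP stack whose only observable is the IP ID on each packet it sends.

    randomize=False models the stacks the slides describe (IP ID grows by one
    per packet); randomize=True models a stack that picks IP IDs unpredictably.
    """
    def __init__(self, open_ports=(), randomize=False, seed=0):
        self.open_ports = set(open_ports)
        self._next = 1000
        self._rng = random.Random(seed) if randomize else None

    def emit(self) -> int:
        """IP ID carried by the next packet this host sends."""
        if self._rng is not None:
            return self._rng.randrange(65536)
        self._next += 1
        return self._next

    def on_syn(self, port: int) -> dict:
        """Answer a SYN: SYN-ACK from a listening port, RESET from a closed one."""
        kind = "SYN-ACK" if port in self.open_ports else "RESET"
        return {"kind": kind, "ipid": self.emit()}

    def on_unsolicited(self, pkt: dict) -> None:
        """A SYN-ACK nobody asked for gets a RESET (costing one IP ID);
        an unsolicited RESET is dropped silently."""
        if pkt["kind"] == "SYN-ACK":
            self.emit()

def infer_port_state(x: int, y: int) -> str:
    """Slide 18's rule: X+2 means listening, X+1 means closed (16-bit wrap-around)."""
    return {2: "listening", 1: "closed"}.get((y - x) % 65536, "unknown")

def idle_scan(framed: Host, target: Host, port: int) -> str:
    x = framed.on_syn(0)["ipid"]     # probe the framed machine (any port), remember IP ID = X
    reply = target.on_syn(port)      # the spoofed SYN appears to come from the framed machine...
    framed.on_unsolicited(reply)     # ...so the target's reply lands there, not on the attacker
    y = framed.on_syn(0)["ipid"]     # probe again and read the new IP ID
    return infer_port_state(x, y)

def ipid_is_predictable(samples: list) -> bool:
    """Defender's check on a host's own packets: do its IP IDs step by one?"""
    return all((b - a) % 65536 == 1 for a, b in zip(samples, samples[1:]))

if __name__ == "__main__":
    target = Host(open_ports={22, 80})          # constructed target
    print(idle_scan(Host(), target, 80))        # listening
    print(idle_scan(Host(), target, 443))       # closed
    old_stack, random_stack = Host(), Host(randomize=True)
    print(ipid_is_predictable([old_stack.emit() for _ in range(8)]))      # True
    print(ipid_is_predictable([random_stack.emit() for _ in range(8)]))   # False
```

A host whose IP IDs fail ipid_is_predictable cannot serve as the framed machine, which is the mitigation the slide's own logic implies.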

19 Scanning – Paketto Keiretsu
- Suite of tools for doing TCP/IP tricks, by Dan Kaminsky. Released October 8, 2002
- Available at (URL elided in transcript)
- One capability: very rapid port scanning
  - Separate the packet sender process from the receiver
  - Sender transmits SYNs as quickly as the network will carry them
  - Receiver sniffs the SYN-ACK responses
  - Sender and receiver are out of synch, but that's ok
- The idea could be extended…

20 Port Scanning Defenses
- Action item: run netstat -na to see what's listening (on UNIX and Windows). Alternatively, use Fport on Windows and lsof on UNIX
- For those services you don't need, close unused ports: disable unneeded services
  - In Windows: check Start > Programs > Administrative Tools > Services
  - In UNIX: check /etc/rc.d/init.d and /etc/xinetd
- For incident handling, realize that these scans are possible
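As an added example (not from the slides), this Python script applies the "run netstat -na" action item: it parses the listener lines from Linux- or Windows-style netstat -na output and reports any bound port that is not on the host's approved list. The sample output and the approved-port set are constructed; TCP port 1963 appears in it only because the tcpdump Trojan slide names that port.

```python
import re

# One regex for both formats the slide mentions: Linux netstat -na (Recv-Q/Send-Q
# columns, state LISTEN) and Windows netstat -na (no queue columns, state LISTENING).
NETSTAT_LINE = re.compile(
    r"^\s*(tcp6?|udp6?|TCP|UDP)\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)\s*(\S+)?\s*$")

def parse_listeners(netstat_output: str) -> set:
    """Return {(proto, bound_address, port)} for every socket something could reach.

    TCP sockets count only in LISTEN/LISTENING state (established connections
    are skipped); every bound UDP socket counts, since UDP has no state column.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue                      # headers and blank lines
        proto, local, _foreign, state = m.groups()
        proto = proto.lower().rstrip("6")
        if proto == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")   # rpartition keeps IPv6 ':::22' intact
        listeners.add((proto, addr, int(port)))
    return listeners

def unexpected_listeners(listeners: set, allowed: set) -> list:
    """Listeners whose (proto, port) is not on the approved list for this host."""
    return sorted(l for l in listeners if (l[0], l[2]) not in allowed)

# Constructed netstat -na output mixing Linux- and Windows-style lines for the demo.
SAMPLE_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1963            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""
# What this (hypothetical) host is supposed to expose.
APPROVED = {("tcp", 22), ("tcp", 3306), ("udp", 53), ("tcp", 135), ("udp", 500)}

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(parse_listeners(SAMPLE_OUTPUT), APPROVED):
        print(f"unexpected {proto} listener on {addr}:{port}")
```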

22 Gaining Access – Detailed Code Analysis Tools
- Consider recent months: major holes in Apache, Internet Explorer, OpenSSL, OpenSSH, Sendmail, Snort… the list keeps growing!
- We've seen a recent revolution in detailed vulnerability analysis tools, used to find buffer overflows, heap overflows, etc.
- Think of these tools as X-rays or microscopes to look inside executable code at a fine-grained level
  - Look for common mistakes that let an attacker take over a system
  - Step through machine language code, line by line
- To learn more about such tools, check out the Honeynet Project Reverse Challenge at: (URL elided in transcript)

23 Code Analysis Tools – Windows
(Table: tool name; commercial or free; summary; where to get it)
- APISpy32, by Yariv Kaplan. Free. On Windows systems, this tool monitors all API calls, showing the value of all variables passed along the way. Where to get it (URL truncated in transcript): om/utilities_main.htm
- Heap Debugger, by Anonymous. Free. On Windows systems, this tool lists all memory locations not properly released by an application. Where to get it (URL truncated in transcript): 24/cat277/4136.htm
- APIHooks, by EliCZ. Free. On Windows systems, this tool intercepts API calls, allowing an attacker to analyze or even manipulate the flow of data through a program.
- Feszer, by Frank Swiderski. Free. This Windows tool is used to analyze problems in string handling functions. Where to get it (URL truncated in transcript): m/research/tools/index.html

24 Code Analysis Tools – UNIX
(Table: tool name; commercial or free; summary; where to get it)
- Sharefuzz, by Dave Aitel. Free. On UNIX machines, this program can be used to find holes from local accounts on a machine. Where to get it (URL truncated in transcript): rojects/sharefuzz/?topic_id=43
- SPIKE, by Dave Aitel. Free. On UNIX machines, this tool can be used to find flaws in network protocol handling, especially in web servers and remote procedure calls.
- Electric Fence, by Bruce Perens. Free. On UNIX machines, this tool can find flaws with the way the system frees memory, which could lead to security exposures. Where to get it (URL truncated in transcript): eSoftware/
- Fenris, by Michal Zalewski. Free. Multipurpose tracer, stateful analyzer and partial decompiler for UNIX. Where to get it (URL truncated in transcript): om/tools/fenris/

25 Code Analysis Tools – Both
(Table: tool name; commercial or free; summary; where to get it)
- IDA Pro, by Data Rescue. Commercial. This program is the premier code disassembler tool for both Windows and Linux. It is extremely powerful and very widely used to find security flaws.
- Cenzic's Hailstorm. Commercial. This powerful tool allows for finding defects by injecting faults into software. Where to get it (URL truncated in transcript): om/
- People used to say that closed source was more secure because attackers couldn't analyze it as much. This is increasingly less true because of tools like these!

26 SQL Slammer
- So, how are they propagating their exploits? Increasingly, they are using worms
- Remember SQL Slammer? January 2003: fast-spreading worm on the rampage
- Patch SQL Server! Am I running it? Very hard to tell: many products use it, and Microsoft doesn't make it easy to detect

27 SQL Slammer Impact
- Took much of South Korea off of the Internet for several hours. Ironically, this limited its spread: by clogging links, the worm couldn't spread as quickly to the outside world
- One Emergency 911 call center was taken off line
- Over 13,000 ATMs (money machines) offline in North America
- Some airlines cancelled a few flights

28 SQL Slammer Characteristics
- Why did SQL Slammer cause such damage?
  - People didn't know they were running the Microsoft SQL service
  - Fast spread via small size and UDP: only 376 bytes, and it attacked the Microsoft SQL service, which uses UDP

29 Worm Efficiencies and TCP vs. UDP
- To establish sequence numbers, TCP uses a three-way handshake (SYN, SYN-ACK, ACK) to initiate a connection
- UDP doesn't… (Figure) a single packet from A is all it takes

30 UDP-based Worms
- Analogy: spreading a cold in Grand Central Station
  - TCP: shake everyone's hand… (three-way handshake)
  - UDP: lob infected ping pong balls
- (Figure) Worm spread via TCP vs. worm spread via UDP

31 Defenses Against Code Flaws & Worms
- Keep your systems patched, with a well-defined process for:
  - Learning about new patch availability
  - Acquiring and authenticating patches
  - Testing patches in a non-production environment
  - Rolling patches into production
- Write secure code! Education of software developers
  - Good book for Windows: Writing Secure Code, by Howard and LeBlanc
  - Good stuff for UNIX: by D. Wheeler (URL truncated in transcript: programs/)
- Automated software checking tools: ITS4, RATS, Flawfinder (URLs elided in transcript)

33 Trojan Horse Backdoors
(Table: type of Trojan horse backdoor; characteristic; analogy; example tools in this category)
- Application-Level Trojan Horse Backdoor: a separate application runs on the system. Analogy: an attacker adds poison to your soup. Examples: Sub7, BO2K, Tini, etc.
- Traditional RootKits: critical operating system components are replaced. Analogy: an attacker replaces your potatoes with poison ones. Examples: Lrk6, T0rnkit, etc.
- Kernel-Level RootKits: the kernel is patched. Analogy: an attacker replaces your tongue with a poison one. Examples: Knark, adore, Kernel Intrusion System, etc.
(Figure) Traditional RootKit: good kernel; Trojan login, Trojan ps, Trojan ifconfig; good tripwire. Kernel-level RootKit: kernel carrying a Trojan kernel module; good login, good ps, good ifconfig, good tripwire. Application-level: good kernel; good programs, plus an evil app.

34 Maintaining Access – Trojan Horse Backdoors
- New, even stealthier Application-Level Trojan Horse Backdoors: Setiri
  - Written by Roelof Temmingh and Haroon Meer. Code shown August 2002; no release scheduled
  - Standard functions: upload file, execute program, download file
  - Uses an invisible IE browser window and OLE to communicate with the browser to send data to the attacker over HTTPS
  - If the personal firewall allows the browser to send traffic to the Internet, the backdoor can communicate with the attacker. Also gets through NAT, proxies, and stateful firewalls

35 Setiri Architecture
- (Figure) Components: victim, firewall, anonymizers, connection broker (web server with the attacker's CGIs), attacker; traffic carried over HTTPS
- STEP 1: Attacker somehow installs Setiri on the victim machine

36 Kernel Level RootKits
- An area that continues to get attackers' attention is the kernel-level RootKit
- By operating in the kernel, the attacker has complete control of the target machine: hidden processes, hidden files, hidden network use (sniffing and port listeners), execution redirection
- Three ways of implementing: loadable kernel module; patch the kernel image on the hard drive; alter the kernel in memory on a running system! Yikes!!!

37 Maintaining Access Defenses
- Block access to the anonymizer site (URL elided in transcript). Works for the base Setiri tool and relatives, but the attacker could use another anonymous proxy or connection broker. Still, it's a pretty reasonable idea
- Anti-virus tools: look for signatures in the near future
- Browser vendors (ahem…) possibly looking at limiting the actions of an invisible browser
- Additionally, protect your kernel! St. Michael for Linux, by Tim Lawless (URL elided in transcript); Okena and Entercept for Windows and Solaris

39 Covering Tracks with The Defiler's Toolkit
- Forensics now faces… anti-forensics
- The Coroner's Toolkit is very popular, along with its descendant, TASK (URL elided in transcript)
- The Defiler's Toolkit attempts to confuse forensics investigations
  - Targets the Linux Ext2fs file system, but the ideas could be extended to other platforms
  - By anonymous, released July 2002
  - Available at (URL elided in transcript)

40 Defiler's Toolkit
- Data hiding
  - The bad blocks inode points to blocks that don't function properly
  - Attacker associates good blocks with the bad blocks inode and stores data there: carve out a segment of your hard drive and label it bad
  - The drive appears smaller, but TCT won't look in the bad blocks
- Data destruction with Necrofile
  - Undelete tools remove just the data, not the meta-data (inodes and directory entries)
  - Necrofile scrubs inodes clean, based on deletion time criteria
- Data destruction with Klismafile
  - Directory entries show deleted filenames and sizes
  - Klismafile searches for these entries and scrubs them

41 Defending Against The Defiler's Toolkit
- The Coroner's Toolkit, as cool as it was, is a bit outdated. Turn toward a more recent descendant of TCT, TASK, to get a better look at forensics data
- In investigations, don't forget to look in blocks marked bad! There could be some very useful data hidden in there

43 Conclusions
- Remember good ol' Sun Tzu
- Attackers keep improving their capabilities and tools. Don't get discouraged: we must keep up with them
  - Understand their techniques
  - Deploy, maintain, and update effective defenses
- Consider it an intellectual challenge… with job security
- Just remember… it is the Golden Age. By remaining diligent, we can secure our systems!

44 References – Keeping Up
- The web: (URLs elided in transcript)
- Test your knowledge while having fun! Monthly Crack the Hacker Challenge:
  - Willie Wonka and the Chocolate Hackery (Feb 2003)
  - Hack to the Future (January 2003)
  - How the Grinch Hacked Christmas (December 2002)
  - Spider-Hack (November 2002)
  - Robin Hack, Prince of Thieves (October 2002)
  - The Princess Hack (September 2002)
  - Crackers, Admins, and Sploits... Oh My! (July 2002)
  - HACK WARS, Episode IV, A New Hack (June 2002)
  - Backdoor Shell Game Face/Off (May 2002)
