The New Breed of Hacker Tools & Techniques
Ed Skoudis, VP, Security Strategy, Predictive Systems
© 2002, Ed Skoudis and Predictive Systems

"Crack the Hacker" Challenge
- Win a key-chain USB Hard Drive!
- Look for skoudis

Key Points
- General Trends
- War Driving
- Polymorphic Buffer Overflow
- Hidden Backdoors
- Super Worms
- Conclusions

General Trends
- The rise of anti-disclosure
  - Full disclosure has its problems: tell everyone everything
  - Anti-disclosure has a whole new set of problems
  - Famous Microsoft letter on "Information Anarchy"
  - Driving some things underground: kiddies don't have everything... but what is lurking out there?
- Hacktivism: in times of war, attackers can make a political point
- Attacks targeting end-user systems on high-bandwidth connections (DSL and cable modem)
- A focus on tools getting more stealthy: hiding has tremendous benefits for an attacker

Wireless Attacks
- Wireless technology is getting much cheaper: base stations for less than $200, wireless cards under $100
- IEEE 802.11b standard very popular
- Employees setting up their own access points so they can roam around the halls: very dangerous!
- War driving: with a laptop and wireless card, an attacker can drive down the street and join many wireless LANs!

Wireless Misconfigurations
- Many wireless access points (a.k.a. base stations) are configured with no security
- In some installations, users think SSIDs are passwords. They are not!
- Blank or default SSIDs are common
- Access points often respond to broadcast requests asking for the SSID
- SSIDs are sent in clear text and can be sniffed

NetStumbler - Premier Tool for War Driving
- NetStumbler, by Marius Milner
- Windows-based (95, 98, ME, 2000, XP) and PocketPC (MiniStumbler)... but not NT

Other Tools For War Driving
- Wi-scan (Perl script): ties in geography (using GPS) with SSID
- AirSnort: cracks WEP keys; runs on Linux, requires a Prism2 chipset (Linksys), and needs ~500 MB of captured data
- AiroPeek: commercial

War Driving Defenses
- Set SSID to a difficult-to-guess value: it can still be broadcast, sniffed, or brute forced. Not at all effective!!
- MAC address filtering at the access point: wireless card MAC addresses can be spoofed (Dsniff supports this)
- Set WEP keys, and rotate them periodically: remember, WEP can be cracked
- Best defense: use a Virtual Private Network. All data from the end system through the wireless device to the VPN gateway is encrypted and authenticated
- Establish policy for these items; check out www.counterhack.net for examples

What is a Buffer Overflow?
- Seminal paper on this technique by Aleph One, titled "Smashing the Stack for Fun and Profit"
- Allows an attacker to execute arbitrary commands on your machine
  - Take over the system or escalate privileges
  - Get root or admin privileges
- Based on putting too much information into undersized receptacles
- Caused by not having proper bounds checking in software

A Normal Stack
- Programs call their subroutines, allocating memory space for function variables on the stack
- The stack is like a scratchpad for storing little items to remember
- The stack is LIFO
- The return pointer (RP) contains the address of the original function, so execution can return there when the function call is done
Figure: Normal Stack, from top of memory down: Function Call Arguments, Return Pointer, Buffer 1 (Local Variable 1), Buffer 2 (Local Variable 2); the buffers fill toward the top of memory.

Smashing The Stack
- User data is written into the allocated buffer by the function
- If the data size is not checked, the return pointer can be overwritten by user data
- Attacker places exploit machine code in the buffer and overwrites the return pointer
- When the function returns, the attacker's code is executed
Figure: Smashed Stack, from top of memory down: Function Call Arguments, New Pointer to exec code (the Return Pointer is overwritten), Machine Code: execve(/bin/sh) (Buffer 1 space is overwritten), Buffer 2 (Local Variable 2); fill direction is toward the top of memory.

Improving the Odds that the Return Pointer Will Be OK
- Include NOPs in advance of the executable code
- Then, if your pointer goes to the NOPs, nothing will happen
- Execution will continue down the stack until it gets to your exploit
- NOPs can be used to detect these exploits on the network
- Many ways to do a NOP
Figure: Smashed Stack, from top of memory down: Function Call Arguments, New Pointer to exec code (the Return Pointer is overwritten), NOP, Machine Code: execve(/bin/sh) (Buffer 1 space is overwritten).

Polymorphic Buffer Overflow
- In April 2001, ADMutate was released by K2
- ADMutate is designed to defeat IDS signature checking by altering the appearance of the buffer overflow exploit
- Uses techniques borrowed from virus writers
- Works on Intel, SPARC, and HPPA processors
- Targets Linux, Solaris, IRIX, HP-UX, OpenBSD, UnixWare, OpenServer, Tru64, NetBSD, and FreeBSD

How ADMutate Works
- We want functionally equivalent code, but with a different appearance: "How are you?" vs. "How ya doin'?" vs. "What's up?"
- The exploit consists of 3 elements:
  - NOPs
  - Exec-a-shell code
  - Return address
Figure: Pointer to exec stack code, NOP, Machine Code: execve(/bin/sh).

Mutation Engine
- ADMutate alters each of these elements:
  - NOP substitution with operationally inert commands
  - Shell code encoded by XORing with a randomly generated key
  - Return address modulated: the least significant byte is altered to jump into different parts of the NOPs
Figure: Modulated Pointer to NOP Substitutes; NOP substitute, Another NOP, Yet another NOP, A different NOP, Here's a NOP; XOR'ed Machine Code: execve(/bin/sh).

What About Decoding?
- That's nice, but how do you decode the XOR'ed shell code? You can't just run it, because it is gibberish until it's decoded
- So, add some commands that will decode it
- Can't the decoder be detected by IDS?
  - The decoder is created using random elements
  - Several different components of the decoder (e.g., 1,2,3,4,5,6,7)
  - Various decoder components can be interchanged (e.g., 2-3 or 3-2)
  - Each component can be made up of different machine language commands
  - The decoder itself is polymorphic
Figure: Modulated Pointer to NOP Substitutes; NOP substitute, Another NOP, Yet another NOP, A different NOP, Here's a NOP; Polymorphic XOR Decoder; XOR'ed Machine Code: execve(/bin/sh).

ADMutate – Customizability!
- New version allows the attacker to apply different weights to generated ASCII equivalents of machine language code
- Allows the attacker to tweak the statistical distribution of the resulting characters
- Makes traffic look more like the standard for a given protocol, from a statistical perspective
- Example: more heavily weight characters " " in HTTP
- Narrows the universe of equivalent polymorphs, but still very powerful!

ADMutate Defenses
- Defend against buffer overflows
  - Apply patches: have a defined process
  - Non-executable system stacks: Solaris (OS setting); Linux; NT/2000 (SecureStack)
  - Code review: educate developers
- Detection: IDS vendors are at work on this capability now
  - Snort release in Feb 2002 looks for variations of the NOP sled
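The following is an added example, not code from the talk and not ADMutate: it shows, on constructed data, why a fixed byte signature misses an XOR-encoded payload behind a substituted NOP sled (the mutation engine slides above), and how the sled heuristic the defenses slide attributes to Snort still flags it. The inert-opcode set, the threshold and the placeholder payload are assumptions for the demo.

```python
import random

# Single-byte x86 opcodes that are harmless to execute on the way into the
# payload: 0x90 (nop) plus inc/dec reg (0x40-0x4f). Note that 0x41-0x4f are
# also the ASCII letters 'A'-'O', which is what lets a mutation engine make a
# sled look like protocol text. This set is an assumption for the demo, not
# ADMutate's actual substitution table.
INERT_OPCODES = {0x90} | set(range(0x40, 0x50))

# Constructed placeholder standing in for exec-a-shell machine code.
PAYLOAD = b"EXEC-SHELL-STAND-IN"

def xor_bytes(data, key):
    """XOR every byte with a one-byte key; applying it twice decodes."""
    return bytes(b ^ key for b in data)

def mutate(payload, sled_len, seed):
    """One polymorphic variant: random inert sled + XOR'ed payload.

    A real engine also prepends a (polymorphic) decoder stub; it is left out
    because the point here is what the IDS sees on the wire.
    """
    rng = random.Random(seed)            # seeded so variants are reproducible
    sled = bytes(rng.choice(sorted(INERT_OPCODES)) for _ in range(sled_len))
    key = rng.randrange(1, 256)          # key 0 would leave the payload in clear
    return sled + xor_bytes(payload, key)

def signature_match(packet, signature=PAYLOAD):
    """Plain signature IDS: look for the known exploit bytes."""
    return signature in packet

def longest_inert_run(packet):
    """Length of the longest run of inert single-byte instructions."""
    best = run = 0
    for b in packet:
        run = run + 1 if b in INERT_OPCODES else 0
        best = max(best, run)
    return best

def sled_detected(packet, threshold=16):
    """Sled heuristic in the spirit of the Snort check on the slide: a long
    run of inert opcodes is suspicious whatever follows it. The threshold is
    a tuning assumption; set it too low and text such as "GET" trips it."""
    return longest_inert_run(packet) >= threshold

def compare(packets):
    """Return {name: (signature_hit, sled_hit)} for a batch of packets."""
    return {n: (signature_match(p), sled_detected(p)) for n, p in packets.items()}

if __name__ == "__main__":
    samples = {
        "classic": b"\x90" * 32 + PAYLOAD,
        "mutated": mutate(PAYLOAD, 32, seed=7),
        "benign":  b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    }
    for name, (sig, sled) in compare(samples).items():
        print(f"{name:8} signature={sig!s:5} sled={sled}")
```

The benign request shows the false-positive side of the heuristic: "GE" in "GET" is a run of two inert opcodes, which is exactly the overlap the ASCII-weighting slide above describes.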

Hidden Backdoors
- Attacker takes over your system and installs a backdoor to ensure future access
- Backdoor listens, giving shell access
- How do you find a backdoor listener? Sometimes they are discovered by noticing a listening port:
  - Nmap port scan across the network
  - Running "netstat -na" locally
  - Running lsof (UNIX) or Inzider (Windows)
Figure: Backdoor listens on port ABC, reachable from the network.

Sniffing Backdoors
- Who says a backdoor has to wait listening on a port?
- Attackers don't want to get caught, so they are increasingly using stealthy backdoors
- A sniffer can gather the traffic, rather than listening on an open port
  - Non-promiscuous sniffing backdoors: grab traffic just for one host
  - Promiscuous sniffing backdoors: grab all traffic on the LAN

Non-Promiscuous Backdoor – Cd00r
- Written by FX
- Includes a non-promiscuous sniffer: gathers only packets destined for the single target machine
- Several packets directed to specific ports (where there is no listener) will trigger the backdoor
- The sniffer grabs the packets; there is no listener on those ports
- The backdoor root shell starts to listen on TCP port 5002 only when packets arrive at the trigger ports

Non-Promiscuous Backdoor – Cd00r in Action
- The idea has been extended to eliminate even port 5002
  - Netcat can push back a command shell from the server, so no listener is ever required
  - The connection goes from the server back to the client
Figure: client sends SYN to port X, SYN to port Y, SYN to port Z; the server's sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z; after Z is received, it activates a temporary listener on port 5002; the client then connects to the root shell on port 5002.

Promiscuous Backdoor
- Can be used to help throw off an investigation
- Attacker sends data for a destination on the same network
- But the backdoor isn't located at the destination of the backdoor traffic
- Huh? How does that work?

Promiscuous Backdoor in Action
- The backdoor is located on the DNS server
- All packets are sent to the WWW server
- The DNS server backdoor sniffs promiscuously
- In a switched environment, the attacker may use ARP cache poisoning
- Confusing for investigators
Figure: Internet, Firewall, then DNS and WWW servers on the same segment; the sniffer on the DNS server listens for traffic destined for the WWW server.

Sniffing Backdoor Defenses
- Prevent the attacker from getting on the system in the first place (of course)
- Know which processes are supposed to be running on the system, especially if they have root privileges! Not easy, but very important
- Beware of stealthy names (like "UPS" or "SCSI")
- Look for anomalous traffic
- Look for sniffers
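The "look for anomalous traffic" item above can be made concrete for the Cd00r pattern described two slides back: a handful of SYNs to closed ports on one host, followed shortly by that host accepting a connection on a fresh port (or, in the push-back variant, connecting out to the same source). The following is an added example, not from the talk and not Cd00r's code; the flow-log format ("epoch src:sport > dst:dport flags"), the log lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

FLOW = re.compile(r"(\d+) (\S+):(\d+) > (\S+):(\d+) (S|SA|R)$")

# Constructed log: 10.9.9.9 sends SYNs to three closed ports on 192.0.2.10 and
# gets RSTs; two seconds later a listener answers on 5002. The last two lines
# are an ordinary client reaching the web server.
LOG = """\
1012300000 10.9.9.9:40001 > 192.0.2.10:1110 S
1012300000 192.0.2.10:1110 > 10.9.9.9:40001 R
1012300002 10.9.9.9:40002 > 192.0.2.10:2210 S
1012300002 192.0.2.10:2210 > 10.9.9.9:40002 R
1012300004 10.9.9.9:40003 > 192.0.2.10:3310 S
1012300004 192.0.2.10:3310 > 10.9.9.9:40003 R
1012300006 10.9.9.9:40004 > 192.0.2.10:5002 S
1012300006 192.0.2.10:5002 > 10.9.9.9:40004 SA
1012300090 10.7.7.7:51000 > 192.0.2.10:80 S
1012300090 192.0.2.10:80 > 10.7.7.7:51000 SA
"""

def parse(log):
    """Yield (ts, src, sport, dst, dport, flags); malformed lines are skipped."""
    for line in log.splitlines():
        m = FLOW.match(line.strip())
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            yield int(ts), src, int(sport), dst, int(dport), flags

def detect_triggers(events, min_ports=3, window=30, follow=60):
    """Flag a host that refuses SYNs on several ports from one source and then,
    within `follow` seconds, accepts (SA) or initiates (S) a connection with
    that same source. Returns [(knocker, host, trigger_ports, port, kind)].
    A plain port scan leaves refused SYNs but no follow-up, so it is not reported."""
    pending = {}                 # (src, sport, dst, dport) -> SYN timestamp
    refused = defaultdict(list)  # (knocker, host) -> [(ts, closed port)]
    alerts = []
    for ts, src, sport, dst, dport, flags in events:
        if flags == "R":
            syn_ts = pending.pop((dst, dport, src, sport), None)
            if syn_ts is not None:            # RST answering an earlier SYN
                refused[(dst, src)].append((syn_ts, sport))
            continue
        if flags == "S":
            pending[(src, sport, dst, dport)] = ts
        # src is the host here; did dst knock on its closed ports just before?
        knocks = [(t, p) for t, p in refused.get((dst, src), ()) if ts - follow <= t <= ts]
        ports = sorted({p for _, p in knocks})
        stamps = [t for t, _ in knocks]
        if len(ports) >= min_ports and max(stamps) - min(stamps) <= window:
            kind = "listener activated" if flags == "SA" else "connect-back"
            alerts.append((dst, src, ports, sport if flags == "SA" else dport, kind))
            refused.pop((dst, src), None)     # report each trigger sequence once
    return alerts

if __name__ == "__main__":
    for knocker, host, ports, port, kind in detect_triggers(parse(LOG)):
        print(f"{host}: {kind} on port {port} after SYNs from {knocker} to closed ports {ports}")
```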

Here Come the Worms!
- Compromising systems one-by-one can be such a chore
- Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses
- Worms automate the process:
  - Take over systems
  - Scan for new vulnerable systems
  - Self-replicate by moving across the network to another vulnerable system
- Each instance of a worm is a segment

2001: Year of the Worm?
- In 2001, we saw: Ramen, L10n, Cheese, Sadmind/IIS, Code Red and Code Red II, Nimda
- To date, worms haven't been nearly as nasty as they could be
- Most damage is a result of worm resource consumption
- New generations of worms arrive every 2 to 6 months

Coming Soon - Super Worms
- 2002 could be even wormier; be on the lookout for very nasty new worms:
  - Multi-functional: spread, steal, erase, etc.
  - Multi-platform: Win, Linux, Solaris, BSD, AIX, HP-UX...
  - Multi-exploit: many buffer overflows, etc.
  - Zero-day exploits: just discovered; no patch available
  - Polymorphic
  - Metamorphic
- We've seen many of these pieces, but no one has rolled them all together... yet!

Worm Defenses
- Buffer overflow defenses help a lot here
- Rapidly deploy patches
- Anti-virus solutions: at the desktop... AND at the mail server... AND at the file server
- Incident response capabilities, linked with network management

Conclusions
- The attack tools continue to get better
- Attackers are getting stealthier every day
- But don't fret... we can work diligently to keep up
- There's no such thing as 100% security
- Still, by preparing, we can get ready for the bigguns'

References – Keeping Up
- The web:
- Books:
  - Hack Counter Hack CD-ROM, Skoudis, 2002
  - Counter Hack, Skoudis, 2001
  - Hacker's Challenge, Schiffman, 2001
  - Hacking Exposed, Kurtz et al., 2001