Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security CPSC6128 – Lecture 4 Post Exploitation 1.

Published byCharlotte Conley Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Security CPSC6128 – Lecture 4 Post Exploitation 1."— Presentation transcript:

1 Network Security CPSC6128 – Lecture 4 Post Exploitation 1

2 Network Attack Methodology
Recon – Information gathering Scanning – Enumeration Vulnerability Identification Exploit Gaining access Elevating given access Application/Web level attacks Denial of Service (DOS) Post Exploitation Persistence - Maintaining Access Removing Forensic Evidence Exfiltration TODAY’S LECTURE 12

3 Persistence, Trojans, Backdoors

4 Persistence – Maintaining Access
Real attackers attempt to be on the compromised system for a long time The longer the attacker has access, the more damage can be done Some exploits only work one time

5 Startup Service Linux Windows OS X xinetd, initd
registry startup key, windows service OS X cron or plist file for Launchd

6 Trojans Non self replicating “back door” program which runs hidden on the infected computer Can be installed using one of the following methods Non-trusted software download Attachments Application level exploits Executable content on websites (Flash or ActiveX) Trojan can be used to maintain control of the system, access password, keylog, etc.

7 Viruses, Worms Virus Worm Blended Threat
typically attaches itself to another program to enable replication much like a human virus. Worm similar to a virus but by design is self replicating can replicate through a network without the assistance of a human. Blended Threat combines aspect of Trojans viruses and worms CodeRed was a example of a blended threat which at the same time launched DDOS attacks left behind trojans, and was self replicating

8 Trojans – What is the Objective
Typically motivated by financial gain they look for credit card, account data, confidential documents, financial data, etc. Make victims computer become a remote proxy allow for the attacker to mask their tracks for additional attacks Make the infected computer part of a BOTnet plant the ability to launch DDOS type attacks

9 TCP/UDP Port Typically Used by Trojans
Protocol Port Back Oriface UDP 31337 or 31338 Deep Throat 2140 and 3150 NetBus TCP 12345 and 12346 Whack a mole 12361 and 12362 NetBus 2 Pro 20034 GirlFriend 21544 Masters Paradise 3129, 40421, 40422, 40423, 40426

10 Determining which ports are listening
Windows – Start->Run->CMD netstat –an netstat –an |findstr <port number>

11 Proxy Server Trojans Starts a hidden http proxy on the victims computer Uses the victim’s computer as a transit point to attack yet another victim Hides the location of the attacker

12 NetBus Trojan Remote control Trojan program
Allows anyone running the client (control program) to control any machine infected with NetBus Trojan

13 Netcat Written by “Hobbit” Released in March 1996
Currently hosted at: Blindly reads and writes data to and from network connections Often called the “Swiss Army Knife” of network tools Runs on almost all platforms Linux, Windows, OS X, SunOS, Solaris, etc. Working Mode Client mode Listen mode

14 Netcat Client Mode Initiates a network connection StdInput is sent
from the local system to a specified remote network port StdInput is sent to the remote network port using “pipes” Works much like standard “cat” command Returned data is sent to StdOutput Messages from Netcat itself are sent to StdError

15 Netcat Listen Mode It waits for a connection from the network
“-l” option puts Netcat in listen mode Basically take it as a network server Data received from the network is sent to StdOutput Data received from StdInput is sent to the network Messages from Netcat itself are sent to StdError

16 Important Netcat Switches
-l Places Netcat in listen mode -p Specifics the source or local port that Netcat should use -s Source ip address -h Prints help -e Program to execute after connecting -u Use UDP instead of TCP -L Persistent listener in Windows Keeps listening even after nc disconnects Make use of standard IO redirection Use “nc ( >, < or |)” home-macpro:~ kobrien$ nc -h [v1.10] connect to somewhere: nc [-options] hostname port[s] [ports] ... listen for inbound: nc -l -p port [-options] [hostname] [port]

17 Netcat Uses Data Transfer Backdoors Replay Attacks
Vulnerability Scanning Port Scanning Relays *** Be sure to check out “Counter Hack Reloaded” by Ed Skoudis. Has a very thorough explanation of nc.

18 Example: Netcat Data Transfer
Send a file between two machines Send a file from the nc listener to the nc client Listener: nc –l –p [port] < [filename] Client: nc [listener ip] [port] > [filename] Send a file from the nc client to the nc listener Listener: nc –l –p [port] > [filename] Client: nc [listener IP] [port] < [filename]

19 Example: Netcat Data Transfer from Listener to Client
nc listener nc client

20 Example: Make Connection to Open Port
Better to use in place of telnet nc is faster and it is easier to drop the connection Some raw binary data can be accidently interpreted by telnet nc can do UDP as well as TCP

21 Wrappers So how does one get a Trojan on a machine? Typical method
“wrapping” the Trojan with another executable file which the user runs The two programs are wrapped together into a single file However, the user only sees the exe which was used to wrap the Trojan The Trojan runs in the background

22 Wrappers - Examples

23 Network Steganography for Data Exfiltration

24 Steganography Concept
In Art and science a secret message can be hidden no one other than the sender and receiver is aware of the message Physical steganography Can be dated back to ancient Greece Stories told of tattoos on the heads of slaves Heads can then be shaved to reveal the message

25 Steganography Example
During WWII “microdots” where used extensively to transmit messages. Microdots are small dots which covers a hidden message. KGB Microdot camera for single exposures smaller than 1mm diameter on a special colloid emulsion, size of the camera 7x12mm, the negatives were sent behind stamps and viewed through microscopes Courtesy: WestLicht Auctions

26 Covert Channel The “message” is hidden within the traffic of a legitimate communications channel. Normal Traffic Covert Channel Sender Hiding Process Detection Process Receiver

27 Network Steganography
The “message” is hidden within the traffic of a legitimate communications channel secret info secret info sender receiver Stego Algorithm Channel Detection Algorithm network packet network packet secret key

28 Common Example – Tunnel inside TCP 80
Tunneling Encapsulating one protocol into another protocol Very common method for even legitimate applications Tunnel communications over TCP 80 Other methods include tunneling inside SSH and GRE tunneling Tunneling may causes problems for firewalls Firewalls rely on restricting traffic by IP and source/destination port Application layer firewalls dig deeper into the packets and can filter by the application itself

29 Acknowledgement Number
TCP Header (review) Bit 0 Bit 4 Bit 8 Bit 12 Bit 16 Bit 20 Bit 24 Bit 28 Bit 32 Source Port Destination Port Sequence Number Acknowledgement Number Reserved U A P R S F Window Checksum Urgent Pointer Options and Padding 16 bits that can be used for a covert channel. (note: all bit combos not available as the flags have to present a valid state)

30 covert_tcp Some methods hide data in ‘optional’ fields of a protocol header The preferred method is to hide data in mandatory fields It is more effective Network equipment can easily be programmed to reset or erase ‘optional’ fields covert_tcp was created by Craig Rowland Covert_tcp can hide data in The IP datagram’s ID Field The Sequence number of the TCP segment The ACK number of the TCP segment

31 covert_tcp -- TCP ACK method
IP Identification method Insert a single ASCII character and receive it at the other end TCP Sequence Number method Send SYN with ASCII character as the initial sequence number Reply with a RST RST actually ACKs the receipt of the hidden character TCP ACK # Most covert and sophisticated Sender “bounces” the information off an unwitting intermediate party

32 covert_tcp (TCP ACK method)
Client sends SYN packet to bounce server Source address is spoofed to recipients address ISN # is ASCII # -1 Bounce server responds to receiver Sends SYN ACK or RST Both increment ISN by 1 and ASCII character is received

33 covert_tcp (TCP ACK method)
When using IP Iden mode (default) here is the ASCII to IDENT # encoding Letter Ascii x256 A B D E F G H I J K L M N O P Q R S T U V W X Y Z

34 covert_tcp – Example (sender)

35 covert_tcp – Example (Receiver)

36 Loki Covert channel over ICMP
Attacker install Loki on compromised server Requires root permissions Grabs incoming ICMP packets from the kernel Attacker installs Loki client on a remote machine Data is sent to client lokid using ICMP packets Under the radar of most detection mechanisms since ICMP is commonly allowed, and doesn’t have UDP/TCP ports

37 Loki Can use UDP 53 Can switch between UDP and ICMP on the fly
to disguise as a DNS request Can switch between UDP and ICMP on the fly Encryption supported Blowfish and DH key exchange For details, see handout

38 Reverse WWW Shell Covert channel using HTTP
Can be installed on compromised machine Every 60 seconds it “phones home” and contacts external server It “pulls” in commands and sends over normal HTTP Looks like normal web traffic Same idea used by legitimate software such as GoToMyPC

39 Logging

40 Altering Event Logs Even rootkits may leave traces in log files
With admin privilege Attacker could delete log files But probably a bad idea…very obvious A better idea selectively edit the log files

41 Logs in Windows EventLog is logging server
Files ending with .LOG SECURITY, SYSTEM, APPLICATION This info is moved to main event logs SECEVENT.EVT, SYSEVENT.EVT The .EVT files read by admin using Windows Event Viewer

42 Windows Event Viewer

43 Windows Logs SECEVENT.EVT SYSEVENT.EVT APPEVENT.EVT Failed logins
policy changes attempts to access files without permission, etc. SYSEVENT.EVT E.g. details of driver failures APPEVENT.EVT Application related issues

44 Windows Logs Altering event logs At a minimum must change SECEVENTs
EVT files Are“locked” and Are in a binary format Cannot open/edit with usual tools With physical access Boot to Linux and edit logs Not practical in most cases

45 Windows Logs Event editing tools Winzapper
Attacker can selectively edit EVT files But must reboot machine to restart EventLog service

46 WinZapper

47 Unix Logging Log files usually in ASCII text
With privilege they are easy to edit Config file tells where log files are located Attacker can locate files and edit Also accounting files utmp, wtmp, lastlog Binary files so they are harder to edit

48 Unix Logging Tools to edit accounting files
Many can be found at wtemped Marry Cloak Logedit wzap Accounting file editing tool is standard part of most rootkits

49 Shell History Files List of command line, commands issues
Attacker would like to edit this Files are in ASCII so they are easy to edit Can insert lines Why would this be useful? Edit to shell file written to shell history When shell is exited gracefully How to get around this?

50 Defenses Activate logging Periodically audit logging
Log according to some specified policy Periodically audit logging Allow plenty of space for logs Restrictive permissions on log files Use separate server for logging Logs redirected to logging server Not everything can be redirected

51 Defenses Encrypt log files Make log files “append-only”
Store files on unalterable media Non rewriteable CD/DVD

52 Hidden Files Why would an attacker use hidden files
Store attack tools Save sniffed passwords, etc. What does “hidden” mean? Maybe just hard to find Or easily overlooked

53 Hidden Files In Unix prepend “.” to filename
Use “,” followed by spaces(s) Other ideas?

54 Hidden Files in Windows
Use “hidden” attribute Not great…

55 Hidden Files in Windows

56 Hidden Files in Windows
Alternate Data Streams (ADS) Available in NTFS Multiple streams of data can be associated with a single file These streams can store any info “usual” view is just one such stream Fairly effective means of hiding files c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe (? Need to try it ) Will fork anyfile.exe with the windows calc file Calculator will still work fine!

57 Defenses File integrity checking Host based IDS
In Windows, use ADS aware tools CrucialADS, LADS

58 Example Attacks

59 Example – Operation Aurora - 2009
Targeted user received a link in or instant message from trusted source User clicks on link, visits website with malicious Javascript Exploit downloads a binary disguised as an image from servers and executes the payload Payload sets up long term backdoor and connects back to command and control servers Attackers target intellectual property and source code control system. Reference: McAfee Report – Protecting YourCritcal Assets

60 Example – RSA Breach Phishing targeted two small groups of employees Excel spreadsheet contained Zero Day exploit in Adobe Flash After exploitation of victims machine Poison Ivy RAT tool installed Reverse TCP to attackers command and control server (C&C) Attackers then moved laterally in the organization

61 Posion Ivy

62 Questions??

Download ppt "Network Security CPSC6128 – Lecture 4 Post Exploitation 1."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.

Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Unit 18 Data Security 1.

Unit 18 Data Security 1.
Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.

Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.
Covering Tracks and Hiding 1 Covering Tracks and Hiding.

Covering Tracks and Hiding 1 Covering Tracks and Hiding.

Similar presentations

Ads by Google