CPSC 6128 - Network Security Persistence Maintaining Access
Real attackers attempt to be on the compromised system for a long
time The longer the attacker has access, the more damage can be
done Some exploits only work one time 4
Slide 5
CPSC 6128 - Network Security Startup Service Linux xinetd,
initd Windows registry startup key, windows service OS X cron or
plist file for Launchd 5
Slide 6
CPSC 6128 - Network Security Trojans Non self replicating back
door program which runs hidden on the infected computer Can be
installed using one of the following methods Non-trusted software
download Email Attachments Application level exploits Executable
content on websites (Flash or ActiveX) Trojan can be used to
maintain control of the system, access password, keylog, etc.
6
Slide 7
CPSC 6128 - Network Security Viruses, Worms Virus typically
attaches itself to another program to enable replication much like
a human virus. Worm similar to a virus but by design is self
replicating can replicate through a network without the assistance
of a human. Blended Threat combines aspect of Trojans viruses and
worms CodeRed was a example of a blended threat which at the same
time launched DDOS attacks left behind trojans, and was self
replicating 7
Slide 8
CPSC 6128 - Network Security Trojans What is the Objective
Typically motivated by financial gain they look for credit card,
account data, confidential documents, financial data, etc. Make
victims computer become a remote proxy allow for the attacker to
mask their tracks for additional attacks Make the infected computer
part of a BOTnet plant the ability to launch DDOS type attacks
8
Slide 9
CPSC 6128 - Network Security TCP/UDP Port Typically Used by
Trojans TrojanProtocolPort Back OrifaceUDP31337 or 31338 Deep
ThroatUDP2140 and 3150 NetBusTCP12345 and 12346 Whack a
moleTCP12361 and 12362 NetBus 2 ProTCP20034 GirlFriendTCP21544
Masters ParadiseTCP3129, 40421, 40422, 40423, 40426 9
Slide 10
CPSC 6128 - Network Security Determining which ports are
listening Windows Start->Run->CMD netstat an netstat an
|findstr 10
Slide 11
CPSC 6128 - Network Security Proxy Server Trojans Starts a
hidden http proxy on the victims computer Uses the victims computer
as a transit point to attack yet another victim Hides the location
of the attacker 11
Slide 12
CPSC 6128 - Network Security NetBus Trojan Remote control
Trojan program Allows anyone running the client (control program)
to control any machine infected with NetBus Trojan 12
Slide 13
CPSC 6128 - Network Security Netcat Written by Hobbit Released
in March 1996 Currently hosted at:
http://netcat.sourceforge.net/http://netcat.sourceforge.net/
Blindly reads and writes data to and from network connections Often
called the Swiss Army Knife of network tools Runs on almost all
platforms Linux, Windows, OS X, SunOS, Solaris, etc. Working Mode
Client mode Listen mode 13
Slide 14
CPSC 6128 - Network Security 14 Netcat Client Mode Initiates a
network connection from the local system to a specified remote
network port StdInput is sent to the remote network port using
pipes Works much like standard cat command Returned data is sent to
StdOutput Messages from Netcat itself are sent to StdError
Slide 15
CPSC 6128 - Network Security Netcat Listen Mode It waits for a
connection from the network -l option puts Netcat in listen mode
Basically take it as a network server Data received from the
network is sent to StdOutput Data received from StdInput is sent to
the network Messages from Netcat itself are sent to StdError
15
Slide 16
CPSC 6128 - Network Security Important Netcat Switches -l
Places Netcat in listen mode -p Specifics the source or local port
that Netcat should use -s Source ip address -h Prints help -e
Program to execute after connecting -u Use UDP instead of TCP -L
Persistent listener in Windows Keeps listening even after nc
disconnects Make use of standard IO redirection Use nc ( >, <
or |) home-macpro:~ kobrien$ nc -h [v1.10] connect to somewhere: nc
[-options] hostname port[s] [ports]... listen for inbound: nc -l -p
port [-options] [hostname] [port] 16
Slide 17
CPSC 6128 - Network Security Netcat Uses Data Transfer
Backdoors Replay Attacks Vulnerability Scanning Port Scanning
Relays *** Be sure to check out Counter Hack Reloaded by Ed
Skoudis. Has a very thorough explanation of nc. 17
Slide 18
CPSC 6128 - Network Security Example: Netcat Data Transfer Send
a file between two machines Send a file from the nc listener to the
nc client Listener: nc l p [port] < [filename] Client: nc
[listener ip] [port] > [filename] Send a file from the nc client
to the nc listener Listener: nc l p [port] > [filename] Client:
nc [listener IP] [port] < [filename] 18
Slide 19
CPSC 6128 - Network Security Example: Netcat Data Transfer from
Listener to Client 19 nc listener nc client
Slide 20
CPSC 6128 - Network Security Example: Make Connection to Open
Port Better to use in place of telnet nc is faster and it is easier
to drop the connection Some raw binary data can be accidently
interpreted by telnet nc can do UDP as well as TCP 20
Slide 21
CPSC 6128 - Network Security Wrappers So how does one get a
Trojan on a machine? Typical method wrapping the Trojan with
another executable file which the user runs The two programs are
wrapped together into a single file However, the user only sees the
exe which was used to wrap the Trojan The Trojan runs in the
background 21
CPSC 6128 - Network Security Network Steganography for Data
Exfiltration 23
Slide 24
CPSC 6128 - Network Security Steganography Concept In Art and
science a secret message can be hidden no one other than the sender
and receiver is aware of the message Physical steganography Can be
dated back to ancient Greece Stories told of tattoos on the heads
of slaves Heads can then be shaved to reveal the message 24
Slide 25
CPSC 6128 - Network Security Steganography Example During WWII
microdots where used extensively to transmit messages. Microdots
are small dots which covers a hidden message. 25 KGB Microdot
camera for single exposures smaller than 1mm diameter on a special
colloid emulsion, size of the camera 7x12mm, the negatives were
sent behind stamps and viewed through microscopes Courtesy:
WestLicht Auctions
Slide 26
CPSC 6128 - Network Security Covert Channel The message is
hidden within the traffic of a legitimate communications channel.
26 Sender Receiver Hiding Process Detection Process Covert Channel
Normal Traffic
Slide 27
CPSC 6128 - Network Security Network Steganography The message
is hidden within the traffic of a legitimate communications channel
27 Stego Algorithm Stego Algorithm Detection Algorithm Detection
Algorithm Channel secret key senderreceiver secret info network
packet network packet
Slide 28
CPSC 6128 - Network Security Common Example Tunnel inside TCP
80 Tunneling Encapsulating one protocol into another protocol Very
common method for even legitimate applications Tunnel
communications over TCP 80 Other methods include tunneling inside
SSH and GRE tunneling Tunneling may causes problems for firewalls
Firewalls rely on restricting traffic by IP and source/destination
port Application layer firewalls dig deeper into the packets and
can filter by the application itself 28
Slide 29
CPSC 6128 - Network Security TCP Header (review) 29 Bit 0Bit
4Bit 8Bit 12Bit 16Bit 20Bit 24Bit 28Bit 32 Source PortDestination
Port Sequence Number Acknowledgement Number ReservedUAPRSFWindow
ChecksumUrgent Pointer Options and Padding 16 bits that can be used
for a covert channel. (note: all bit combos not available as the
flags have to present a valid state)
Slide 30
CPSC 6128 - Network Security covert_tcp Some methods hide data
in optional fields of a protocol header The preferred method is to
hide data in mandatory fields It is more effective Network
equipment can easily be programmed to reset or erase optional
fields covert_tcp was created by Craig Rowland
http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/528/449
Covert_tcp can hide data in The IP datagrams ID Field The Sequence
number of the TCP segment The ACK number of the TCP segment 30
Slide 31
CPSC 6128 - Network Security covert_tcp -- TCP ACK method IP
Identification method Insert a single ASCII character and receive
it at the other end TCP Sequence Number method Send SYN with ASCII
character as the initial sequence number Reply with a RST RST
actually ACKs the receipt of the hidden character TCP ACK # Most
covert and sophisticated Sender bounces the information off an
unwitting intermediate party 31
Slide 32
CPSC 6128 - Network Security covert_tcp (TCP ACK method) Client
sends SYN packet to bounce server Source address is spoofed to
recipients address ISN # is ASCII # -1 Bounce server responds to
receiver Sends SYN ACK or RST Both increment ISN by 1 and ASCII
character is received 32
Slide 33
CPSC 6128 - Network Security covert_tcp (TCP ACK method) Letter
Ascii x256 A 65 16640 B 66 16896 D 68 17408 E 69 17664 F 70 17920 G
71 18176 H 72 18432 I 73 18688 J 74 18944 K 75 19200 L 76 19456 M
77 19712 33 N 78 19968 O 79 20224 P 80 20480 Q 81 20736 R 82 20992
S 83 21248 T 84 21504 U 85 21760 V 86 22016 W 87 22272 X 88 22528 Y
89 22784 Z 90 23040 When using IP Iden mode (default) here is the
ASCII to IDENT # encoding
Slide 34
CPSC 6128 - Network Security covert_tcp Example (sender)
34
Slide 35
CPSC 6128 - Network Security covert_tcp Example (Receiver)
35
Slide 36
CPSC 6128 - Network Security Loki Covert channel over ICMP
Attacker install Loki on compromised server Requires root
permissions Grabs incoming ICMP packets from the kernel Attacker
installs Loki client on a remote machine Data is sent to client
lokid using ICMP packets Under the radar of most detection
mechanisms since ICMP is commonly allowed, and doesnt have UDP/TCP
ports 36
Slide 37
CPSC 6128 - Network Security Loki Can use UDP 53 to disguise as
a DNS request Can switch between UDP and ICMP on the fly Encryption
supported Blowfish and DH key exchange For details, see handout
37
Slide 38
CPSC 6128 - Network Security Reverse WWW Shell Covert channel
using HTTP Can be installed on compromised machine Every 60 seconds
it phones home and contacts external server It pulls in commands
and sends over normal HTTP Looks like normal web traffic Same idea
used by legitimate software such as GoToMyPC 38
Slide 39
CPSC 6128 - Network Security Logging 39
Slide 40
CPSC 6128 - Network Security Altering Event Logs Even rootkits
may leave traces in log files With admin privilege Attacker could
delete log files But probably a bad ideavery obvious A better idea
selectively edit the log files 40
Slide 41
CPSC 6128 - Network Security Logs in Windows EventLog is
logging server Files ending with.LOG SECURITY, SYSTEM, APPLICATION
This info is moved to main event logs SECEVENT.EVT, SYSEVENT.EVT
The.EVT files read by admin using Windows Event Viewer 41
Slide 42
CPSC 6128 - Network Security Windows Event Viewer 42
Slide 43
CPSC 6128 - Network Security Windows Logs SECEVENT.EVT Failed
logins policy changes attempts to access files without permission,
etc. SYSEVENT.EVT E.g. details of driver failures APPEVENT.EVT
Application related issues 43
Slide 44
CPSC 6128 - Network Security Windows Logs Altering event logs
At a minimum must change SECEVENTs EVT files Arelocked and Are in a
binary format Cannot open/edit with usual tools With physical
access Boot to Linux and edit logs Not practical in most cases
44
Slide 45
CPSC 6128 - Network Security Windows Logs Event editing tools
Winzapper Attacker can selectively edit EVT files But must reboot
machine to restart EventLog service 45
Slide 46
CPSC 6128 - Network Security WinZapper 46
Slide 47
CPSC 6128 - Network Security Unix Logging Log files usually in
ASCII text With privilege they are easy to edit Config file tells
where log files are located Attacker can locate files and edit Also
accounting files utmp, wtmp, lastlog Binary files so they are
harder to edit 47
Slide 48
CPSC 6128 - Network Security Unix Logging Tools to edit
accounting files Many can be found at
http://packetstormsecurity.orghttp://packetstormsecurity.org
wtemped Marry Cloak Logedit wzap Accounting file editing tool is
standard part of most rootkits 48
Slide 49
CPSC 6128 - Network Security Shell History Files List of
command line, commands issues Attacker would like to edit this
Files are in ASCII so they are easy to edit Can insert lines Why
would this be useful? Edit to shell file written to shell history
When shell is exited gracefully How to get around this? 49
Slide 50
CPSC 6128 - Network Security Defenses Activate logging Log
according to some specified policy Periodically audit logging Allow
plenty of space for logs Restrictive permissions on log files Use
separate server for logging Logs redirected to logging server Not
everything can be redirected 50
Slide 51
CPSC 6128 - Network Security Defenses Encrypt log files Make
log files append-only Store files on unalterable media Non
rewriteable CD/DVD 51
Slide 52
CPSC 6128 - Network Security Hidden Files Why would an attacker
use hidden files Store attack tools Save sniffed passwords, etc.
What does hidden mean? Maybe just hard to find Or easily overlooked
52
Slide 53
CPSC 6128 - Network Security Hidden Files In Unix prepend . to
filename Use , followed by spaces(s) Other ideas? 53
Slide 54
CPSC 6128 - Network Security Hidden Files in Windows Use hidden
attribute Not great 54
Slide 55
CPSC 6128 - Network Security Hidden Files in Windows 55
Slide 56
CPSC 6128 - Network Security Hidden Files in Windows Alternate
Data Streams (ADS) Available in NTFS Multiple streams of data can
be associated with a single file These streams can store any info
usual view is just one such stream Fairly effective means of hiding
files 56 c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe
(? Need to try it ) Will fork anyfile.exe with the windows calc
file Calculator will still work fine!
Slide 57
CPSC 6128 - Network Security Defenses File integrity checking
Host based IDS In Windows, use ADS aware tools CrucialADS, LADS
57
Slide 58
CPSC 6128 - Network Security Example Attacks 58
Slide 59
CPSC 6128 - Network Security Example Operation Aurora - 2009
Targeted user received a link in email or instant message from
trusted source User clicks on link, visits website with malicious
Javascript Exploit downloads a binary disguised as an image from
servers and executes the payload Payload sets up long term backdoor
and connects back to command and control servers Attackers target
intellectual property and source code control system. Reference:
McAfee Report Protecting YourCritcal Assets
http://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf
59
Slide 60
CPSC 6128 - Network Security Example RSA Breach - 2011 Phishing
targeted two small groups of employees Excel spreadsheet contained
Zero Day exploit in Adobe Flash After exploitation of victims
machine Poison Ivy RAT tool installed Reverse TCP to attackers
command and control server (C&C) Attackers then moved laterally
in the organization 60