Ed Skoudis June 6, 2005 Seminar Series

Page 2

©2005 Ed Skoudis

A Quote from One of History’s Greatest Hackers

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.

—Sun Tzu, The Art of War

Page 3

Presentation Outline

Purpose & General Trends

Step 1: Reconnaissance

Step 2: Scanning

Step 3: Gaining Access

Step 4: Maintaining Access

Step 5: Covering the Tracks

Conclusions

Page 4

The Defiler’s Toolkit

The Defiler’s Toolkit attempts to confuse forensic investigations

First public anti-forensic tool
Developed by “The Grugq”
Targeted specifically to counter The Coroner’s Toolkit, and only extensively tested on ext2/3 file systems
Six components:
KY FS – stores data in superblocks / directory structures
Waffen FS – stores data in the ext3 journal file
Data Mule FS – stores data in inode reserved space
Rune FS – stores data in blocks listed as bad
Necrofile
Klismafile

Page 5

Defiler’s Toolkit

Data hiding with Rune FS
The bad blocks inode (inode 1) points to blocks that don’t function properly
The attacker associates good blocks with the bad blocks inode and stores data there
Carve out a segment of your hard drive and label it “bad”: the drive appears smaller, but TCT won’t look in the bad blocks

Data destruction with Necrofile
Secure-delete (wipe) tools remove just the data, not the meta-data (inodes and directory entries)
Necrofile scrubs inodes clean, selecting them by deletion time criteria

Data destruction with Klismafile
Directory entries still hold the names of deleted files (and the inode numbers they pointed to)
Klismafile searches for these entries and scrubs them

Page 6

Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

Developed by Vinnie Liu and distributed with Metasploit 2.2

Windows specific, with four components:
TimeStomp: MAC (modify/access/create) time modification tool
Slacker: tool to hide data in slack space
SAM Juicer: password file extractor
Transmogrify: file signature modifier

SAM Juicer was renamed PWDump and integrated into Metasploit 3 together with TimeStomp

Slacker and Transmogrify were never reliable and were discontinued; Transmogrify was never released

Page 7

Meterpreter

Central component in the Metasploit Framework
Serves as a payload injected by any of a number of exploits
Opens a covert communication channel with shell command capabilities
Resides exclusively in memory, leaving no residue on disk…

Page 8

Anti-Forensic Tools…

Techniques
CANVAS
DECAF – direct response to COFEE
Microsoft and the US Department of Justice have stated their intention to prosecute anyone found to be in unauthorized possession of DECAF
SecurityWizard List

Page 9

Forensics

The Coroner’s Toolkit is very popular, along with its descendant, “The Sleuth Kit” (www.sleuthkit.org)
The Coroner’s Toolkit, as cool as it was, is a bit outdated
Turn toward a more recent descendant of TCT, “The Sleuth Kit”, to get a better look at forensic data
Use the Autopsy Forensic Browser GUI…
In investigations, don’t forget to look in blocks marked bad! There could be some very useful data hidden in there
Dead vs. live analysis modes
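An added example, not from the seminar slides or from the Defiler’s Toolkit itself, that turns the Rune FS and Necrofile descriptions on the Defiler’s Toolkit slide and the advice above about looking in blocks marked bad into a check you can run on a raw ext2/3 image. It parses the superblock, group descriptor and inode table using the ext2 on-disk layout, dumps every block the bad-blocks inode (inode 1) claims, lists deleted inodes whose block pointers are still intact, and shows what a Necrofile-style inode scrub removes. The function names, the in-memory sample image and the deletion timestamp in it are this example’s own constructions; a healthy file system should give an empty result for both checks.

```python
"""Investigator-side checks for two Defiler's Toolkit tricks on an ext2/3 image.

bad_block_contents(): dump the blocks referenced by inode 1 (the bad-blocks
inode).  A healthy file system references none, so anything here is where
Rune FS-style hidden data lives.
deleted_inodes(): inodes with i_dtime set but block pointers still present,
i.e. the records an undelete tool uses and Necrofile scrubs.
The sample image is constructed in memory for this example; the parsers work
on any raw ext2/3 image (e.g. from dd).  Field offsets follow the ext2 layout.
"""
import struct

SUPERBLOCK_OFFSET = 1024
EXT2_MAGIC = 0xEF53
BAD_BLOCKS_INODE = 1


def read_superblock(img):
    """Parse only the superblock fields needed to locate inodes."""
    sb = img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_MAGIC:
        raise ValueError("bad ext2 magic 0x%04x" % magic)
    inodes_count, = struct.unpack_from("<I", sb, 0)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    inodes_per_group, = struct.unpack_from("<I", sb, 40)
    rev_level, = struct.unpack_from("<I", sb, 76)
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    return {"block_size": 1024 << log_block_size, "inodes_count": inodes_count,
            "first_data_block": first_data_block,
            "inodes_per_group": inodes_per_group, "inode_size": inode_size}


def inode_offset(img, sb, n):
    """Byte offset of inode n via its group's descriptor (inode table at +8)."""
    bs = sb["block_size"]
    group, index = divmod(n - 1, sb["inodes_per_group"])
    gdt = (sb["first_data_block"] + 1) * bs + group * 32  # block after the superblock
    inode_table, = struct.unpack_from("<I", img, gdt + 8)
    return inode_table * bs + index * sb["inode_size"]


def read_inode(img, sb, n):
    """Return (i_size, i_dtime, non-zero direct block pointers) of inode n."""
    off = inode_offset(img, sb, n)
    i_size, = struct.unpack_from("<I", img, off + 4)
    i_dtime, = struct.unpack_from("<I", img, off + 20)
    direct = struct.unpack_from("<12I", img, off + 40)   # i_block[0..11]
    return i_size, i_dtime, [b for b in direct if b]


def bad_block_contents(img):
    """{block_number: raw bytes} for every block claimed by inode 1."""
    sb = read_superblock(img)
    bs = sb["block_size"]
    _, _, blocks = read_inode(img, sb, BAD_BLOCKS_INODE)
    return {b: bytes(img[b * bs:(b + 1) * bs]) for b in blocks}


def deleted_inodes(img):
    """{inode_number: surviving block pointers} for inodes with i_dtime set."""
    sb = read_superblock(img)
    out = {}
    for n in range(2, sb["inodes_count"] + 1):
        _, dtime, blocks = read_inode(img, sb, n)
        if dtime:
            out[n] = blocks
    return out


def necrofile_like_scrub(img, n):
    """Zero inode n in place: dtime and block pointers are gone for good."""
    sb = read_superblock(img)
    off = inode_offset(img, sb, n)
    img[off:off + sb["inode_size"]] = bytes(sb["inode_size"])


def build_sample_image():
    """Constructed 32 KiB ext2 image: 1 KiB blocks, one group, 16 inodes."""
    bs = 1024
    img = bytearray(32 * bs)
    sb = SUPERBLOCK_OFFSET
    struct.pack_into("<II", img, sb + 0, 16, 32)          # inodes, blocks
    struct.pack_into("<II", img, sb + 20, 1, 0)           # first data block, log block size
    struct.pack_into("<III", img, sb + 32, 8192, 8192, 16)  # blocks, frags, inodes per group
    struct.pack_into("<H", img, sb + 56, EXT2_MAGIC)
    struct.pack_into("<I", img, sb + 76, 1)               # rev 1, so s_inode_size is valid
    struct.pack_into("<H", img, sb + 88, 128)
    struct.pack_into("<III", img, 2 * bs, 3, 4, 5)        # group desc: bitmaps 3,4; inode table 5
    table = 5 * bs
    # Inode 1 claims blocks 20 and 21; block 20 carries parked data, Rune FS style.
    struct.pack_into("<I", img, table + 4, 2 * bs)
    struct.pack_into("<II", img, table + 40, 20, 21)
    note = b"hidden: this block was only marked bad\n"
    img[20 * bs:20 * bs + len(note)] = note
    # Inode 12: deleted (arbitrary non-zero dtime) but its pointer to block 25 survived.
    i12 = table + 11 * 128
    struct.pack_into("<I", img, i12 + 20, 1118016000)
    struct.pack_into("<I", img, i12 + 40, 25)
    return img


if __name__ == "__main__":
    image = build_sample_image()
    for blk, data in sorted(bad_block_contents(image).items()):
        print("inode 1 claims block %d: %s" % (blk, "DATA" if any(data) else "empty"))
    print("deleted inodes with intact pointers:", deleted_inodes(image))
    necrofile_like_scrub(image, 12)
    print("after Necrofile-style scrub:", deleted_inodes(image))
```

On a real image read the file into a bytearray and pass it in; the only fields consulted are the ones above, so ext3 images work the same way. Two caveats: only the twelve direct pointers of inode 1 are followed, so a large hidden area reached through indirect blocks needs the indirect walk as well, and hidden data will usually be encrypted, so treat any non-zero "bad" block as worth examining rather than looking for readable text.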

Page 10

Conclusions

Remember good ol’ Sun Tzu
Attackers keep improving their capabilities and tools
Don’t get discouraged: we must keep up with them
Understand their techniques
Deploy, maintain, and update effective defenses
Consider it an intellectual challenge… with job security
Just remember… it is the Golden Age
By remaining diligent, we can secure our systems!