
The New Breed of Hacker Tools & Techniques

Ed Skoudis

VP, Security Strategy

Predictive Systems

[email protected]



"Crack the Hacker" Challenge

  • Win a key-chain USB Hard Drive!

  • http://searchwebmanagement.discussions.techtarget.com

  • Look for skoudis

  • Or, Just go to: http://searchwebmanagement.discussions.techtarget.com/WebX?msgInContex[email protected]^4@.ee84438/82!viewtype=threadDate&skip=&expand=

© 2002, Ed Skoudis and Predictive Systems



Key Points

  • General Trends

  • War Driving

  • Polymorphic Buffer Overflow

  • Hidden Backdoors

  • Super Worms

  • Conclusions


General Trends

  • The rise of anti-disclosure

    • Full-disclosure has its problems—tell everyone everything

    • Anti-disclosure has a whole new set of problems

    • Famous Microsoft letter on Information Anarchy

    • Driving some things underground

      • Kiddies don't have everything…

      • …but what is lurking out there?

  • Hacktivism

    • In times of war, attackers can make a political point

  • Attacks targeting end-user systems on high-bandwidth connections (DSL and Cable Modem)

  • A focus on tools getting more stealthy

    • Hiding has tremendous benefits for an attacker


Wireless Attacks

  • Wireless technology is getting much cheaper

  • Base stations for less than $200, with wireless cards under $100

    • IEEE 802.11b standard very popular

    • Employees setting up their own access points so they can roam around the halls

    • Very dangerous!

  • War driving

    • With a laptop and wireless card, an attacker can drive down the street and join many wireless LANs!


Wireless Misconfigurations

  • Many wireless access points (a.k.a. base stations) are configured with no security

  • In some installations, users think SSIDs are passwords

    • They are not!

    • Blank or default SSIDs are common

  • Access points often respond to broadcast requests asking for the SSID

  • SSIDs are sent in clear text and can be sniffed


NetStumbler - Premier Tool for War Driving

  • NetStumbler, by Marius Milner

    • http://www.netstumbler.com

    • Windows-based (95, 98, ME, 2000, XP)

      • And PocketPC (Mini Stumbler)… but not NT


Other Tools For War Driving

  • Wi-scan (Perl script)

    • http://www.dis.org/wl/

    • Ties in geography (using GPS) with SSID

  • Airsnort

    • http://airsnort.sourceforge.net/

    • Cracks WEP keys

    • Runs on Linux, requires a Prism2 chipset card (Linksys), and needs ~500 MB of captured data

  • Airopeek

    • www.wildpackets.com/products/airopeek

    • Commercial


War Driving Defenses

  • Set SSID to difficult-to-guess value

    • Can still be broadcast, sniffed, or brute-forced

    • Not at all effective!!

  • MAC address filtering at access point

    • Wireless card MAC addresses can be spoofed

      • Dsniff supports this

  • Set WEP keys, and rotate them periodically

    • Remember, WEP can be cracked

  • Best Defense - Use Virtual Private Network

    • All data from end system through wireless device to VPN gateway encrypted and authenticated

  • Establish policy for these items

    • Check out www.counterhack.net for examples


What is a Buffer Overflow?

  • Seminal paper on this technique by Aleph One titled “Smashing the Stack for Fun and Profit”

  • Allows an attacker to execute arbitrary commands on your machine

  • Take over system or escalate privileges

    • Get root or admin privileges

  • Based on putting too much information into undersized receptacles

    • Caused by not having proper bounds checking in software


A Normal Stack

  • Programs call their subroutines, allocating memory space for function variables on the stack

  • The stack is like a scratchpad for storing little items to remember

  • The stack is LIFO

  • The return pointer (RP) contains the address of the calling function, so execution can return there when the function call is done

  Normal Stack (diagram; buffers fill from Buffer 2 through Buffer 1 toward the return pointer):

    Bottom of Memory
      ...
      Buffer 2 (Local Variable 2)
      Buffer 1 (Local Variable 1)
      Return Pointer
      Function Call Arguments
      ...
    Top of Memory


Smashing The Stack

  • User data is written into the allocated buffer by the function

  • If the data size is not checked, the return pointer can be overwritten by user data

  • Attacker places exploit machine code in the buffer and overwrites the return pointer

  • When the function returns, the attacker’s code is executed

  Smashed Stack (diagram; same fill direction as the normal stack):

    Bottom of Memory
      ...
      Buffer 2 (Local Variable 2)
      Buffer 1 space is overwritten: machine code, execve(/bin/sh)
      Return Pointer is overwritten: new pointer to exec code
      Function Call Arguments
      ...
    Top of Memory
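The missing bounds check that the last two slides describe, shown as an added example (not code from the talk): an unchecked copy into a fixed-size stack buffer beside a version that knows the destination size and rejects input that would not fit. The function names, the 64-byte buffer and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed local buffer size for the example */

/* The defect the slides describe: strcpy() copies until it finds a NUL, so
 * any input longer than BUF_SIZE - 1 bytes runs past `buf` toward the saved
 * return pointer. Kept only to contrast with the checked version below;
 * never call it with untrusted input. */
void unchecked_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                    /* no bounds check */
    printf("unchecked: %s\n", buf);
}

/* Checked version: the caller passes the real destination size and oversized
 * input is rejected outright rather than silently truncated, so the buffer
 * can never be overrun and the caller learns the input was bad.
 * Returns 0 on success, -1 if the input does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never scan past dst_size */
        len++;
    if (len >= dst_size) {                 /* no room left for the NUL */
        dst[0] = '\0';                     /* leave a defined, empty string */
        return -1;
    }
    memcpy(dst, src, len + 1);             /* copy including the NUL */
    return 0;
}

/* Same shape as unchecked_copy(), with the check added. Returns bounded_copy()'s result. */
int checked_copy(const char *input)
{
    char buf[BUF_SIZE];
    int rc = bounded_copy(buf, sizeof buf, input);
    if (rc == 0)
        printf("checked: %s\n", buf);
    else
        printf("checked: rejected %zu-byte input (limit %d)\n",
               strlen(input), BUF_SIZE - 1);
    return rc;
}

/* Constructed inputs around the boundary: 63 bytes fit, 64 and 72 do not. */
#define A8 "AAAAAAAA"
#define LIMIT_INPUT A8 A8 A8 A8 A8 A8 A8 "AAAAAAA"
#define OVER_INPUT  A8 A8 A8 A8 A8 A8 A8 A8
#define LONG_INPUT  A8 A8 A8 A8 A8 A8 A8 A8 A8

int main(void)
{
    unchecked_copy("hello");      /* fine: 6 bytes into a 64-byte buffer */
    checked_copy("hello");        /* fine */
    checked_copy(LIMIT_INPUT);    /* fine: exactly fills the buffer */
    checked_copy(OVER_INPUT);     /* rejected: one byte too many */
    checked_copy(LONG_INPUT);     /* rejected */
    /* unchecked_copy(LONG_INPUT) would write 9 bytes past the end of buf. */
    return 0;
}
```

Rejecting oversized input, rather than truncating it, is the design choice worth noting: truncation keeps the program running but hides the fact that something sent more data than the protocol allows, which is exactly the event a defender wants logged. This is the developer-side fix; the non-executable stacks and patching discussed under the ADMutate defenses are the layers that catch the cases code review misses.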


Improving the Odds that the Return Pointer Will be OK

  • Include NOPs in advance of the executable code

    • Then, if your pointer goes to the NOPs, nothing will happen

    • Execution will continue down the stack until it gets to your exploit

    • NOPs can be used to detect these exploits on the network

    • Many ways to do a NOP

  Smashed Stack with NOP sled (diagram):

      NOP
      NOP
      NOP
      NOP
      NOP
      Buffer 1 space is overwritten: machine code, execve(/bin/sh)
      Return Pointer is overwritten: new pointer to exec code
      Function Call Arguments
      ...
    Top of Memory


Polymorphic Buffer Overflow

  • In April 2001, ADMutate was released by K2

    • http://www.ktwo.ca/security.html

  • ADMutate is designed to defeat IDS signature checking by altering the appearance of a buffer overflow exploit

    • Using techniques borrowed from virus writers

  • Works on Intel, Sparc, and HPPA processors

  • Targets Linux, Solaris, IRIX, HPUX, OpenBSD, UnixWare, OpenServer, TRU64, NetBSD, and FreeBSD


How ADMutate Works

  • We want functionally equivalent code, but with a different appearance

    • "How are you?" vs. "How ya doin'?" vs. "What's up?"

  • Exploit consists of 3 elements

    • NOPs

    • Exec a shell code

    • Return address

  Exploit layout (diagram):

      NOP
      NOP
      NOP
      NOP
      NOP
      Machine Code: execve(/bin/sh)
      Pointer to exec stack code


Mutation Engine

  • ADMutate alters each of these elements

    • NOP substitution with operationally inert commands

    • Shell code encoded by XORing with a randomly generated key

    • Return address modulated – least significant byte altered to jump into different parts of NOPs

  Mutated exploit layout (diagram):

      NOP substitute
      Another NOP
      Yet another NOP
      A different NOP
      Here's a NOP
      XOR'ed Machine Code: execve(/bin/sh)
      Modulated Pointer to NOP Substitutes


What About Decoding?

  • That’s nice, but how do you decode the XOR'ed shell code?

    • You can't just run it, because it is gibberish until it's decoded

    • So, add some commands that will decode it

    • Can’t the decoder be detected by IDS?

  • The decoder is created using random elements

    • Several different components of the decoder (e.g., 1, 2, 3, 4, 5, 6, 7)

    • Various decoder components can be interchanged (e.g., 2-3 or 3-2)

    • Each component can be made up of different machine language commands

  • The decoder itself is polymorphic

  Mutated exploit layout with decoder (diagram):

      NOP substitute
      Another NOP
      Yet another NOP
      A different NOP
      Here's a NOP
      Polymorphic XOR Decoder
      XOR'ed Machine Code: execve(/bin/sh)
      Modulated Pointer to NOP Substitutes


ADMutate – Customizability!

  • New version allows attacker to apply different weights to generated ASCII equivalents of machine language code

    • Allows attacker to tweak the statistical distribution of resulting characters

    • Makes traffic look more like “standard” for a given protocol, from a statistical perspective

    • Example: more heavily weight characters "<" and ">" in HTTP

    • Narrows the universe of equivalent polymorphs, but still very powerful!


ADMutate Defenses

  • Defend against buffer overflows

    • Apply patches, using a defined process

    • Non-executable system stacks

      • Solaris – OS Setting

      • Linux – www.openwall.com

      • NT/2000 – SecureStack from www.securewave.com

    • Code Review – educate developers

  • Detection: IDS vendors at work on this capability now

    • Snort release in Feb 2002

      • Looks for variations of NOP sled
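The two detection approaches the deck contrasts, as an added example that is neither the talk's code nor Snort's rule logic: the classic check for a run of 0x90 bytes (which the NOP substitution on the Mutation Engine slide defeats) beside a check for a run of any single-byte instruction that is inert for a sled's purposes, which is the idea behind looking for "variations of the NOP sled". The inert-byte set is a constructed, illustrative subset (x86 `nop` plus one-byte `inc`/`dec` of registers other than `esp`); the 16-byte threshold, the function names and the sample buffers are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 40   /* the constructed binary samples are all 40 bytes */

/* Longest run of consecutive bytes for which pred() holds. */
static size_t longest_run(const uint8_t *buf, size_t len, int (*pred)(uint8_t))
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (pred(buf[i])) {
            if (++cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

static int is_nop(uint8_t b) { return b == 0x90; }

/* Constructed, illustrative subset of one-byte x86 instructions a sled can
 * use instead of nop: nop itself plus inc/dec of general registers other
 * than esp (0x44 inc esp and 0x4c dec esp would disturb the stack). */
static int is_inert(uint8_t b)
{
    if (b == 0x90)
        return 1;
    if (b >= 0x40 && b <= 0x4f)
        return b != 0x44 && b != 0x4c;
    return 0;
}

/* Classic signature: longest run of plain 0x90 bytes. */
size_t longest_nop_run(const uint8_t *buf, size_t len)
{
    return longest_run(buf, len, is_nop);
}

/* Generalized check: longest run of any inert byte. */
size_t longest_inert_run(const uint8_t *buf, size_t len)
{
    return longest_run(buf, len, is_inert);
}

/* Verdict: 1 when some inert run reaches `threshold` bytes. */
int looks_like_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_inert_run(buf, len) >= threshold;
}

/* Constructed sample 1: 32 plain nops, then 8 placeholder bytes (0xcc, int3)
 * standing in for the payload. */
const uint8_t *sample_plain_sled(void)
{
    static uint8_t buf[SAMPLE_LEN];
    memset(buf, 0x90, 32);
    memset(buf + 32, 0xcc, 8);
    return buf;
}

/* Constructed sample 2: same layout, sled rewritten as a cycle of inert
 * substitutes the way a mutation engine would. */
const uint8_t *sample_substituted_sled(void)
{
    static const uint8_t subs[] = { 0x41, 0x42, 0x43, 0x90, 0x47, 0x4b };
    static uint8_t buf[SAMPLE_LEN];
    for (size_t i = 0; i < 32; i++)
        buf[i] = subs[i % sizeof subs];
    memset(buf + 32, 0xcc, 8);
    return buf;
}

/* Constructed benign traffic. Note that 'G', 'E' and 'H' (0x47, 0x45, 0x48)
 * are themselves in the inert set, so ordinary text yields short runs. */
#define SAMPLE_HTTP "GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n"

int main(void)
{
    const uint8_t *http = (const uint8_t *)SAMPLE_HTTP;
    size_t hlen = sizeof SAMPLE_HTTP - 1;
    printf("plain sled:       nop run %zu, inert run %zu\n",
           longest_nop_run(sample_plain_sled(), SAMPLE_LEN),
           longest_inert_run(sample_plain_sled(), SAMPLE_LEN));
    printf("substituted sled: nop run %zu, inert run %zu\n",
           longest_nop_run(sample_substituted_sled(), SAMPLE_LEN),
           longest_inert_run(sample_substituted_sled(), SAMPLE_LEN));
    printf("http request:     nop run %zu, inert run %zu, sled? %d\n",
           longest_nop_run(http, hlen), longest_inert_run(http, hlen),
           looks_like_sled(http, hlen, 16));
    return 0;
}
```

The substituted sample shows why the 0x90 signature alone is useless once a mutation engine is in play: its longest nop run is one byte while its inert run is the full 32. The HTTP sample shows the cost of generalizing: uppercase letters A through O (minus D and L) share opcode bytes with the one-byte inc/dec instructions, so the threshold has to sit well above what ordinary text produces, and an engine that weights its output toward protocol-typical characters, as the Customizability slide describes, is pushing precisely on that margin.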


Hidden Backdoors

  • Attacker takes over your system and installs a backdoor to ensure future access

    • Backdoor listens, giving shell access

  • How do you find a backdoor listener?

  • Sometimes, they are discovered by noticing a listening port

    • Nmap port scan across the network

    • Running "netstat -na" locally

    • Running lsof (UNIX) or Inzider (Windows)

  Diagram: Network <--> Backdoor listens on port ABC
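The local check the slide describes, as an added example that is not code from the talk: it does what you would otherwise read off `netstat -na` by parsing the Linux `/proc/net/tcp` table, keeping the sockets in LISTEN state, and flagging any listening port that is not on a list of ports the host is supposed to serve. The sample table, the expected-port list and the function names are constructed for this example; `main()` reads the live file when it exists and falls back to the sample otherwise.

```c
#include <stdio.h>
#include <string.h>

#define TCP_LISTEN 0x0A      /* state code for LISTEN in /proc/net/tcp */
#define MAX_LISTENERS 64

typedef struct {
    unsigned port;           /* local TCP port, host byte order */
    unsigned long inode;     /* socket inode, usable to find the owning process */
} listener_t;

/* Parse one /proc/net/tcp line. Returns 1 and fills *out when the line is a
 * socket in LISTEN state; 0 for the header, other states or unparsable text. */
int parse_tcp_line(const char *line, listener_t *out)
{
    unsigned laddr, lport, raddr, rport, st;
    unsigned long inode;
    int n = sscanf(line, " %*d: %8x:%4x %8x:%4x %2x %*8x:%*8x %*2x:%*8x %*8x %*d %*d %lu",
                   &laddr, &lport, &raddr, &rport, &st, &inode);
    if (n != 6 || st != TCP_LISTEN)
        return 0;
    out->port = lport;
    out->inode = inode;
    return 1;
}

/* Walk a newline-separated table and collect every LISTEN socket. */
size_t collect_listeners(const char *table, listener_t *out, size_t max)
{
    size_t count = 0;
    const char *p = table;
    while (*p != '\0' && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;   /* clip an overlong line, never overrun */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_tcp_line(line, &out[count]))
            count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

size_t listener_count(const char *table)
{
    listener_t tmp[MAX_LISTENERS];
    return collect_listeners(table, tmp, MAX_LISTENERS);
}

static int port_expected(unsigned port, const unsigned *expected, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (expected[i] == port)
            return 1;
    return 0;
}

/* Copy listeners whose port is not on the expected list into `flagged`. */
size_t flag_unexpected(const char *table, const unsigned *expected, size_t n_expected,
                       listener_t *flagged, size_t max)
{
    listener_t all[MAX_LISTENERS];
    size_t total = collect_listeners(table, all, MAX_LISTENERS), bad = 0;
    for (size_t i = 0; i < total && bad < max; i++)
        if (!port_expected(all[i].port, expected, n_expected))
            flagged[bad++] = all[i];
    return bad;
}

/* First unexpected listening port, or 0 when every listener is accounted for. */
unsigned first_unexpected_port(const char *table, const unsigned *expected, size_t n_expected)
{
    listener_t flagged[1];
    return flag_unexpected(table, expected, n_expected, flagged, 1) ? flagged[0].port : 0;
}

/* Constructed sample table (not captured from a real host): sshd on 22, a
 * mail listener on 25, one established SSH session, and an unexplained
 * listener on 5002 (0x138A), the port the Cd00r slides mention. */
const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11234 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11301 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0A000105:0016 0A000107:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 11240 1 0000000000000000 20 4 30 10 -1\n"
    "   3: 00000000:138A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20999 1 0000000000000000 100 0 0 10 0\n";

/* Constructed policy: the ports this host is supposed to serve. */
const unsigned EXPECTED_PORTS[] = { 22, 25 };
#define N_EXPECTED (sizeof EXPECTED_PORTS / sizeof EXPECTED_PORTS[0])

int main(void)
{
    static char live[1 << 16];
    const char *table = SAMPLE_PROC_NET_TCP;
    FILE *f = fopen("/proc/net/tcp", "r");   /* use the live table when present */
    if (f) {
        size_t n = fread(live, 1, sizeof live - 1, f);
        live[n] = '\0';
        fclose(f);
        table = live;
    }
    listener_t flagged[MAX_LISTENERS];
    size_t bad = flag_unexpected(table, EXPECTED_PORTS, N_EXPECTED, flagged, MAX_LISTENERS);
    for (size_t i = 0; i < bad; i++)
        printf("unexpected listener: tcp/%u (socket inode %lu)\n", flagged[i].port, flagged[i].inode);
    return bad ? 1 : 0;
}
```

The inode is kept because it is the link from a port back to a process: `lsof` maps socket inodes to PIDs, which is how you get from "something listens on 5002" to the binary behind it. The check is also only as good as its timing, which is the point the following slides make: a Cd00r-style backdoor opens its listener for a moment and closes it again, so a one-off snapshot can miss it and the audit needs to be repeated or complemented by watching the traffic.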


Sniffing Backdoors

  • Who says a backdoor has to wait listening on a port?

  • Attackers don't want to get caught

    • They are increasingly using stealthy backdoors

  • A sniffer can gather the traffic, rather than listening on an open port

    • Non-promiscuous sniffing backdoors

      • Grab traffic just for one host

    • Promiscuous sniffing backdoors

      • Grab all traffic on the LAN


Non-Promiscuous Backdoor – Cd00r

  • Written by FX

    • http://www.phenoelit.de/stuff/cd00r.c

  • Includes a non-promiscuous sniffer

    • Gathers only packets destined for the single target machine

  • Several packets directed to specific ports (where there is no listener) will trigger the backdoor

    • Sniffer grabs packets, not a listener on the ports

  • Backdoor root shell starts to listen on TCP port 5002 only when packets arrive to the trigger ports


Non-Promiscuous Backdoor – Cd00r in Action

  Diagram (Cd00r in action):

    Client -> Server: SYN to port X
    Client -> Server: SYN to port Y
    Client -> Server: SYN to port Z
    Server: sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z; after Z is received, activate temporary listener on port 5002
    Client -> Server: connection to root shell on port 5002

  • The idea has been extended to eliminate even port 5002

    • Netcat can push back a command shell from server, so no listener ever required

    • Connection goes from server back to client


Promiscuous Backdoor

  • Can be used to help throw off an investigation

  • Attacker sends data for destination on same network

  • But the backdoor isn't located at the destination of the backdoor traffic

    • Huh? How does that work?


Promiscuous Backdoor in Action

  Diagram: Internet -> Firewall -> internal LAN with WWW server and DNS server; sniffer on the DNS server listens for traffic destined for the WWW server

  • Backdoor is located on DNS server

  • All packets sent to WWW server

  • DNS server backdoor sniffs promiscuously

    • In switched environment, attacker may use ARP cache poisoning

  • Confusing for investigators


Sniffing Backdoor Defenses

  • Prevent attacker from getting on system in the first place (of course)

  • Know which processes are supposed to be running on the system

    • Especially if they have root privileges!

    • Not easy, but very important

    • Beware of stealthy names (like "UPS" or "SCSI")

  • Look for anomalous traffic

  • Look for sniffers


Here Come the Worms!

  • Compromising systems one-by-one can be such a chore

  • Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses

  • Worms automate the process

    • Take over systems

    • Scan for new vulnerable systems

    • Self-replicate by moving across the network to another vulnerable system

    • Each instance of a worm is a “segment”


2001: Year of the Worm?

  • In 2001, we saw:

    • Ramen

    • L10n

    • Cheese

    • Sadmind/IIS

    • Code Red and Code Red II

    • Nimda

  • To date, worms haven’t been nearly as nasty as they could be

  • Most damage is a result of worm resource consumption

  • New generations of worms arrive every 2 to 6 months


Coming Soon - Super Worms

  • 2002 could be even wormier

  • Be on the lookout for very nasty new worms

    • Multi-functional

      • Spread, steal, erase, etc.

    • Multi-platform

      • Win, Linux, Solaris, BSD, AIX, HP-UX…

    • Multi-exploit

      • Many buffer overflows, etc.

    • Zero-Day exploits

      • Just discovered; no patch available

    • Polymorphic

    • Metamorphic

  • We’ve seen many of these pieces, but no one has rolled them all together… yet!


Worm Defenses

  • Buffer overflow defenses help a lot here

  • Rapidly deploy patches

  • Anti-virus solutions

    • At the desktop…

    • …AND at the mail server

    • …AND at the file server

  • Incident response capabilities, linked with network management


Conclusions

  • The attack tools continue to get better

  • Attackers are getting stealthier every day

  • But don't fret… we can work diligently to keep up

  • There's no such thing as 100% security

  • Still, by preparing, we can get ready for the big 'uns


References – Keeping Up

  • The web:

    • www.securityfocus.com

    • www.searchsecurity.com

    • www.counterhack.net

  • Books:

    • Hack Counter Hack CD-ROM, Skoudis, 2002

    • Counter Hack, Skoudis, 2001

    • Hacker's Challenge, Schiffman, 2001

    • Hacking Exposed, Kurtz, et al, 2001
