The New Breed of Hacker Tools & Techniques

Ed Skoudis

VP, Security Strategy

Predictive Systems

[email protected]


"Crack the Hacker" Challenge

  • Win a key-chain USB Hard Drive!

  • http://searchwebmanagement.discussions.techtarget.com

  • Look for skoudis

  • Or, Just go to: http://searchwebmanagement.discussions.techtarget.com/WebX?msgInContex[email protected]^4@.ee84438/82!viewtype=threadDate&skip=&expand=

© 2002, Ed Skoudis and Predictive Systems


Key Points

  • General Trends

  • War Driving

  • Polymorphic Buffer Overflow

  • Hidden Backdoors

  • Super Worms

  • Conclusions

General Trends

  • The rise of anti-disclosure

    • Full-disclosure has its problems—tell everyone everything

    • Anti-disclosure has a whole new set of problems

    • Famous Microsoft letter on Information Anarchy

      • Driving some things underground

      • Kiddies don't have everything…

      • …but what is lurking out there?

  • Hacktivism

    • In times of war, attackers can make a political point

  • Attacks targeting end-user systems on high-bandwidth connections (DSL and Cable Modem)

  • A focus on tools getting more stealthy

    • Hiding has tremendous benefits for an attacker

Wireless Attacks

  • Wireless technology is getting much cheaper

  • Base stations for less than $200, with wireless cards under $100

    • IEEE 802.11b standard very popular

    • Employees setting up their own access points so they can roam around the halls

    • Very dangerous!

  • War driving

    • With a laptop and wireless card, an attacker can drive down the street and join many wireless LANs!

Wireless Misconfigurations

  • Many wireless access points (a.k.a. base stations) are configured with no security

  • In some installations, users think SSIDs are passwords

    • They are not!

    • Blank or default SSIDs are common

  • Access points often respond to broadcast requests asking for the SSID

  • SSIDs are sent in clear text and can be sniffed

NetStumbler - Premier Tool for War Driving

  • NetStumbler, by Marius Milner

    • http://www.netstumbler.com

    • Windows-based (95, 98, ME, 2000, XP)

      • And PocketPC (Mini Stumbler)… but not NT

Other Tools For War Driving

  • Wi-scan (Perl script)

    • http://www.dis.org/wl/

    • Ties in geography (using GPS) with SSID

  • Airsnort

    • http://airsnort.sourceforge.net/

    • Cracks WEP keys

    • Runs on Linux, requires Prism2 chipset (Linksys), and needs ~500 Meg of data

  • Airopeek

    • www.wildpackets.com/products/airopeek

    • Commercial

War Driving Defenses

  • Set SSID to difficult-to-guess value

    • Can still be broadcast, sniffed, or brute-forced

    • Not at all effective!!

  • MAC address filtering at access point

    • Wireless card MAC addresses can be spoofed

      • Dsniff supports this

  • Set WEP keys, and rotate them periodically

    • Remember, WEP can be cracked

  • Best Defense - Use Virtual Private Network

    • All data from end system through wireless device to VPN gateway encrypted and authenticated

  • Establish policy for these items

    • Check out www.counterhack.net for examples

What is a Buffer Overflow?

  • Seminal paper on this technique by Aleph One titled “Smashing the Stack for Fun and Profit”

  • Allows an attacker to execute arbitrary commands on your machine

  • Take over system or escalate privileges

    • Get root or admin privileges

  • Based on putting too much information into undersized receptacles

    • Caused by not having proper bounds checking in software
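
The "proper bounds checking" this slide refers to, shown as an added C example (not from the slides and not from Aleph One's paper): the classic unbounded strcpy into a fixed-size stack buffer next to a version that measures the input before copying. The function and buffer names are mine.

```c
/* Added example (not from the slides): the bounds-checking defect the
 * slides describe, next to a hardened version. Names are my own. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* VULNERABLE: no length check. A name longer than 15 bytes runs past buf
 * on the stack and over whatever sits above it, including the saved
 * return pointer. Calling this with long input is undefined behaviour;
 * it is here only to show the defect and is never called below. */
void greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);              /* writes strlen(name)+1 bytes, unbounded */
    printf("Hello, %s\n", buf);
}

/* HARDENED: the input is measured before it is copied, and anything that
 * does not fit is rejected rather than silently truncated.
 * Returns 0 on success, -1 if the input is too long for the buffer. */
int greet_safe(const char *name)
{
    char buf[NAME_LEN];
    size_t n = strlen(name);
    if (n >= sizeof buf)            /* need room for the terminating NUL */
        return -1;
    memcpy(buf, name, n + 1);       /* bounded copy: at most NAME_LEN bytes */
    printf("Hello, %s\n", buf);
    return 0;
}

/* The same check on its own, so callers can validate before any copy. */
int fits_in_name_buffer(const char *name)
{
    return strlen(name) < NAME_LEN;
}

int main(void)
{
    const char *ok  = "alice";                           /* constructed input */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes, constructed */
    greet_safe(ok);
    if (greet_safe(bad) != 0)
        puts("rejected over-long input instead of overflowing");
    /* greet_unsafe(bad) would smash the stack; deliberately not called. */
    return 0;
}
```

The hardened version rejects rather than truncates, so the caller learns that input was dropped; a strncpy "half-fix" truncates silently and leaves the buffer unterminated when the input exactly fills it. The non-executable stacks listed later under defenses limit what an attacker gets from the unsafe version, but do not remove the bug.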

A Normal Stack

  • Programs call their subroutines, allocating memory space for function variables on the stack

  • The stack is like a scratchpad for storing little items to remember

  • The stack is LIFO

  • The return pointer (RP) contains the address of the original function, so execution can return there when the function call is done

[Figure: Normal Stack. From bottom of memory to top of memory: ... | Buffer 2 (Local Variable 2) | Buffer 1 (Local Variable 1) | Return Pointer | Function Call Arguments | ... The fill direction of the buffers runs toward the return pointer.]

Smashing The Stack

  • User data is written into the allocated buffer by the function

  • If the data size is not checked, the return pointer can be overwritten by user data

  • Attacker places exploit machine code in the buffer and overwrites the return pointer

  • When the function returns, the attacker’s code is executed

[Figure: Smashed Stack. From bottom of memory to top of memory: ... | Buffer 2 (Local Variable 2) | Buffer 1 space is overwritten with machine code: execve(/bin/sh) | Return Pointer is overwritten with a new pointer to the exec code | Function Call Arguments | ...]

Improving the Odds that the Return Pointer Will be OK

  • Include NOPs in advance of the executable code

    • Then, if your pointer goes to the NOPs, nothing will happen

    • Execution will continue down the stack until it gets to your exploit

    • NOPs can be used to detect these exploits on the network

    • Many ways to do a NOP

[Figure: Smashed Stack, now with a NOP sled: NOP NOP NOP NOP NOP | Machine Code: execve(/bin/sh) (Buffer 1 space is overwritten) | Return Pointer is overwritten with a new pointer to the exec code | Function Call Arguments | ... | Top of Memory]

Polymorphic Buffer Overflow

  • In April 2001, ADMutate was released by K2

    • http://www.ktwo.ca/security.html

  • ADMutate designed to defeat IDS signature checking by altering the appearance of buffer overflow exploit

    • Using techniques borrowed from virus writers

  • Works on Intel, Sparc, and HPPA processors

  • Targets Linux, Solaris, IRIX, HPUX, OpenBSD, UnixWare, OpenServer, TRU64, NetBSD, and FreeBSD

How ADMutate Works

  • We want functionally equivalent code, but with a different appearance

    • "How are you?" vs. "How ya doin'?" vs. "What's up?"

  • Exploit consists of 3 elements

    • NOPs

    • Exec-a-shell code

    • Return address

[Figure: the three exploit elements in order: NOP NOP NOP NOP NOP | Machine Code: execve(/bin/sh) | Pointer to exec stack code]

Mutation Engine

  • ADMutate alters each of these elements

    • NOP substitution with operationally inert commands

    • Shell code encoded by XORing with a randomly generated key

    • Return address modulated – least significant byte altered to jump into different parts of NOPs

[Figure: the mutated exploit: NOP substitute | Another NOP | Yet another NOP | A different NOP | Here's a NOP | XOR'ed Machine Code: execve(/bin/sh) | Modulated Pointer to NOP Substitutes]

What About Decoding?

  • That’s nice, but how do you decode the XOR'ed shell code?

    • You can't just run it, because it is gibberish until it's decoded

    • So, add some commands that will decode it

    • Can’t the decoder be detected by IDS?

  • The decoder is created using random elements

    • Several different components of decoder (e.g., 1,2,3,4,5,6,7)

    • Various decoder components can be interchanged (e.g., 2-3 or 3-2)

    • Each component can be made up of different machine language commands

  • The decoder itself is polymorphic

[Figure: the mutated exploit with its decoder: NOP substitute | Another NOP | Yet another NOP | A different NOP | Here's a NOP | Polymorphic XOR Decoder | XOR'ed Machine Code: execve(/bin/sh) | Modulated Pointer to NOP Substitutes]

ADMutate – Customizability!

  • New version allows attacker to apply different weights to generated ASCII equivalents of machine language code

    • Allows attacker to tweak the statistical distribution of resulting characters

    • Makes traffic look more like “standard” for a given protocol, from a statistical perspective

    • Example: more heavily weight characters "<" and ">" in HTTP

    • Narrows the universe of equivalent polymorphs, but still very powerful!

ADMutate Defenses

  • Defend against buffer overflows

    • Apply patches – defined process

    • Non-executable system stacks

      • Solaris – OS Setting

      • Linux – www.openwall.com

      • NT/2000 – SecureStack from www.securewave.com

    • Code Review – educate developers

  • Detection: IDS vendors at work on this capability now

    • Snort release in Feb 2002

      • Looks for variations of NOP sled
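
To make the "Mutation Engine" slide and this defenses slide concrete, here is an added C example (not ADMutate's code, not Snort's implementation, and not from the slides): a constructed sled of NOP-equivalent single-byte x86 instructions followed by a plain ASCII marker that stands in for the shell code. A byte signature on the marker matches the plain form and misses the XOR-encoded form, while a detector that measures runs of NOP-equivalent bytes (the kind of check the slide attributes to the Feb 2002 Snort release) fires on both, because the mutation step leaves the sled to be varied by substitution from the same small opcode set. The opcode table, the key, the threshold and the sample bytes are all my own choices.

```c
/* Added example (not ADMutate's or Snort's code, not from the slides): why a
 * byte signature on the shell code stops matching once it is XOR-encoded,
 * and why a detector that looks for runs of NOP-equivalent bytes still
 * fires. All byte strings are constructed; the "payload" is an ASCII
 * marker, not machine code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Single-byte x86 instructions commonly used as NOP substitutes in a sled:
 * nop, inc/dec reg, push/pop reg, xchg eax,reg, and a few flag/convert
 * ops. A real engine can use multi-byte fillers too; this is the simple
 * case and the table is my own selection. */
static int nop_like(unsigned char b)
{
    if (b == 0x90) return 1;                 /* nop */
    if (b >= 0x40 && b <= 0x5F) return 1;    /* inc/dec/push/pop r32 */
    if (b >= 0x91 && b <= 0x99) return 1;    /* xchg eax,r32; cwde; cdq */
    switch (b) {
    case 0x27: case 0x2F: case 0x37: case 0x3F:   /* daa das aaa aas */
    case 0x9E: case 0x9F: case 0xF5:              /* sahf lahf cmc   */
    case 0xF8: case 0xF9: case 0xFC: case 0xFD:   /* clc stc cld std */
        return 1;
    default:
        return 0;
    }
}

/* Length of the longest run of consecutive NOP-like bytes. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = nop_like(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Alert if any run reaches the threshold. Tune it to the protocol: long
 * runs of capital letters are legal in some traffic. */
int sled_detected(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len) >= threshold;
}

/* Naive byte-signature search; returns 1 if needle occurs in hay. */
int signature_hits(const unsigned char *hay, size_t hlen,
                   const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* The mutation step from the slides: XOR every payload byte with one key.
 * Applying it twice restores the original, which is what the decoder
 * relies on. */
void xor_bytes(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

#define SLED_LEN 40
#define KEY 0xAA
static const unsigned char MARKER[] = "example-payload";  /* constructed stand-in */
#define MARKER_LEN (sizeof MARKER - 1)

/* Build sled + marker. If encoded != 0, XOR only the marker: the engine
 * varies the sled by substitution, not by encoding. */
static size_t build_sample(unsigned char *out, int encoded)
{
    static const unsigned char fillers[] = { 0x90, 0x41, 0x4A, 0x50, 0x5B };
    for (size_t i = 0; i < SLED_LEN; i++) out[i] = fillers[i % 5];
    memcpy(out + SLED_LEN, MARKER, MARKER_LEN);
    if (encoded) xor_bytes(out + SLED_LEN, MARKER_LEN, KEY);
    return SLED_LEN + MARKER_LEN;
}

int demo_signature_hits(int encoded)
{
    unsigned char buf[SLED_LEN + MARKER_LEN];
    size_t n = build_sample(buf, encoded);
    return signature_hits(buf, n, MARKER, MARKER_LEN);
}

size_t demo_longest_run(int encoded)
{
    unsigned char buf[SLED_LEN + MARKER_LEN];
    size_t n = build_sample(buf, encoded);
    return longest_nop_run(buf, n);
}

int main(void)
{
    printf("plain:   signature=%d sled_run=%zu\n", demo_signature_hits(0), demo_longest_run(0));
    printf("encoded: signature=%d sled_run=%zu\n", demo_signature_hits(1), demo_longest_run(1));
    return 0;
}
```

The threshold matters: the capital letters A through Z are exactly the inc/dec/push/pop opcodes in the table, so a run threshold set too low alerts on ordinary text. Set it from what normal traffic on the protocol looks like, which is also what ADMutate's character weighting on the previous slide is aimed at.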

Hidden Backdoors

[Figure: a backdoor listens on port ABC, reachable from the network.]

  • Attacker takes over your system and installs a backdoor to ensure future access

    • Backdoor listens, giving shell access

  • How do you find a backdoor listener?

  • Sometimes, they are discovered by noticing a listening port

    • Nmap port scan across the network

    • Running "netstat -na" locally

    • Running lsof (UNIX) or Inzider (Windows)
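
An added C example (not from the slides) of the "notice a listening port" step on Linux: it reads the table that netstat -na and lsof consult, /proc/net/tcp, keeps the sockets in LISTEN state, and compares their ports against a baseline of what the host is supposed to serve. The table contents and the baseline (ports 22 and 631) are constructed for the demo.

```c
/* Added example (not from the slides): the local "what is listening?" check
 * behind netstat -na, done by reading Linux's /proc/net/tcp directly and
 * comparing against an allow-list of expected ports. SAMPLE and ALLOWED are
 * constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TCP_LISTEN 0x0A   /* "st" column value for a listening socket */
#define MAX_LISTEN 64

typedef struct {
    unsigned ip;          /* host byte order */
    unsigned port;
    unsigned uid;
    unsigned long inode;  /* what lsof uses to map the socket to a process */
} listener_t;

/* Parse one /proc/net/tcp data line. local_address is "AABBCCDD:PPPP":
 * IPv4 bytes in little-endian hex, port in big-endian hex.
 * Returns 1 and fills *out if the line is a LISTEN socket, else 0. */
int parse_tcp_line(const char *line, listener_t *out)
{
    unsigned sl, laddr, lport, raddr, rport, st, txq, rxq, tr, when, retr, uid;
    unsigned long inode;
    int n = sscanf(line,
        " %u: %8x:%4x %8x:%4x %2x %8x:%8x %2x:%8x %8x %u %*u %lu",
        &sl, &laddr, &lport, &raddr, &rport, &st, &txq, &rxq, &tr, &when,
        &retr, &uid, &inode);
    if (n != 13 || st != TCP_LISTEN) return 0;
    /* swap the little-endian address into host order for printing */
    out->ip = ((laddr & 0xFF) << 24) | ((laddr & 0xFF00) << 8) |
              ((laddr >> 8) & 0xFF00) | (laddr >> 24);
    out->port = lport;
    out->uid = uid;
    out->inode = inode;
    return 1;
}

/* Walk a whole table (header line first) and collect the listeners. */
size_t collect_listeners(const char *table, listener_t *out, size_t max)
{
    size_t count = 0;
    const char *p = table;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_tcp_line(line, &out[count])) count++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* 1 if port is in the expected set, else 0. */
int port_expected(unsigned port, const unsigned *allow, size_t n)
{
    for (size_t i = 0; i < n; i++) if (allow[i] == port) return 1;
    return 0;
}

/* Constructed sample: a listener on 22, one on 631 bound to loopback, an
 * established connection (st 01, ignored), and a listener on 5002. */
static const char SAMPLE[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0\n"
"   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0\n"
"   2: 0A00020F:0016 0A000201:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1\n"
"   3: 00000000:138A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 100 0 0 10 0\n";

static const unsigned ALLOWED[] = { 22, 631 };   /* assumed baseline for this host */

/* Number of listeners in the sample not on the allow-list (prints each). */
size_t unexpected_in_sample(void)
{
    listener_t l[MAX_LISTEN];
    size_t n = collect_listeners(SAMPLE, l, MAX_LISTEN), bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (port_expected(l[i].port, ALLOWED, 2)) continue;
        printf("unexpected listener: %u.%u.%u.%u:%u uid=%u inode=%lu\n",
               l[i].ip >> 24, (l[i].ip >> 16) & 0xFF, (l[i].ip >> 8) & 0xFF,
               l[i].ip & 0xFF, l[i].port, l[i].uid, l[i].inode);
        bad++;
    }
    return bad;
}

int main(void)
{
    printf("%zu unexpected listener(s) in sample\n", unexpected_in_sample());
    return 0;
}
```

To run it for real, replace SAMPLE with the contents of /proc/net/tcp (and /proc/net/tcp6, same layout). The inode column is what lsof uses to tie a socket back to its process by scanning /proc/<pid>/fd, which gets you to the "know which processes are supposed to be running" check on the defenses slide.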

Sniffing Backdoors

  • Who says a backdoor has to wait listening on a port?

  • Attackers don't want to get caught

    • They are increasingly using stealthy backdoors

  • A sniffer can gather the traffic, rather than listening on an open port

    • Non-promiscuous sniffing backdoors

      • Grab traffic just for one host

    • Promiscuous sniffing backdoors

      • Grab all traffic on the LAN

Non-Promiscuous Backdoor – Cd00r

  • Written by FX

    • http://www.phenoelit.de/stuff/cd00r.c

  • Includes a non-promiscuous sniffer

    • Gathers only packets destined for the single target machine

  • Several packets directed to specific ports (where there is no listener) will trigger the backdoor

    • Sniffer grabs packets, not a listener on the ports

  • Backdoor root shell starts to listen on TCP port 5002 only when packets arrive to the trigger ports

Non-Promiscuous Backdoor – Cd00r in Action

Sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z

  • The idea has been extended to eliminate even port 5002

    • Netcat can push back a command shell from server, so no listener ever required

    • Connection goes from server back to client

[Figure: Cd00r in action. The client sends SYN to port X, SYN to port Y, SYN to port Z to the server; after Z is received, the server activates a temporary listener on port 5002, and the client connects to the root shell on port 5002.]
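
An added C example (not cd00r's code and not from the slides) of the traffic-side check for the trigger pattern shown in the two Cd00r slides: the target has no listener on ports X, Y and Z, so every trigger packet is a SYN to a closed port, and a sensor or host firewall log that records such SYNs per source can flag a source that touches several distinct closed ports. The packet records, the open-port set and the threshold are constructed.

```c
/* Added example (not cd00r's code, not from the slides): count SYNs to
 * closed ports per source and flag sources that touch several distinct
 * ones. The packet records, open-port set and threshold are constructed. */
#include <stdio.h>
#include <string.h>

typedef struct { unsigned src; unsigned dst_port; int syn; } pkt_t;

#define MAX_SRC   16
#define MAX_PORTS  8

typedef struct { unsigned src; unsigned ports[MAX_PORTS]; size_t nports; } probe_rec_t;

static int port_open(unsigned port, const unsigned *open, size_t n)
{
    for (size_t i = 0; i < n; i++) if (open[i] == port) return 1;
    return 0;
}

/* Find the record for src, or create one; NULL when the table is full. */
static probe_rec_t *record_for(probe_rec_t *t, size_t *n, unsigned src)
{
    for (size_t i = 0; i < *n; i++) if (t[i].src == src) return &t[i];
    if (*n == MAX_SRC) return NULL;
    t[*n].src = src;
    t[*n].nports = 0;
    return &t[(*n)++];
}

/* Remember a closed port for this source, counting each port once. */
static void note_port(probe_rec_t *r, unsigned port)
{
    for (size_t i = 0; i < r->nports; i++) if (r->ports[i] == port) return;
    if (r->nports < MAX_PORTS) r->ports[r->nports++] = port;
}

/* Returns how many sources sent SYNs to at least `threshold` distinct
 * closed ports; their addresses are written to flagged[] (up to maxf). */
size_t closed_port_probers(const pkt_t *pk, size_t npk,
                           const unsigned *open, size_t nopen,
                           size_t threshold, unsigned *flagged, size_t maxf)
{
    probe_rec_t table[MAX_SRC];
    size_t n = 0, found = 0;
    for (size_t i = 0; i < npk; i++) {
        if (!pk[i].syn || port_open(pk[i].dst_port, open, nopen)) continue;
        probe_rec_t *r = record_for(table, &n, pk[i].src);
        if (r) note_port(r, pk[i].dst_port);
    }
    for (size_t i = 0; i < n; i++)
        if (table[i].nports >= threshold && found < maxf)
            flagged[found++] = table[i].src;
    return found;
}

/* Constructed sample: 10.0.0.1 sends SYNs to three closed ports and then to
 * 5002; 10.0.0.2 uses the web server normally; 10.0.0.3 hits one closed
 * port twice. */
static const unsigned OPEN_PORTS[] = { 22, 80, 443 };
static const pkt_t SAMPLE[] = {
    { 0x0A000001, 8001, 1 }, { 0x0A000001, 8002, 1 }, { 0x0A000001, 8003, 1 },
    { 0x0A000001, 5002, 1 },
    { 0x0A000002,   80, 1 }, { 0x0A000002,  443, 1 }, { 0x0A000002,   80, 0 },
    { 0x0A000003, 8001, 1 }, { 0x0A000003, 8001, 1 },
};

size_t flagged_in_sample(unsigned *out, size_t max)
{
    return closed_port_probers(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0],
                               OPEN_PORTS, 3, 3, out, max);
}

int main(void)
{
    unsigned who[MAX_SRC];
    size_t n = flagged_in_sample(who, MAX_SRC);
    for (size_t i = 0; i < n; i++)
        printf("closed-port probing from %u.%u.%u.%u\n", who[i] >> 24,
               (who[i] >> 16) & 0xFF, (who[i] >> 8) & 0xFF, who[i] & 0xFF);
    return 0;
}
```

On a real sensor the same counter doubles as a port-scan detector, so the threshold and time window have to be tuned to the network. The cd00r-specific signal is a source that probes a few closed ports and is then seen connecting to a port that was closed moments earlier (5002 in the slide); the sample's first source shows that sequence, though this block only counts the closed-port probes.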

Promiscuous Backdoor

  • Can be used to help throw off an investigation

  • Attacker sends data for destination on same network

  • But the backdoor isn't located at the destination of the backdoor traffic

    • Huh? How does that work?

Promiscuous Backdoor in Action

[Figure: Internet → Firewall → WWW server and DNS server on the same network. The sniffer on the DNS server listens for traffic destined for the WWW server.]

  • Backdoor is located on DNS server

  • All packets sent to WWW server

  • DNS server backdoor sniffs promiscuously

    • In switched environment, attacker may use ARP cache poisoning

  • Confusing for investigators

Sniffing Backdoor Defenses

  • Prevent attacker from getting on system in the first place (of course)

  • Know which processes are supposed to be running on the system

    • Especially if they have root privileges!

    • Not easy, but very important

    • Beware of stealthy names (like "UPS" or "SCSI")

  • Look for anomalous traffic

  • Look for sniffers
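
For the "look for sniffers" item, an added C example (not from the slides) with two Linux checks: reading the interface flag word from /sys/class/net/<if>/flags and testing the IFF_PROMISC bit (0x100), and scanning kernel log lines for the "device X entered promiscuous mode" message the kernel writes when a program puts an interface into promiscuous mode. The flag values and log lines are constructed; the live sysfs walk in main is best effort and only runs where that directory exists.

```c
/* Added example (not from the slides): two Linux-side checks for a sniffer
 * in promiscuous mode. (1) the interface flag word from
 * /sys/class/net/<if>/flags, where IFF_PROMISC is bit 0x100; (2) the
 * kernel log line "device <if> entered promiscuous mode". The flag values
 * and log lines below are constructed samples. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>

#define IFF_PROMISC_BIT 0x100u   /* value of IFF_PROMISC from <linux/if.h> */

/* Parse the content of a sysfs flags file, e.g. "0x1103\n"; -1 on error. */
long parse_iface_flags(const char *text)
{
    char *end;
    unsigned long v = strtoul(text, &end, 0);   /* base 0 accepts the 0x prefix */
    return end == text ? -1 : (long)v;
}

int flags_promisc(long flags)
{
    return flags >= 0 && (flags & IFF_PROMISC_BIT) != 0;
}

/* Read the live flags for one interface; -1 if the file cannot be read. */
long read_iface_flags(const char *ifname)
{
    char path[256], buf[32];
    snprintf(path, sizeof path, "/sys/class/net/%s/flags", ifname);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char *got = fgets(buf, sizeof buf, f);
    fclose(f);
    return got ? parse_iface_flags(buf) : -1;
}

/* Count kernel log lines of the form "device X entered promiscuous mode";
 * the first interface name seen is copied into first_dev (if non-NULL). */
int count_promisc_log_entries(const char *log, char *first_dev, size_t devlen)
{
    int hits = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        const char *d = strstr(line, "device ");
        if (d && strstr(d, " entered promiscuous mode")) {
            if (hits == 0 && first_dev) {
                char name[32] = "";
                sscanf(d, "device %31s", name);   /* name ends at the next space */
                snprintf(first_dev, devlen, "%s", name);
            }
            hits++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample of kernel log lines. */
static const char SAMPLE_LOG[] =
    "Feb 12 03:14:07 host kernel: eth0: link up\n"
    "Feb 12 03:20:41 host kernel: device eth0 entered promiscuous mode\n"
    "Feb 12 03:21:02 host kernel: device eth0 left promiscuous mode\n"
    "Feb 12 04:02:55 host kernel: device eth1 entered promiscuous mode\n";

int main(void)
{
    /* Best effort on the live system: list every interface and its state. */
    DIR *d = opendir("/sys/class/net");
    if (d) {
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            if (e->d_name[0] == '.') continue;
            long fl = read_iface_flags(e->d_name);
            printf("%-8s flags=0x%lx promisc=%s\n", e->d_name,
                   fl < 0 ? 0UL : (unsigned long)fl, flags_promisc(fl) ? "YES" : "no");
        }
        closedir(d);
    }
    char dev[32] = "";
    int n = count_promisc_log_entries(SAMPLE_LOG, dev, sizeof dev);
    printf("%d promiscuous-mode log entries in sample, first device %s\n", n, dev);
    return 0;
}
```

A legitimate IDS sensor sets the same flag, which is the slide's point about knowing what is supposed to run on the box: the check only helps against a baseline. A non-promiscuous sniffing backdoor like the Cd00r described above never sets the flag, so the process and traffic checks on this slide still have to back this one up.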

Here Come the Worms!

  • Compromising systems one-by-one can be such a chore

  • Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses

  • Worms automate the process

    • Take over systems

    • Scan for new vulnerable systems

    • Self-replicate by moving across the network to another vulnerable system

    • Each instance of a worm is a “segment”

2001: Year of the Worm?

  • In 2001, we saw:

    • Ramen

    • L10n

    • Cheese

    • Sadmind/IIS

    • Code Red and Code Red II

    • Nimda

  • To date, worms haven’t been nearly as nasty as they could be

  • Most damage is a result of worm resource consumption

  • New generations of worms arrive every 2 to 6 months

Coming Soon - Super Worms

  • 2002 could be even wormier

  • Be on the lookout for very nasty new worms

    • Multi-functional

      • Spread, steal, erase, etc.

    • Multi-platform

      • Win, Linux, Solaris, BSD, AIX, HP-UX…

    • Multi-exploit

      • Many buffer overflows, etc.

    • Zero-Day exploits

      • Just discovered; no patch available

    • Polymorphic

    • Metamorphic

  • We’ve seen many of these pieces, but no one has rolled them all together… yet!

Worm Defenses

  • Buffer overflow defenses help a lot here

  • Rapidly deploy patches

  • Anti-virus solutions

    • At the desktop…

    • …AND at the mail server

    • …AND at the file server

  • Incident response capabilities, linked with network management

Conclusions

  • The attack tools continue to get better

  • Attackers are getting stealthier every day

  • But don't fret… we can work diligently to keep up

  • There's no such thing as 100% security

  • Still, by preparing, we can get ready for the bigguns'

References – Keeping Up

  • The web:

    • www.securityfocus.com

    • www.searchsecurity.com

    • www.counterhack.net

  • Books:

    • Hack Counter Hack CD-ROM, Skoudis, 2002

    • Counter Hack, Skoudis, 2001

    • Hacker's Challenge, Schiffman, 2001

    • Hacking Exposed, Kurtz, et al, 2001
