
Seminar Series Breaking News – The Latest Computer Attacks and Defenses

Seminar Series Breaking News – The Latest Computer Attacks and Defenses. Ed Skoudis June 6, 2003. Presentation Outline. Purpose & General Trends Step 1: Reconnaissance Step 2: Scanning Step 3: Gaining Access Step 4: Maintaining Access Step 5: Covering the Tracks Conclusions.


Presentation Transcript


  1. Seminar Series: Breaking News – The Latest Computer Attacks and Defenses Ed Skoudis June 6, 2003

  2. Presentation Outline Purpose & General Trends Step 1: Reconnaissance Step 2: Scanning Step 3: Gaining Access Step 4: Maintaining Access Step 5: Covering the Tracks Conclusions ©2003 Ed Skoudis

  3. A Quote from One of History’s Greatest Hackers • If you know the enemy and know yourself, you need not fear the result of a hundred battles. • If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. • If you know neither the enemy nor yourself, you will succumb in every battle. —Sun Tzu, The Art of War

  4. Purpose • We’re not here to teach you how to hack… • However, to defend yourself, you must understand your adversaries’ strategies and tactics • We will discuss prominent recent advances in computer attack techniques… • …to gain an understanding of how to defend against new attacks • We are not endorsing these attack tools • But you have to be ready to defend against them • We will also discuss a variety of useful defensive tools… but check to make sure you have permission to use them! Talk to the system owners…

  5. General Trends – The Storm after the Quiet • For six months, we saw a major drop in the release of new vulnerabilities and attack tools after September 11, 2001 • Shock over terrorism • Fear of law enforcement and the PATRIOT Act • Concern about the DMCA • (Timeline: Sept 11, 2001 to March 2002, relatively quiet; March 2002 to now, the gloves are off! Major new attacks and tools)

  6. General Trends – Software Distro Site Attacks • Trojaning software distribution sites • Hack into the web/ftp site and alter the software to include a backdoor • Everyone who downloads and uses the tool is impacted! • May, 2002: irssi.org - IRC client compromised • May 17-24, 2002: Monkey.org - Dsniff, Fragroute, and Fragrouter hacking tools compromised • July 30 – August 1, 2002: Openssh.org, OpenSSH security tool compromised • Sept 28 - Oct 6, 2002: ftp.sendmail.org, sendmail mail server compromised • Nov 11-13, 2002: tcpdump.org, tcpdump sniffer and libpcap • Some pretty big names have fallen to this attack! • What to do? • Check hashes… across multiple mirrors • Don’t put new software directly into production… test first!
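The cross-mirror check the slide recommends, written out as an added Python example (this is not code from the talk). The archive bytes, the mirror names and the published hash values are constructed for the example; in real use the hashes would be fetched from several independent mirrors, or from the release announcement and signature file, separately from the archive itself.

```python
import hashlib
from collections import Counter

# Constructed sample data: a stand-in for a downloaded source tarball, and the
# SHA-256 values three hypothetical mirrors publish for that release. The third
# mirror disagrees, standing in for a site that served an altered archive
# together with a hash the intruder rewrote to match it.
ARCHIVE = b"tcpdump-3.7.1 stand-in archive bytes for the example\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GOOD_HASH = sha256_hex(ARCHIVE)
MIRROR_HASHES = {
    "mirror-a.example.net": GOOD_HASH,
    "mirror-b.example.net": GOOD_HASH,
    "mirror-c.example.net": "0" * 64,
}


def verify_against_mirrors(data: bytes, mirror_hashes: dict, quorum: int):
    """Compare the local file's hash with the hashes independent mirrors publish.

    Returns (accepted, consensus_hash, dissenting_mirrors). The file is accepted
    only if at least `quorum` mirrors agree on one hash AND the local file has
    that hash. Dissenters are returned so the operator can report the bad site.
    """
    local = sha256_hex(data)
    counts = Counter(mirror_hashes.values())
    consensus, agreeing = counts.most_common(1)[0]
    dissent = sorted(m for m, h in mirror_hashes.items() if h != consensus)
    accepted = agreeing >= quorum and local == consensus
    return accepted, consensus, dissent


if __name__ == "__main__":
    ok, h, bad = verify_against_mirrors(ARCHIVE, MIRROR_HASHES, quorum=2)
    print("accepted" if ok else "REJECTED", h[:16], "dissenting mirrors:", bad)
```

A hash published on the same server the archive came from is only as trustworthy as that server, which is exactly what the incidents above call into question; agreement across mirrors, or better a detached signature from the maintainer's key, is what makes the comparison meaningful. Passing the check still does not replace testing the build outside production.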

  7. Tcpdump Trojan • (Diagram; step labels recovered from the slide) • 1: Admin downloads the Trojan Horse version of the tcpdump and/or libpcap package • 2: The package’s configure script contacts the attacker’s web server and pulls down a “services” script • 3: Download and run • 4: Generate, compile, and execute a C program during the install • 5: That C program is the backdoor on the victim’s system • 6: The backdoor polls on TCP port 1963 for a control character: A, D, or M • 7: If the D character arrives, it runs a shell and shovels it across the network; the attacker types commands that execute on the victim’s machine

  8. Tcpdump Trojan Horse Details • Interesting notes: • A, D, and M for commands… where do those characters come from? • Why TCP port 1963? • Similarity to the sendmail Trojan and others • Shoveling shell: an outbound connection that really carries inbound command-shell access • More easily gets through firewalls, which tend to permit outbound traffic • The sniffer itself won’t show traffic destined for the backdoor (OUCH!)


  10. Reconnaissance • Many script kiddies skip this step • The best attackers do comprehensive reconnaissance • Adrian Lamo claims that Google is his favorite hacking tool • Useful public information is plentiful • Admin names, addresses, phone numbers, financial info, business partners • Job requisitions • Technologies in use, IP addresses, DNS servers, network topology, open ports, etc… • Portals for reconnaissance and attacks • www.allwhois.com - Registration data for over 66 countries • www.samspade.org - Ping, DNS, traceroute, etc. • www.attackportal.net - Misc. recon and attack tools

  11. Reconnaissance Defenses • Look for information leakage from your systems before the bad guys find it • Conduct reconnaissance against your own environment • Use the same tools as the bad guys… but be careful! • If you use their web sites or tools for searches, they could monitor your actions • Probably best not to do this from your production network • Do it from a separate ISP


  13. Why Port Scanning? • TCP and UDP each have ports • Servers listen on ports • They act like doors - data goes out one port and into another port • Attacker wants to know which ports are open • Let’s focus on TCP port scanning • Most common protocol on top of IP… it’s used by HTTP, telnet, FTP, and many other services • TCP uses the three-way handshake • (Diagram: A sends SYN to B; B answers SYN-ACK; A sends ACK; the connection is established)

  14. “Normal” Port Scanning • Attackers send SYN packets, and watch for SYN-ACK responses to indicate a listening port • Downside for attacker: the scan can be traced back to the attacker’s machine using the source IP address • (Diagram: SYNs to TCP ports 1, 2, and 3 on the TARGET; a SYN-ACK comes back from port 3… Eureka! Port 3 is listening!)

  15. What if Attacker Spoofs Source Address? • Not very useful, because SYN-ACK responses don’t come back to the attacker • The attacker can’t figure out if the port is open or closed, so the port scan is a waste of time • (Diagram: SYNs to TCP ports 1, 2, and 3 on the TARGET carry a spoofed source; the SYN-ACK from port 3 goes to the address the attacker is spoofing, which answers it with a RESET)

  16. IP Identification Field Predictability… • (Diagram of the IP header: Version, Header Length, Service Type, Total Length; Identification, Flags, Fragment Offset; TTL, Protocol, Header Checksum; Source IP Address; Destination IP Address; IP Options (if any), Padding; Data…) • The IP Identification field in the IP header is used for packet fragmentation • Used to group all fragments together for packet reassembly • If there are no fragments, the IP stack still assigns some value to this field • When some systems send packets, they just increment the IP ID field by one for each packet • Each packet gets an IP ID value that is one bigger than the previous packet’s value

  17. Predictable IP ID – Idle Scans in Nmap • (Diagram, steps 1–3: the attacker sends a SYN to the “machine that gets framed”; it replies with a SYN-ACK whose IP ID = X; the attacker remembers IP ID = X)

  18. IP Identification Scanning (A.K.A. “Idle” Scanning) • (Diagram, steps 4–8: step 4, the attacker sends a SYN to TCP port 3 on the TARGET, spoofed to look like it came from the machine that gets framed; step 5, if port 3 is listening, the target sends its SYN-ACK to the framed machine; step 6, the framed machine never sent a SYN, so it replies with a RESET carrying IP ID = X+1; step 7, the attacker sends another SYN to the framed machine; step 8, it answers with a SYN-ACK carrying its current IP ID) • ANALYZE STEP 8! • If the IP ID of step 8 is X+2, the port is listening • If the IP ID of step 8 is X+1, the port is closed: a closed port answers the spoofed SYN with a RESET, the framed machine silently drops that RESET, and no IP ID is consumed
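An added simulation of the idle scan in slides 16 to 18 (example code, not from the talk and not Nmap’s implementation, although Nmap’s -sI option performs this scan). It models the three parties and shows why the IP ID read in step 8 lands at X+2 for an open port and X+1 for a closed one, and why a “zombie” that is not actually idle gives an unreadable result. Host names, ports and starting IP ID values are constructed.

```python
# Simulation of an IP-ID ("idle") scan. Three hosts are modelled: the attacker
# (the idle_scan function), the target, and the idle zombie that gets framed,
# whose stack hands out IP IDs by adding one per packet sent.

class ZombieStack:
    """Idle host with a global, increment-by-one IP ID counter."""

    def __init__(self, start_id: int):
        self.ip_id = start_id & 0xFFFF

    def _emit(self) -> int:
        # Every packet this host sends consumes one 16-bit IP ID value.
        self.ip_id = (self.ip_id + 1) & 0xFFFF
        return self.ip_id

    def on_probe(self) -> int:
        # Attacker's SYN: the reply (SYN-ACK or RST, either will do) carries the ID.
        return self._emit()

    def on_unsolicited_synack(self) -> int:
        # A SYN-ACK for a connection it never opened: the stack answers with RST.
        return self._emit()

    def on_rst(self) -> None:
        # An unsolicited RST is dropped silently: no packet, no ID consumed.
        return None


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, port: int) -> str:
        # The reply goes to the (spoofed) source address, i.e. to the zombie.
        return "SYN-ACK" if port in self.open_ports else "RST"


def idle_scan(target: Target, zombie: ZombieStack, port: int,
              background_packets: int = 0) -> str:
    """Steps 1-8 from slides 17 and 18; returns the inferred port state.

    background_packets models traffic the zombie sends to other hosts during
    the scan, which is why a truly idle zombie is needed for a clean reading.
    """
    x = zombie.on_probe()                      # steps 1-3: learn IP ID = X
    reply = target.on_syn(port)                # step 4: SYN spoofed from zombie
    if reply == "SYN-ACK":
        zombie.on_unsolicited_synack()         # steps 5-6: zombie RSTs, uses X+1
    else:
        zombie.on_rst()                        # target's RST: zombie stays quiet
    for _ in range(background_packets):
        zombie._emit()                         # noise: zombie talking to others
    y = zombie.on_probe()                      # steps 7-8: read the new IP ID
    delta = (y - x) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed or filtered"
    return f"inconclusive (IP ID advanced by {delta}; zombie not idle?)"


if __name__ == "__main__":
    tgt = Target(open_ports={3})
    print("port 3:", idle_scan(tgt, ZombieStack(1000), 3))
    print("port 4:", idle_scan(tgt, ZombieStack(1000), 4))
    print("busy zombie:", idle_scan(tgt, ZombieStack(1000), 3, background_packets=5))
```

Two things the simulation makes explicit: a filtered port that drops the spoofed SYN is indistinguishable from a closed one (both leave the zombie silent), and any other traffic the zombie sends in the window between the two probes pushes the delta past 2, which is why Nmap probes the zombie repeatedly to qualify it first. Stacks that randomize the IP ID, or set it to zero on unfragmentable packets, cannot be used as zombies at all.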

  19. Scanning - Paketto Keiretsu • Suite of tools for doing TCP/IP tricks • By Dan Kaminsky • Released October 8, 2002 • Available at http://www.doxpara.com/ • One capability: very rapid port scanning • Separate the packet sender process from the receiver • Sender transmits packets as quickly as the network will carry them • Receiver sniffs responses • Sender and receiver out of synch, but that’s ok • The idea could be extended… • (Diagram: the attacker’s sender process emits SYNs; a separate receiver process sniffs the returning SYN-ACKs)
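The sender and receiver can stay out of synch because Paketto’s scanner (scanrand) keeps no per-probe state: the sender puts a keyed hash of the destination into each SYN’s sequence number, what Kaminsky called an inverse SYN cookie, and the sniffing receiver recomputes that hash from each reply’s source to decide whether the reply is genuine. The following is an added Python sketch of that idea against a simulated target; it is example code, not Paketto’s source, and the key, addresses and ports are constructed.

```python
import hashlib
import hmac
import secrets
import struct


def syn_cookie(key: bytes, dst_ip: str, dst_port: int) -> int:
    """32-bit initial sequence number derived from the probe's destination.

    Nothing about the probe has to be remembered: anyone holding the key can
    recompute the value from the (ip, port) pair later.
    """
    msg = f"{dst_ip}:{dst_port}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def build_syn(key: bytes, dst_ip: str, dst_port: int) -> dict:
    """Sender side: fire and forget, as fast as the link allows."""
    return {"dst": dst_ip, "dport": dst_port, "seq": syn_cookie(key, dst_ip, dst_port)}


def classify_reply(key: bytes, pkt: dict) -> tuple:
    """Receiver side: sniffed TCP reply -> (state, ip, port).

    A genuine SYN-ACK (open port) or RST-ACK (closed port) acknowledges our
    ISN + 1. The receiver recomputes the ISN from the reply's source address
    and port, so a forged reply from someone without the key is rejected
    instead of being reported as an open port.
    """
    expected = (syn_cookie(key, pkt["src"], pkt["sport"]) + 1) & 0xFFFFFFFF
    if pkt["ack"] != expected:
        return ("bogus", pkt["src"], pkt["sport"])
    state = "open" if pkt["flags"] == "SYN-ACK" else "closed"
    return (state, pkt["src"], pkt["sport"])


def simulate_target(open_ports, syn: dict) -> dict:
    """Constructed target stack: SYN-ACK on open ports, RST-ACK otherwise."""
    flags = "SYN-ACK" if syn["dport"] in open_ports else "RST-ACK"
    return {"src": syn["dst"], "sport": syn["dport"], "flags": flags,
            "ack": (syn["seq"] + 1) & 0xFFFFFFFF}


def scan(key: bytes, target_ip: str, ports, open_ports) -> dict:
    """Run sender and receiver against the simulated target; replies arrive
    in a different order than the probes went out, which costs nothing here."""
    replies = [simulate_target(open_ports, build_syn(key, target_ip, p)) for p in ports]
    replies.reverse()
    return {port: state for state, _, port in (classify_reply(key, r) for r in replies)}


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # fresh per scan
    print(scan(key, "192.0.2.10", [22, 80, 443, 8080], open_ports={22, 443}))
```

The same trick is why the receiver also resists a defender who answers every probe with forged SYN-ACKs to poison the results: without the key, a forged acknowledgment number matches with probability 2^-32.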

  20. Port Scanning Defenses • Action item: • Run netstat –na to see what’s listening (on UNIX and Windows) • Alternatively, use Fport on Windows and lsof on UNIX to map listening ports to the processes that own them • For those services you don’t need, close the unused ports • Disable unneeded services • In Windows: check Start → Programs → Administrative Tools → Services • In UNIX: check /etc/rc.d/init.d and /etc/xinetd.d • For incident handling, realize that these scans are possible
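An added example of the action item above, not code from the talk: parse netstat -an output and compare what is listening with a documented baseline. The netstat text below is constructed in the Linux column layout and the baseline is hypothetical; the UDP 1434 socket is the Microsoft SQL Server resolution service that SQL Slammer attacked (the “am I running it?” problem of slide 26). netstat shows ports, not processes, so the result is what you then feed to lsof -i or Fport.

```python
# Constructed netstat -an output (Linux column layout) for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:1434            0.0.0.0:*
"""

# Hypothetical documented baseline for this host: SSH, local-only SMTP, NTP.
BASELINE = {("tcp", 22), ("tcp", 25), ("udp", 123)}


def listening_sockets(netstat_output: str) -> set:
    """Return {(proto, port, bind_address)} for TCP listeners and bound UDP sockets.

    UDP has no LISTEN state; any bound UDP socket will accept datagrams, which
    is exactly how a UDP worm reaches its victim, so every bound UDP socket counts.
    """
    found = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                      # banner and header lines
        proto = fields[0].rstrip("6")
        addr, port = fields[3].rsplit(":", 1)   # rsplit copes with IPv6 colons
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue                      # established/closing sockets are not listeners
        found.add((proto, int(port), addr))
    return found


def unexpected_listeners(netstat_output: str, allowed: set) -> list:
    """Listeners not in the baseline; allowed holds (proto, port) pairs."""
    return sorted(s for s in listening_sockets(netstat_output)
                  if (s[0], s[1]) not in allowed)


if __name__ == "__main__":
    for proto, port, addr in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"unexpected: {proto}/{port} bound to {addr} -> identify the process")
```

Run against real output (for example `netstat -an` piped into the script), the two lines it flags here are an IRC-style TCP listener nobody documented and the SQL Server resolution service that a product may have installed silently.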


  22. Gaining Access – Detailed Code Analysis Tools • Consider recent months – major holes in Apache, Internet Explorer, OpenSSL, OpenSSH, Sendmail, Snort… the list keeps growing! • We’ve seen a recent revolution in detailed vulnerability analysis tools • Used to find buffer overflows, heap overflows, etc. • Think of these tools as X-rays or microscopes to look inside executable code at a fine-grained level • Look for common mistakes that let an attacker take over a system • Step through machine language code, line by line • To learn more about such tools, check out the Honeynet Project Reverse Challenge at: • http://www.honeynet.org/reverse/

  23. Code Analysis Tools - Windows

  24. Code Analysis Tools - UNIX

  25. Code Analysis Tools - Both • People used to say that closed source was more secure because attackers couldn’t analyze it as much • This is less and less true because of tools like these!

  26. SQL Slammer • So, how are they propagating their exploits? • Increasingly, they are using worms • Remember SQL Slammer? • January, 2003: fast-spreading worm on the rampage • Patch SQL Server! • Am I running it? • Very hard to tell • Many products embed it (including the MSDE desktop engine), and Microsoft doesn’t make it easy to detect

  27. SQL Slammer Impact • Took much of South Korea off of the Internet for several hours • Ironically, this limited its spread • By clogging links, the worm couldn’t spread as quickly to the outside world • One Emergency 911 call center was taken off line • Over 13,000 ATMs (money machines) offline in North America • Some airlines cancelled a few flights

  28. SQL Slammer Characteristics • Why did SQL Slammer cause such damage? • People didn’t know they were running the Microsoft SQL service • Fast spread via small size and UDP • Only 376 bytes • Attacked the Microsoft SQL Server resolution service, which listens on UDP port 1434

  29. Worm Efficiencies and TCP vs. UDP • To establish sequence numbers, TCP uses a three-way handshake to initiate a connection • UDP doesn’t… • (Diagram: TCP needs SYN, SYN-ACK, and ACK before the connection exists and data flows; UDP delivers its packet from A in a single transmission)

  30. UDP-based Worms • Analogy: spreading a cold in Grand Central Station • TCP: shake everyone’s hand… • UDP: lob infected ping pong balls • (Diagram: worm spread via TCP, one three-way handshake per victim, versus worm spread via UDP, one packet per victim)

  31. Defenses Against Code Flaws & Worms • Keep your systems patched, with a well-defined process for: • Learning about new patch availability • Acquiring and authenticating patches • Testing patches in a non-production environment • Rolling patches into production • Write secure code! • Education of software developers • Good book for Windows: Writing Secure Code, by Howard and LeBlanc • Good stuff for UNIX: http://www.dwheeler.com/secure-programs/ by D. Wheeler • Automated software checking tools • ITS4: www.cigital.com/its4/download.html • RATS: www.securesoftware.com/rats.php • Flawfinder: www.dwheeler.com/flawfinder/
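A minimal example of what ITS4, RATS and Flawfinder do: lexically match calls to known-dangerous C library functions, rank them, and say what to use instead. This is added example code, not taken from any of those tools; the call table, the advice strings and the sample C file are the example’s own.

```python
import re

# Risky C library calls in the spirit of ITS4/RATS/Flawfinder. The table and
# wording are this example's own, not those tools' rule databases.
RISKY_CALLS = {
    "gets":     ("critical", "no bound on input length; use fgets(buf, sizeof buf, stdin)"),
    "strcpy":   ("high", "unbounded copy; use strlcpy or snprintf with an explicit size"),
    "strcat":   ("high", "unbounded concatenation; use strlcat or snprintf"),
    "sprintf":  ("high", "unbounded formatted write; use snprintf"),
    "vsprintf": ("high", "unbounded formatted write; use vsnprintf"),
    "scanf":    ("high", "%s conversions have no width limit unless one is given"),
    "system":   ("medium", "shell metacharacters in arguments; prefer execve with a fixed argv"),
    "strncpy":  ("low", "leaves no NUL when the source fills the buffer; terminate explicitly"),
}
# \b keeps snprintf/sscanf from matching the sprintf/scanf entries.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RISKY_CALLS)) + r")\s*\(")


def _blank_comments(src: str) -> str:
    """Replace comment text with spaces, preserving newlines so line numbers hold."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", blank, src)


def scan_c_source(src: str) -> list:
    """Return (line, call, severity, advice) for each risky call, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for lineno, line in enumerate(_blank_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            sev, why = RISKY_CALLS[name]
            findings.append((lineno, name, sev, why))
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))


# Constructed sample C source for the example (the leading newline makes the
# first #include line 2, so the comments below state true line numbers).
SAMPLE_C = r"""
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char buf[64];
    /* strcpy(buf, argv[1]);  -- old code, now only in a comment */
    strcpy(buf, argv[1]);                       // line 8: unbounded copy
    gets(buf);                                  // line 9: the classic
    snprintf(buf, sizeof buf, "%s", argv[1]);   // bounded: not flagged
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, call, sev, why in scan_c_source(SAMPLE_C):
        print(f"{lineno}: [{sev}] {call}(): {why}")
```

Like the real tools, this is a lexical check, not a proof: it cannot tell a strcpy whose source was just length-checked from one that was not, and it does not look inside string literals or macros. Its value is the same as theirs, a cheap first pass that hands developers a ranked list to review.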


  33. Trojan Horse Backdoors • (Diagram, three columns) • Application-level: an Evil App runs alongside the good login, good ps, good ifconfig, and good tripwire, on top of an untouched kernel • Traditional RootKit: Trojan login, Trojan ps, and Trojan ifconfig replace the real binaries; tripwire and the kernel stay good • Kernel-level RootKit: every user-level program stays good, but a Trojan kernel module sits inside the kernel itself

  34. Maintaining Access – Trojan Horse Backdoors • New, even stealthier application-level Trojan Horse backdoors • Setiri, written by Roelof Temmingh and Haroon Meer • Code shown August, 2002; no release scheduled • Standard functions • Upload file, execute program, download file • Uses an invisible IE browser window, driving the browser via OLE, to send data to the attacker over HTTPS • If the personal firewall allows the browser to send traffic to the Internet, the backdoor can communicate with the attacker • Also gets through NAT, proxies, and stateful firewalls, because its traffic looks like the browser’s

  35. Setiri Architecture • STEP 1: Attacker somehow installs Setiri on the victim machine • (Diagram: the Victim, behind its Firewall, talks HTTPS to an Anonymizer, which talks HTTPS to the Connection Broker, a web server running the attacker’s CGIs; the Attacker reaches the same Connection Broker over HTTPS through a second Anonymizer)

  36. Kernel Level RootKits • An area that continues to get attackers’ attention is the kernel-level RootKit • By operating in the kernel, the attacker has complete control of the target machine • Hidden processes • Hidden files • Hidden network use (sniffing and port listeners) • Execution redirection • Three ways of implementing • Loadable kernel module • Patch the kernel image on the hard drive • Alter the kernel in memory on the running system! Yikes!!!

  37. Maintaining Access Defenses • Block access to Anonymizer.com • Works for the base Setiri tool and relatives, but the attacker could use another anonymous proxy or connection broker • Still, it’s a pretty reasonable idea • Anti-virus tools • Look for signatures in the near future • Browser vendors (ahem…) possibly looking at limiting actions of invisible browser windows • Additionally, protect your kernel! • St. Michael for Linux, by Tim Lawless, at www.sourceforge.net • Okena and Entercept for Windows and Solaris


  39. Covering Tracks with The Defiler’s Toolkit • Forensics now faces… anti-forensics • The Coroner’s Toolkit is very popular, along with its descendant, TASK (www.atstake.com) • The Defiler’s Toolkit attempts to confuse forensics investigations • Targets the Linux ext2fs file system, but the ideas could be extended to other platforms • By anonymous, released July, 2002 • Available at http://www.phrack.com/show.php?p=59&a=6

  40. Defiler’s Toolkit • Data hiding • The bad blocks inode points to blocks that don’t function properly • The attacker associates good blocks with the bad blocks inode and stores data there • Carve out a segment of your hard drive and label it “bad” • The drive appears smaller, but TCT won’t look in the bad blocks • Data destruction with Necrofile • Ordinary deletion and secure-wipe tools remove just the data, not the metadata (inodes and directory entries) • Necrofile scrubs inodes clean, based on deletion-time criteria • Data destruction with Klismafile • Directory entries still show deleted filenames and sizes • Klismafile searches for these entries and scrubs them

  41. Defending Against The Defiler’s Toolkit • The Coroner’s Toolkit, as cool as it was, is a bit outdated • Turn toward a more recent descendant of TCT, TASK, to get a better look at forensics data • In investigations, don’t forget to look in blocks marked bad! • There could be some very useful data hidden in there


  43. Conclusions • Remember good ol’ Sun Tzu • Attackers keep improving their capabilities and tools • Don’t get discouraged • We must keep up with them • Understand their techniques • Deploy, maintain, and update effective defenses • Consider it an intellectual challenge… with job security • Just remember… it is the Golden Age • By remaining diligent, we can secure our systems!

  44. References – Keeping Up • The web: • www.sans.org • www.securityfocus.com • www.counterhack.net • Test your knowledge while having fun! • Monthly “Crack the Hacker” Challenge • www.counterhack.net • Willie Wonka and the Chocolate Hackery (Feb, 2003) • Hack to the Future (January, 2003) • How the Grinch Hacked Christmas (December, 2002) • Spider-Hack (November, 2002) • Robin Hack, Prince of Thieves (October, 2002) • The Princess Hack (September, 2002) • Crackers, Admins, and Sploits... Oh My! (July, 2002) • HACK WARS, Episode IV, A New Hack (June, 2002) • Backdoor Shell Game Face/Off (May, 2002)
