The New Breed of Hacker Tools & Techniques

Ed Skoudis

VP, Security Strategy

Predictive Systems

ed.skoudis@predictive.com

"Crack the Hacker" Challenge
  • Win a key-chain USB Hard Drive!
  • http://searchwebmanagement.discussions.techtarget.com
  • Look for skoudis
  • Or, Just go to: http://searchwebmanagement.discussions.techtarget.com/WebX?msgInContext@239.9Tybafylj90^4@.ee84438/82!viewtype=threadDate&skip=&expand=

© 2002, Ed Skoudis and Predictive Systems

Key Points
  • General Trends
  • War Driving
  • Polymorphic Buffer Overflow
  • Hidden Backdoors
  • Super Worms
  • Conclusions

General Trends
  • The rise of anti-disclosure
    • Full-disclosure has its problems—tell everyone everything
    • Anti-disclosure has a whole new set of problems
    • Famous Microsoft letter on Information Anarchy
    • Driving some things underground
      • Kiddies don't have everything…
      • …but what is lurking out there?
  • Hacktivism
    • In times of war, attackers can make a political point
  • Attacks targeting end-user systems on high-bandwidth connections (DSL and Cable Modem)
  • A focus on tools getting more stealthy
    • Hiding has tremendous benefits for an attacker

Wireless Attacks
  • Wireless technology is getting much cheaper
  • Base stations for less than $200, with wireless cards under $100
    • IEEE 802.11b standard very popular
    • Employees setting up their own access points so they can roam around the halls
    • Very dangerous!
  • War driving
    • With a laptop and wireless card, an attacker can drive down the street and join many wireless LANs!

Wireless Misconfigurations
  • Many wireless access points (a.k.a. base stations) are configured with no security
  • In some installations, users think SSIDs are passwords
    • They are not!
    • Blank or default SSIDs are common
  • Access points often respond to broadcast requests asking for the SSID
  • SSIDs are sent in clear text and can be sniffed

NetStumbler - Premier Tool for War Driving
  • NetStumbler, by Marius Milner
    • http://www.netstumbler.com
    • Windows-based (95, 98, ME, 2000, XP)
      • And PocketPC (Mini Stumbler)… but not NT

Other Tools For War Driving
  • Wi-scan (Perl script)
    • http://www.dis.org/wl/
    • Ties in geography (using GPS) with SSID
  • Airsnort
    • http://airsnort.sourceforge.net/
    • Cracks WEP keys
    • Runs on Linux, requires Prism2 chipset (Linksys), and needs ~500 Meg of data
  • Airopeek
    • www.wildpackets.com/products/airopeek
    • Commercial

War Driving Defenses
  • Set SSID to difficult-to-guess value
    • Can still be broadcast, sniffed, or brute forced
    • Not at all effective!!
  • MAC address filtering at access point
    • Wireless card MAC addresses can be spoofed
      • Dsniff supports this
  • Set WEP keys, and rotate them periodically
    • Remember, WEP can be cracked
  • Best Defense - Use Virtual Private Network
    • All data from end system through wireless device to VPN gateway encrypted and authenticated
  • Establish policy for these items
    • Check out www.counterhack.net for examples

What is a Buffer Overflow?
  • Seminal paper on this technique by Aleph One titled “Smashing the Stack for Fun and Profit”
  • Allows an attacker to execute arbitrary commands on your machine
  • Take over system or escalate privileges
    • Get root or admin privileges
  • Based on putting too much information into undersized receptacles
    • Caused by not having proper bounds checking in software

A Normal Stack
  • Programs call their subroutines, allocating memory space for function variables on the stack
  • The stack is like a scratchpad for storing little items to remember
  • The stack is LIFO
  • The return pointer (RP) holds the address in the calling function to which execution returns when the function call is done

[Figure: Normal Stack. From the bottom of memory to the top: Buffer 2 (Local Variable 2), Buffer 1 (Local Variable 1), Return Pointer, Function Call Arguments. The fill direction runs from the bottom of memory toward the top, i.e. toward the return pointer.]

Smashing The Stack
  • User data is written into the allocated buffer by the function
  • If the data size is not checked, return pointer can be overwritten by user data
  • Attacker places exploit machine code in the buffer and overwrites the return pointer
  • When function returns, attacker’s code is executed

[Figure: Smashed Stack. Same layout as the normal stack, but the Buffer 1 space is overwritten with machine code (execve(/bin/sh)) and the Return Pointer is overwritten with a new pointer to that exec code; Function Call Arguments sit above it toward the top of memory.]
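The defect the slide describes, beside its bounds-checked form, as an added C example that is not part of the deck: `copy_unchecked` copies user data into a fixed stack buffer with `strcpy` and no length check (the overflow pattern; it is shown but never called with oversize input), while `copy_checked` rejects input that would not fit. The buffer size and the constructed inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* The pattern from the slide: user data lands in a fixed-size stack buffer with
 * no bounds check. Input longer than BUF_SIZE writes past the buffer and over the
 * saved return pointer (undefined behaviour). Kept only to show the defect. */
void copy_unchecked(const char *user_data)
{
    char buf[BUF_SIZE];
    strcpy(buf, user_data);          /* no bounds check: this is the bug */
    printf("unchecked copy: %s\n", buf);
}

/* Hardened form: the destination size is checked before anything is copied and
 * oversize input is refused rather than silently truncated.
 * Returns 0 on success, -1 if the input (plus its NUL) would not fit. */
int copy_checked(char *dst, size_t dst_size, const char *user_data)
{
    size_t len = strlen(user_data);
    if (dst_size == 0 || len >= dst_size)
        return -1;                   /* would overflow: refuse */
    memcpy(dst, user_data, len + 1);
    return 0;
}

/* Exercise the checked copy with constructed inputs: a short string that fits
 * and a 63-byte run of 'A' (the kind of oversized input an overflow needs) that
 * must be rejected. Returns 1 when both behave as expected. */
int demo(void)
{
    char buf[BUF_SIZE];
    char long_input[64];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    int ok = copy_checked(buf, sizeof buf, "hello") == 0
          && strcmp(buf, "hello") == 0
          && copy_checked(buf, sizeof buf, long_input) == -1;
    printf("checked copy: %s\n", ok ? "ok" : "unexpected");
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```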

Improving the Odds that the Return Pointer Will be OK
  • Include NOPs in advance of the executable code
    • Then, if your pointer goes to the NOPs, nothing will happen
    • Execution will continue down the stack until it gets to your exploit
    • NOPs can be used to detect these exploits on the network
    • Many ways to do a NOP

[Figure: Smashed Stack with a NOP sled. A run of NOPs precedes the machine code (execve(/bin/sh)) in the overwritten Buffer 1 space; the overwritten Return Pointer is a new pointer into the NOPs ahead of the exec code, with the Function Call Arguments above toward the top of memory.]

Polymorphic Buffer Overflow
  • In April, 2001, ADMutate released by K2
    • http://www.ktwo.ca/security.html
  • ADMutate designed to defeat IDS signature checking by altering the appearance of buffer overflow exploit
    • Using techniques borrowed from virus writers
  • Works on Intel, Sparc, and HPPA processors
  • Targets Linux, Solaris, IRIX, HPUX, OpenBSD, UnixWare, OpenServer, TRU64, NetBSD, and FreeBSD

How ADMutate Works
  • We want functionally equivalent code, but with a different appearance
    • "How are you?" vs. "How ya doin'?" vs. "What's up?"
  • Exploit consists of 3 elements
    • NOPs
    • Exec a shell code
    • Return address

[Figure: exploit layout: a run of NOPs, then Machine Code: execve(/bin/sh), then the Pointer to the exec stack code.]
Mutation Engine
  • ADMutate alters each of these elements
    • NOP substitution with operationally inert commands
    • Shell code encoded by XORing with a randomly generated key
    • Return address modulated – least significant byte altered to jump into different parts of NOPs

[Figure: mutated exploit layout: NOP substitute, Another NOP, Yet another NOP, A different NOP, Here's a NOP; then XOR'ed Machine Code: execve(/bin/sh); then a Modulated Pointer to the NOP Substitutes.]
What About Decoding?
  • That’s nice, but how do you decode the XOR'ed shell code?
    • You can't just run it, because it is gibberish until it's decoded
    • So, add some commands that will decode it
    • Can’t the decoder be detected by IDS?
  • The decoder is created using random elements
    • Several different components of decoder (e.g., 1,2,3,4,5,6,7)
    • Various decoder components can be interchanged (e.g., 2-3 or 3-2)
    • Each component can be made up of different machine language commands
  • The decoder itself is polymorphic

[Figure: same layout as before, with a Polymorphic XOR Decoder inserted between the NOP substitutes and the XOR'ed Machine Code: execve(/bin/sh), followed by the Modulated Pointer to the NOP Substitutes.]
ADMutate – Customizability!
  • New version allows attacker to apply different weights to generated ASCII equivalents of machine language code
    • Allows attacker to tweak the statistical distribution of resulting characters
    • Makes traffic look more like “standard” for a given protocol, from a statistical perspective
    • Example: more heavily weight characters "<" and ">" in HTTP
    • Narrows the universe of equivalent polymorphs, but still very powerful!

ADMutate Defenses
  • Defend against buffer overflows
    • Apply patches – defined process
    • Non-executable system stacks
      • Solaris – OS Setting
      • Linux – www.openwall.com
      • NT/2000 – SecureStack from www.securewave.com
    • Code Review – educate developers
  • Detection: IDS vendors at work on this capability now
    • Snort release in Feb 2002
      • Looks for variations of NOP sled
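Why a plain 0x90 signature misses a substituted sled, and what "looks for variations of NOP sled" has to do instead, as an added C example (not Snort's code and not part of the deck): the filler table (0x90 plus the single-byte inc/dec opcodes 0x40-0x4f), the run threshold and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed, illustrative table of single-byte x86 opcodes a sled can use in
 * place of 0x90: 0x40-0x4f are inc/dec on general registers, harmless filler
 * ahead of a payload. Real detectors carry a larger, architecture-specific table. */
static int is_sled_filler(unsigned char b)
{
    return b == 0x90 || (b >= 0x40 && b <= 0x4f);
}
/* Signature-style check: fires only on min_run or more consecutive 0x90 bytes,
 * which is exactly what NOP substitution evades. */
int has_plain_nop_sled(const unsigned char *buf, size_t n, size_t min_run)
{
    size_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run >= min_run) return 1;
    }
    return 0;
}
/* Longest run of bytes that are any sled filler, 0x90 or a substitute. */
size_t longest_sled_run(const unsigned char *buf, size_t n)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = is_sled_filler(buf[i]) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}
/* Alert on a run of NOP-equivalents of at least min_run bytes. Caveat: the
 * uppercase letters A-O are 0x41-0x4f, so a text field like "AAAAAAAA" trips
 * this too; tune min_run and pair it with protocol context. */
int sled_alert(const unsigned char *buf, size_t n, size_t min_run)
{
    return longest_sled_run(buf, n) >= min_run;
}
/* Constructed samples (no real shellcode): eight 0x90s, the same sled with
 * substituted filler (only two real 0x90s left), and an ordinary request line. */
const unsigned char plain_sled[]   = {0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,'x','y','z'};
const unsigned char mutated_sled[] = {0x41,0x90,0x4b,0x42,0x48,0x90,0x4f,0x43,'x','y','z'};
const unsigned char benign_text[]  = "GET /index.html HTTP/1.0\r\n";
int main(void)
{
    printf("plain:   signature=%d run=%zu\n",
           has_plain_nop_sled(plain_sled, sizeof plain_sled, 6), longest_sled_run(plain_sled, sizeof plain_sled));
    printf("mutated: signature=%d run=%zu\n",
           has_plain_nop_sled(mutated_sled, sizeof mutated_sled, 6), longest_sled_run(mutated_sled, sizeof mutated_sled));
    printf("benign:  alert=%d (longest run %zu)\n",
           sled_alert(benign_text, sizeof benign_text - 1, 6), longest_sled_run(benign_text, sizeof benign_text - 1));
    return 0;
}
```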

Hidden Backdoors

[Figure: a backdoor on the compromised system listens on port ABC, reachable from the network.]
  • Attacker takes over your system and installs a backdoor to ensure future access
    • Backdoor listens, giving shell access
  • How do you find a backdoor listener?
  • Sometimes, they are discovered by noticing a listening port
    • Nmap port scan across the network
    • Running "netstat -na" locally
    • Running lsof (UNIX) or Inzider (Windows)

Sniffing Backdoors
  • Who says a backdoor has to wait listening on a port?
  • Attackers don't want to get caught
    • They are increasingly using stealthy backdoors
  • A sniffer can gather the traffic, rather than listening on an open port
    • Non-promiscuous sniffing backdoors
      • Grab traffic just for one host
    • Promiscuous sniffing backdoors
      • Grab all traffic on the LAN

Non-Promiscuous Backdoor – Cd00r
  • Written by FX
    • http://www.phenoelit.de/stuff/cd00r.c
  • Includes a non-promiscuous sniffer
    • Gathers only packets destined for the single target machine
  • Several packets directed to specific ports (where there is no listener) will trigger the backdoor
    • Sniffer grabs packets, not a listener on the ports
  • Backdoor root shell starts to listen on TCP port 5002 only when packets arrive to the trigger ports

Non-Promiscuous Backdoor – Cd00r in Action

[Figure: the client sends SYN to port X, SYN to port Y, then SYN to port Z. On the server, the sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z; after Z is received it activates a temporary listener on port 5002, and the client then connects to the root shell on port 5002.]

  • The idea has been extended to eliminate even port 5002
    • Netcat can push back a command shell from server, so no listener ever required
    • Connection goes from server back to client

Promiscuous Backdoor
  • Can be used to help throw off an investigation
  • Attacker sends data for destination on same network
  • But the backdoor isn't located at the destination of the backdoor traffic
    • Huh? How does that work?

Promiscuous Backdoor in Action

[Figure: Internet, Firewall, then a LAN with a WWW server and a DNS server. The sniffer on the DNS server listens for traffic destined for the WWW server.]

  • Backdoor is located on DNS server
  • All packets sent to WWW server
  • DNS server backdoor sniffs promiscuously
    • In switched environment, attacker may use ARP cache poisoning
  • Confusing for investigators

Sniffing Backdoor Defenses
  • Prevent attacker from getting on system in the first place (of course)
  • Know which processes are supposed to be running on the system
    • Especially if they have root privileges!
    • Not easy, but very important
    • Beware of stealthy names (like "UPS" or "SCSI")
  • Look for anomalous traffic
  • Look for sniffers
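One concrete form of "look for anomalous traffic" for the sniffing backdoors above, as an added C example that is not part of the deck: a cd00r-style trigger is a few SYNs to ports with no listener, which the host never answers, so a capture reviewer can count, per source, the distinct closed ports it tried to open. The packet record layout, the listening-port inventory (assumed to come from "netstat -na"), the threshold and the sample capture are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* One captured TCP packet reduced to the fields this check needs (constructed). */
struct pkt {
    const char *src;       /* source address as text */
    unsigned short dport;  /* destination port on the monitored host */
    int syn_only;          /* 1 when SYN is set and ACK clear: a new connection attempt */
};
/* Ports that legitimately have a listener on this host (assumed inventory). */
static const unsigned short listening[] = {22, 80, 443};
static int is_listening(unsigned short port)
{
    for (size_t i = 0; i < sizeof listening / sizeof listening[0]; i++)
        if (listening[i] == port) return 1;
    return 0;
}
/* Number of distinct closed ports that src sent connection attempts to. */
#define MAX_TRACKED 64
int closed_port_hits(const struct pkt *pkts, size_t n, const char *src)
{
    unsigned short seen[MAX_TRACKED];
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(pkts[i].src, src) != 0 || !pkts[i].syn_only || is_listening(pkts[i].dport))
            continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (seen[j] == pkts[i].dport) dup = 1;
        if (!dup && count < MAX_TRACKED) seen[count++] = pkts[i].dport;
    }
    return count;
}
/* Flag a source once it has probed at least threshold distinct closed ports.
 * A port scan trips this too; either way the source deserves a look. */
int anomalous_source(const struct pkt *pkts, size_t n, const char *src, int threshold)
{
    return closed_port_hits(pkts, n, src) >= threshold;
}
/* Constructed capture: a normal web client, and a source sending SYNs to three
 * closed ports (one of them twice) plus one legitimate request to port 80. */
const struct pkt capture[] = {
    {"10.0.0.5", 80, 1}, {"10.0.0.5", 443, 1},
    {"192.0.2.9", 6001, 1}, {"192.0.2.9", 6002, 1}, {"192.0.2.9", 6003, 1},
    {"192.0.2.9", 80, 1}, {"192.0.2.9", 6001, 1},
};
const size_t capture_len = sizeof capture / sizeof capture[0];
int main(void)
{
    printf("10.0.0.5:  %d closed-port hits\n", closed_port_hits(capture, capture_len, "10.0.0.5"));
    printf("192.0.2.9: %d closed-port hits, anomalous=%d\n",
           closed_port_hits(capture, capture_len, "192.0.2.9"),
           anomalous_source(capture, capture_len, "192.0.2.9", 3));
    return 0;
}
```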

Here Come the Worms!
  • Compromising systems one-by-one can be such a chore
  • Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses
  • Worms automate the process
    • Take over systems
    • Scan for new vulnerable systems
    • Self-replicate by moving across the network to another vulnerable system
    • Each instance of a worm is a “segment”

2001: Year of the Worm?
  • In 2001, we saw:
    • Ramen
    • L10n
    • Cheese
    • Sadmind/IIS
    • Code Red and Code Red II
    • Nimda
  • To date, worms haven’t been nearly as nasty as they could be
  • Most damage is a result of worm resource consumption
  • New generations of worms arrive every 2 to 6 months

Coming Soon - Super Worms
  • 2002 could be even wormier
  • Be on the lookout for very nasty new worms
    • Multi-functional
      • Spread, steal, erase, etc.
    • Multi-platform
      • Win, Linux, Solaris, BSD, AIX, HP-UX…
    • Multi-exploit
      • Many buffer overflows, etc.
    • Zero-Day exploits
      • Just discovered; no patch available
    • Polymorphic
    • Metamorphic
  • We’ve seen many of these pieces, but no one has rolled them all together… yet!

Worm Defenses
  • Buffer overflow defenses help a lot here
  • Rapidly deploy patches
  • Anti-virus solutions
    • At the desktop…
    • …AND at the mail server
    • …AND at the file server
  • Incident response capabilities, linked with network management

Conclusions
  • The attack tools continue to get better
  • Attackers are getting stealthier every day
  • But don't fret… we can work diligently to keep up
  • There's no such thing as 100% security
  • Still, by preparing, we can get ready for the bigguns'

References – Keeping Up
  • The web:
    • www.securityfocus.com
    • www.searchsecurity.com
    • www.counterhack.net
  • Books:
    • Hack Counter Hack CD-ROM, Skoudis, 2002
    • Counter Hack, Skoudis, 2001
    • Hacker's Challenge, Schiffman, 2001
    • Hacking Exposed, Kurtz et al., 2001
