the new breed of hacker tools techniques l.
Skip this Video
Loading SlideShow in 5 Seconds..
The New Breed of Hacker Tools & Techniques PowerPoint Presentation
Download Presentation
The New Breed of Hacker Tools & Techniques

Loading in 2 Seconds...

  share
play fullscreen
1 / 38
Download Presentation

The New Breed of Hacker Tools & Techniques - PowerPoint PPT Presentation

emily
372 Views
Download Presentation

The New Breed of Hacker Tools & Techniques

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. The New Breed of Hacker Tools & Techniques Ed Skoudis VP, Security Strategy Predictive Systems ed.skoudis@predictive.com

  2. "Crack the Hacker" Challenge • Win a key-chain USB Hard Drive! • http://searchwebmanagement.discussions.techtarget.com • Look for skoudis • Or, Just go to: http://searchwebmanagement.discussions.techtarget.com/WebX?msgInContext@239.9Tybafylj90^4@.ee84438/82!viewtype=threadDate&skip=&expand= © 2002, Ed Skoudis and Predictive Systems

  3. Key Points • General Trends • War Driving • Polymorphic Buffer Overflow • Hidden Backdoors • Super Worms • Conclusions © 2002, Ed Skoudis and Predictive Systems

  4. General Trends • The rise of anti-disclosure • Full-disclosure has its problems—tell everyone everything • Anti-disclosure has a whole new set of problems • Famous Microsoft letter on Information Anarchy • Driving some things under ground • Kiddies don't have everything… • …but what is lurking out there? • Hacktivism • In times of war, attackers can make a political point • Attacks targeting end-user systems on high-bandwidth connections (DSL and Cable Modem) • A focus on tools getting more stealthy • Hiding has tremendous benefits for an attacker © 2002, Ed Skoudis and Predictive Systems

  5. Key Points • General Trends • War Driving • Polymorphic Buffer Overflow • Hidden Backdoors • Super Worms • Conclusions © 2002, Ed Skoudis and Predictive Systems

  6. Wireless Attacks • Wireless technology is getting much cheaper • Base stations for less than $200, with wireless cards under $100 • IEEE 802.11b standard very popular • Employees setting up their own access points so they can roam around the halls • Very dangerous! • War driving • With a laptop and wireless card, an attacker can drive down the street and join many wireless LANs! © 2002, Ed Skoudis and Predictive Systems

  7. Wireless Misconfigurations • Many wireless access points (a.k.a. base stations) are configured with no security • In some installations, users think SSIDs are passwords • They are not! • Blank or default SSIDs are common • Access points often respond to broadcast requests asking for the SSID • SSIDs are sent in clear text and can be sniffed © 2002, Ed Skoudis and Predictive Systems

  8. NetStumbler - Premier Tool for War Driving • NetStumbler, by Marius Milner • http://www.netstumbler.com • Windows-based (95, 98, ME, 2000, XP) • And PocketPC (Mini Stumbler)… but not NT © 2002, Ed Skoudis and Predictive Systems

  9. Other Tools For War Driving • Wi-scan (Perl script) • http://www.dis.org/wl/ • Ties in geography (using GPS) with SSID • Airsnort • http://airsnort.sourceforge.net/ • Cracks WEP keys • Runs on Linux, requires Prism2 chipset (Linksys), and needs ~500 Meg of data • Airopeek • www.wildpackets.com/products/airopeek • Commercial © 2002, Ed Skoudis and Predictive Systems

  10. War Driving Defenses • Set SSID to difficult-to-guess value • Can still be broadcasted, sniffed, or brute forced • Not at all effective!! • MAC address filtering at access point • Wireless card MAC addresses can be spoofed • Dsniff supports this • Set WEP keys, and rotate them periodically • Remember, WEP can be cracked • Best Defense - Use Virtual Private Network • All data from end system through wireless device to VPN gateway encrypted and authenticated • Establish policy for these items • Check out www.counterhack.net for examples © 2002, Ed Skoudis and Predictive Systems

  11. Key Points • General Trends • War Driving • Polymorphic Buffer Overflow • Hidden Backdoors • Super Worms • Conclusions © 2002, Ed Skoudis and Predictive Systems

  12. What is a Buffer Overflow? • Seminal paper on this technique by Aleph One titled “Smashing the Stack for Fun and Profit” • Allows an attacker to execute arbitrary commands on your machine • Take over system or escalate privileges • Get root or admin privileges • Based on putting too much information into undersized receptacles • Caused by not having proper bounds checking in software © 2002, Ed Skoudis and Predictive Systems

  13. A Normal Stack Bottom of Memory . . . • Programs call their subroutines, allocating memory space for function variables on the stack • The stack is like a scratchpad for storing little items to remember • The stack is LIFO • The return pointer (RP) contains the address of the original function, so execution can return there when function call is done Fill Direction Buffer 2 (Local Variable 2) Buffer 1 (Local Variable 1) Return Pointer Function Call Arguments . . . Top of Memory Normal Stack © 2002, Ed Skoudis and Predictive Systems

  14. Smashing The Stack Bottom of Memory • User data is written into the allocated buffer by the function • If the data size is not checked, return pointer can be overwritten by user data • Attacker places exploit machine code in the buffer and overwrites the return pointer • When function returns, attacker’s code is executed . . . Fill Direction Buffer 2 (Local Variable 2) Machine Code: execve(/bin/sh) Buffer 1 Space is overwritten Return Pointer is overwritten New Pointer to exec code Function Call Arguments . . . Top of Memory Smashed Stack © 2002, Ed Skoudis and Predictive Systems

  15. Improving the Odds that the Return Pointer Will be OK • Include NOPs in advance of the executable code • Then, if your pointer goes to the NOPs, nothing will happen • Execution will continue down the stack until it gets to your exploit • NOPs can be used to detect these exploits on the network • Many ways to do a NOP NOP NOP NOP NOP NOP Machine Code: execve(/bin/sh) Buffer 1 Space is overwritten Return Pointer is overwritten New Pointer to exec code Function Call Arguments . . . Top of Memory Smashed Stack © 2002, Ed Skoudis and Predictive Systems

  16. Polymorphic Buffer Overflow • In April, 2001, ADMutate released by K2 • http://www.ktwo.ca/security.html • ADMutate designed to defeat IDS signature checking by altering the appearance of buffer overflow exploit • Using techniques borrowed from virus writers • Works on Intel, Sparc, and HPPA processors • Targets Linux, Solaris, IRIX, HPUX, OpenBSD, UnixWare, OpenServer, TRU64, NetBSD, and FreeBSD © 2002, Ed Skoudis and Predictive Systems

  17. How ADMutate Works • We want functionally equivalent code, but with a different appearance • "How are you?" vs. "How ya doin'?" vs. "What's up?" • Exploit consists of 3 elements • NOPs • Exec a shell code • Return address NOP NOP NOP NOP NOP Machine Code: execve(/bin/sh) Pointer to exec stack code © 2002, Ed Skoudis and Predictive Systems

  18. Mutation Engine • ADMutate alters each of these elements • NOP substitution with operationally inert commands • Shell code encoded by XORing with a randomly generated key • Return address modulated – least significant byte altered to jump into different parts of NOPs NOP substitute Another NOP Yet another NOP A different NOP Here's a NOP XOR'ed Machine Code: execve(/bin/sh) Modulated Pointer to NOP Substitutes © 2002, Ed Skoudis and Predictive Systems

  19. What About Decoding? • That’s nice, but how do you decode the XOR'ed shell code? • You can't just run it, because it is gibberish until it's decoded • So, add some commands that will decode it • Can’t the decoder be detected by IDS? • The decoder is created using random elements • Several different components of decoder (e.g., 1,2,3,4,5,6,7) • Various decoder components can be interchanged (e.g., 2-3 or 3-2) • Each component can be made up of different machine language commands • The decoder itself is polymorphic NOP substitute Another NOP Yet another NOP A different NOP Here's a NOP Polymorphic XOR Decoder XOR'ed Machine Code: execve(/bin/sh) Modulated Pointer to NOP Substitutes © 2002, Ed Skoudis and Predictive Systems

  20. ADMutate – Customizability! • New version allows attacker to apply different weights to generated ASCII equivalents of machine language code • Allows attacker to tweak the statistical distribution of resulting characters • Makes traffic look more like “standard” for a given protocol, from a statistical perspective • Example: more heavily weight characters "<" and ">" in HTTP • Narrows the universe of equivalent polymorphs, but still very powerful! © 2002, Ed Skoudis and Predictive Systems

  21. ADMutate Defenses • Defend against buffer overflows • Apply patches – defined process • Non-executable system stacks • Solaris – OS Setting • Linux – www.openwall.com • NT/2000 – SecureStack from www.securewave.com • Code Review – educate developers • Detection: IDS vendors at work on this capability now • Snort release in Feb 2002 • Looks for variations of NOP sled © 2002, Ed Skoudis and Predictive Systems

  22. Key Points • General Trends • War Driving • Polymorphic Buffer Overflow • Hidden Backdoors • Super Worms • Conclusions © 2002, Ed Skoudis and Predictive Systems

  23. Hidden Backdoors Backdoor listens on port ABC • Attacker takes over your system and installs a backdoor to ensure future access • Backdoor listens, giving shell access • How do you find a backdoor listener? • Sometimes, they are discovered by noticing a listening port • Nmap port scan across the network • Running "netstat –na" locally • Running lsof (UNIX) or Inzider (Windows) Network © 2002, Ed Skoudis and Predictive Systems

  24. Sniffing Backdoors • Who says a backdoor has to wait listening on a port? • Attackers don't want to get caught • They are increasingly using stealthy backdoors • A sniffer can gather the traffic, rather than listening on an open port • Non-promiscuous sniffing backdoors • Grab traffic just for one host • Promiscuous sniffing backdoors • Grab all traffic on the LAN © 2002, Ed Skoudis and Predictive Systems

  25. Non-Promiscuous Backdoor – Cd00r • Written by FX • http://www.phenoelit.de/stuff/cd00r.c • Includes a non-promiscuous sniffer • Gathers only packets destined for the single target machine • Several packets directed to specific ports (where there is no listener) will trigger the backdoor • Sniffer grabs packets, not a listener on the ports • Backdoor root shell starts to listen on TCP port 5002 only when packets arrive to the trigger ports © 2002, Ed Skoudis and Predictive Systems

  26. Non-Promiscuous Backdoor – Cd00r in Action Sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z • The idea has been extended to eliminate even port 5002 • Netcat can push back a command shell from server, so no listener ever required • Connection goes from server back to client Server SYN to port X SYN to port Y SYN to port Z After Z is received, activate temporary listener on port 5002 Connection to root shell on port 5002 © 2002, Ed Skoudis and Predictive Systems

  27. Promiscuous Backdoor • Can be used to help throw off an investigation • Attacker sends data for destination on same network • But the backdoor isn't located at the destination of the backdoor traffic • Huh? How does that work? © 2002, Ed Skoudis and Predictive Systems

  28. Promiscuous Backdoor in Action Firewall WWW DNS Sniffer listens for traffic destined for WWW server • Backdoor is located on DNS server • All packets sent to WWW server • DNS server backdoor sniffs promiscuously • In switched environment, attacker may use ARP cache poisoning • Confusing for investigators Internet © 2002, Ed Skoudis and Predictive Systems

  29. Sniffing Backdoor Defenses • Prevent attacker from getting on system in the first place (of course) • Know which processes are supposed to be running on the system • Especially if they have root privileges! • Not easy, but very important • Beware of stealthy names (like "UPS" or "SCSI") • Look for anomalous traffic • Look for sniffers © 2002, Ed Skoudis and Predictive Systems

  30. Key Points • General Trends • War Driving • Polymorphic Buffer Overflow • Hidden Backdoors • Super Worms • Conclusions © 2002, Ed Skoudis and Predictive Systems

  31. Here Come the Worms! • Compromising systems one-by-one can be such a chore • Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses • Worms automate the process • Take over systems • Scan for new vulnerable systems • Self-replicate by moving across the network to another vulnerable system • Each instance of a worm is a “segment” © 2002, Ed Skoudis and Predictive Systems

  32. 2001: Year of the Worm? • In 2001, we saw: • Ramen • L10n • Cheese • Sadmind/IIS • Code Red and Code Red II • Nimda • To date, worms haven’t been nearly as nasty as they could be • Most damage is a result of worm resource consumption • New generations of worms arrive every 2 to 6 months © 2002, Ed Skoudis and Predictive Systems

  33. Coming Soon - Super Worms • 2002 could be even wormier • Be on the lookout for very nasty new worms • Multi-functional • Spread, steal, erase, etc. • Multi-platform • Win, Linux, Solaris, BSD, AIX, HP-UX… • Multi-exploit • Many buffer overflows, etc. • Zero-Day exploits • Just discovered; no patch available • Polymorphic • Metamorphic • We’ve seen many of these pieces, but no one has rolled them all together… yet! © 2002, Ed Skoudis and Predictive Systems

  34. Worm Defenses • Buffer overflow defenses help a lot here • Rapidly deploy patches • Anti-virus solutions • At the desktop… • …AND at the mail server • …AND at the file server • Incident response capabilities, linked with network management © 2002, Ed Skoudis and Predictive Systems

  35. Key Points • General Trends • War Driving • Polymorphic Buffer Overflow • Hidden Backdoors • Super Worms • Conclusions © 2002, Ed Skoudis and Predictive Systems

  36. Conclusions • The attack tools continue to get better • Attackers are getting stealthier every day • But don't fret… we can work diligently to keep up • There's no such thing as 100% security • Still, by preparing, we can get ready for the bigguns' © 2002, Ed Skoudis and Predictive Systems

  37. References – Keeping Up • The web: • www.securityfocus.com • www.searchsecurity.com • www.counterhack.net • Books: • Hack Counter Hack CD-ROM, Skoudis, 2002 • Counter Hack, Skoudis, 2001 • Hacker's Challenge, Schiffman, 2001 • Hacking Exposed, Kurtz, et al, 2001 © 2002, Ed Skoudis and Predictive Systems

  38. "Crack the Hacker" Challenge • Win a key-chain USB Hard Drive! • http://searchwebmanagement.discussions.techtarget.com • Look for skoudis • Or, Just go to: http://searchwebmanagement.discussions.techtarget.com/WebX?msgInContext@239.9Tybafylj90^4@.ee84438/82!viewtype=threadDate&skip=&expand= © 2002, Ed Skoudis and Predictive Systems