1 / 62

Network Security

Network Security. CPSC6128 – Lecture 4 Post Exploitation. 1. Recon – Information gathering Scanning – Enumeration Vulnerability Identification Exploit Gaining access Elevating given access Application/Web level attacks Denial of Service (DOS). Network Attack Methodology.

norton
Download Presentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security CPSC6128 – Lecture 4 Post Exploitation 1

  2. Recon – Information gathering Scanning – Enumeration Vulnerability Identification Exploit Gaining access Elevating given access Application/Web level attacks Denial of Service (DOS) Network Attack Methodology • Post Exploitation • Persistence - Maintaining Access • Removing Forensic Evidence • Exfiltration TODAY’S LECTURE 12

  3. Persistence, Trojans, Backdoors

  4. Persistence – Maintaining Access • Real attackers attempt to be on the compromised system for a long time • The longer the attacker has access, the more damage can be done • Some exploits only work one time

  5. Startup Service • Linux • xinetd, initd • Windows • registry startup key, windows service • OS X • cronor plist file for Launchd

  6. Trojans • Non self replicating “back door” program which runs hidden on the infected computer • Can be installed using one of the following methods • Non-trusted software download • Email Attachments • Application level exploits • Executable content on websites (Flash or ActiveX) • Trojan can be used to maintain control of the system, access password, keylog, etc.

  7. Viruses, Worms • Virus • typically attaches itself to another program to enable replication • much like a human virus. • Worm • similar to a virus but by design is self replicating • can replicate through a network without the assistance of a human. • Blended Threat • combines aspect of Trojans viruses and worms • CodeRedwas a example of a blended threat which at the same time • launched DDOS attacks • left behind trojans, and • was self replicating

  8. Trojans – What is the Objective • Typically motivated by financial gain • they look for credit card, account data, confidential documents, financial data, etc. • Make victims computer become a remote proxy • allow for the attacker to mask their tracks for additional attacks • Make the infected computer part of a BOTnet • plant the ability to launch DDOS type attacks

  9. TCP/UDP Port Typically Used by Trojans

  10. Determining which ports are listening • Windows – Start->Run->CMD • netstat –an • netstat –an |findstr <port number>

  11. Proxy Server Trojans • Starts a hidden http proxy on the victims computer • Uses the victim’s computer • as a transit point to attack yet another victim • Hides the location of the attacker

  12. NetBus Trojan • Remote control Trojan program • Allows anyone running the client (control program) • to control any machine infected with NetBus Trojan

  13. Netcat • Written by “Hobbit” • Released in March 1996 • Currently hosted at: http://netcat.sourceforge.net/ • Blindly reads and writes data to and from network connections • Often called the “Swiss Army Knife” of network tools • Runs on almost all platforms • Linux, Windows, OS X, SunOS, Solaris, etc. • Working Mode • Client mode • Listen mode

  14. Initiates a network connection from the local system to a specified remote network port StdInput is sent to the remote network port using “pipes” Works much like standard “cat” command Returned data is sent to StdOutput Messages from Netcat itself are sent to StdError Netcat Client Mode

  15. Netcat Listen Mode • It waits for a connection from the network • “-l” option puts Netcat in listen mode • Basically take it as a network server • Data received from the network is sent to StdOutput • Data received fromStdInput is sent to the network • Messages from Netcat itself are sent to StdError

  16. Important Netcat Switches • -l • Places Netcat in listen mode • -p • Specifics the source or local port that Netcat should use • -s • Source ip address • -h • Prints help • -e • Program to execute after connecting • -u • Use UDP instead of TCP • -L • Persistent listener in Windows • Keeps listening even after nc disconnects • Make use of standard IO redirection • Use “nc ( >, < or |)” • home-macpro:~ kobrien$ nc -h • [v1.10] • connect to somewhere: nc [-options] hostname port[s] [ports] ... • listen for inbound: nc -l -p port [-options] [hostname] [port]

  17. Netcat Uses • Data Transfer • Backdoors • Replay Attacks • Vulnerability Scanning • Port Scanning • Relays *** Be sure to check out “Counter Hack Reloaded” by Ed Skoudis. Has a very thorough explanation of nc.

  18. Example: Netcat Data Transfer • Send a file between two machines • Send a file from the nc listener to the nc client • Listener: nc –l –p [port] < [filename] • Client: nc [listener ip] [port] > [filename] • Send a file from the nc client to the nc listener • Listener: nc –l –p [port] > [filename] • Client: nc [listener IP] [port] < [filename]

  19. Example: Netcat Data Transferfrom Listener to Client nc listener nc client

  20. Example: Make Connection to Open Port • Better to use in place of telnet • nc is faster and it is easier to drop the connection • Some raw binary data can be accidently interpreted by telnet • nc can do UDP as well as TCP

  21. Wrappers • So how does one get a Trojan on a machine? • Typical method • “wrapping” the Trojan with another executable file which the user runs • The two programs are wrapped together into a single file • However, the user only sees the exe which was used to wrap the Trojan • The Trojan runs in the background

  22. Wrappers - Examples

  23. Network Steganographyfor Data Exfiltration

  24. Steganography Concept • In Art and science • a secret message can be hidden • no one other than the sender and receiver is aware of the message • Physical steganography • Can be dated back to ancient Greece • Stories told of tattoos on the heads of slaves • Heads can then be shaved to reveal the message

  25. Steganography Example • During WWII “microdots” • where used extensively to transmit messages. • Microdots are small dots • which covers a hidden message. KGB Microdot camera for single exposures smaller than 1mm diameter on a special colloid emulsion, size of the camera 7x12mm, the negatives were sent behind stamps and viewed through microscopes Courtesy: WestLicht Auctions

  26. Covert Channel • The “message” is hidden within the traffic of a legitimate communications channel. Normal Traffic Covert Channel Sender Hiding Process Detection Process Receiver

  27. Network Steganography • The “message” is hidden within the traffic of a legitimate communications channel secret info secret info sender receiver Stego Algorithm Channel Detection Algorithm network packet network packet secret key

  28. Common Example – Tunnel inside TCP 80 • Tunneling • Encapsulating one protocol into another protocol • Very common method for even legitimate applications • Tunnel communications over TCP 80 • Other methods include tunneling inside SSH and GRE tunneling • Tunneling maycauses problems for firewalls • Firewalls rely on restricting traffic by IPand source/destination port • Application layer firewalls dig deeper into the packets and can filter by the application itself

  29. TCP Header (review) 16 bits that can be used for a covert channel. (note: all bit combos not available as the flags have to present a valid state)

  30. covert_tcp • Some methods hide data in ‘optional’ fields of a protocol header • The preferred method is to hide data in mandatory fields • It is more effective • Network equipment can easily be programmed to reset or erase ‘optional’ fields • covert_tcp was created by Craig Rowland • http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/528/449 • Covert_tcpcan hide data in • The IP datagram’s ID Field • The Sequence number of the TCP segment • The ACK number of the TCP segment

  31. covert_tcp-- TCP ACK method • IP Identification method • Insert a single ASCII character and receive it at the other end • TCP Sequence Number method • Send SYN with ASCII character as the initial sequence number • Reply with a RST • RST actually ACKs the receipt of the hidden character • TCP ACK # • Most covert and sophisticated • Sender “bounces” the information off an unwitting intermediate party

  32. covert_tcp (TCP ACK method) • Client sends SYN packet to bounce server • Source address is spoofed to recipients address • ISN # is ASCII # -1 • Bounce server responds to receiver • Sends SYN ACK or RST • Both increment ISN by 1 and ASCII character is received

  33. covert_tcp (TCP ACK method) When using IP Iden mode (default) here is the ASCII to IDENT # encoding Letter Ascii x256 • A 65 16640 • B 66 16896 • D 68 17408 • E 69 17664 • F 70 17920 • G 71 18176 • H 72 18432 • I 73 18688 • J 74 18944 • K 75 19200 • L 76 19456 • M 77 19712 N 78 19968 O 79 20224 P 80 20480 Q 81 20736 R 82 20992 S 83 21248 T 84 21504 U 85 21760 V 86 22016 W 87 22272 X 88 22528 Y 89 22784 Z 90 23040

  34. covert_tcp– Example (sender)

  35. covert_tcp– Example (Receiver)

  36. Loki • Covert channel over ICMP • Attacker install Loki on compromised server • Requires root permissions • Grabs incoming ICMP packets from the kernel • Attacker installs Loki client on a remote machine • Data is sent to client lokid using ICMP packets • Under the radar of most detection mechanisms • since ICMP is commonly allowed, and • doesn’t have UDP/TCP ports

  37. Loki • Can use UDP 53 • to disguise as a DNS request • Can switch between UDP and ICMP on the fly • Encryption supported • Blowfish and DH key exchange • For details, see handout

  38. Reverse WWW Shell • Covert channel using HTTP • Can be installed on compromised machine • Every 60 seconds it “phones home” and contacts external server • It “pulls” in commands and sends over normal HTTP • Looks like normal web traffic • Same idea used by legitimate software • such as GoToMyPC

  39. Logging

  40. Altering Event Logs • Even rootkits may leave traces in log files • With admin privilege • Attacker could delete log files • But probably a bad idea…very obvious • A better idea • selectively edit the log files

  41. Logs in Windows • EventLog is logging server • Files ending with .LOG • SECURITY, SYSTEM, APPLICATION • This info is moved to main event logs • SECEVENT.EVT, SYSEVENT.EVT • The .EVT files read by admin using Windows Event Viewer

  42. Windows Event Viewer

  43. Windows Logs • SECEVENT.EVT • Failed logins • policy changes • attempts to access files without permission, etc. • SYSEVENT.EVT • E.g. details of driver failures • APPEVENT.EVT • Application related issues

  44. Windows Logs • Altering event logs • At a minimum must change SECEVENTs • EVT files • Are“locked” and • Are in a binary format • Cannot open/edit with usual tools • With physical access • Boot to Linux and edit logs • Not practical in most cases

  45. Windows Logs • Event editing tools • Winzapper • Attacker can selectively edit EVT files • But must reboot machine to restart EventLog service

  46. WinZapper

  47. Unix Logging • Log files usually in ASCII text • With privilege they are easy to edit • Config file tells where log files are located • Attacker can locate files and edit • Also accounting files • utmp, wtmp, lastlog • Binary files • so they are harder to edit

  48. Unix Logging • Tools to edit accounting files • Many can be found at http://packetstormsecurity.org • wtemped • Marry • Cloak • Logedit • wzap • Accounting file editing tool is standard part of most rootkits

  49. Shell History Files • List of command line, commands issues • Attacker would like to edit this • Files are in ASCII so they are easy to edit • Can insert lines • Why would this be useful? • Edit to shell file written to shell history • When shell is exited gracefully • How to get around this?

  50. Defenses • Activate logging • Log according to some specified policy • Periodically audit logging • Allow plenty of space for logs • Restrictive permissions on log files • Use separate server for logging • Logs redirected to logging server • Not everything can be redirected

More Related