Ed Skoudis June 6, 2003 Seminar Series Breaking News – The Latest Computer Attacks and Defenses


Page 1: Ed Skoudis June 6, 2003 Seminar Series Breaking News – The Latest Computer Attacks and Defenses

Ed Skoudis

June 6, 2003

Seminar Series

Breaking News – The Latest Computer Attacks and Defenses

Page 2

©2003 Ed Skoudis

Presentation Outline

Purpose & General Trends

Step 1: Reconnaissance

Step 2: Scanning

Step 3: Gaining Access

Step 4: Maintaining Access

Step 5: Covering the Tracks

Conclusions

Page 3

A Quote from One of History’s Greatest Hackers

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.

—Sun Tzu, The Art of War

Page 4

Purpose

We’re not here to teach you how to hack…

However, to defend yourself, you must understand your adversaries’ strategies and tactics

We will discuss prominent recent advances in computer attack techniques… to gain an understanding of how to defend against new attacks

We are not endorsing these attack tools, but you have to be ready to defend against them

We will also discuss a variety of useful defensive tools… but check to make sure you have permission to use them! Talk to the system owners…

Page 5

General Trends – The Storm after the Quiet

For six months after September 11, 2001, we saw a major drop in the release of new vulnerabilities and attack tools:

Shock over terrorism

Fear of law enforcement and the PATRIOT Act

Concern about the DMCA

Timeline: Sept 11, 2001 to March 2002: relatively quiet. March 2002 to now: the gloves are off! Major new attacks and tools.

Page 6

General Trends – Software Distro Site Attacks

Trojaning software distribution sites

Hack into a web/ftp site and alter the software to include a backdoor

Everyone who downloads and uses the tool is impacted!

May, 2002: irssi.org - IRC client compromised

May 17-24, 2002: Monkey.org - Dsniff, Fragroute, and Fragrouter hacking tools compromised

July 30 – August 1, 2002: Openssh.org, OpenSSH security tool compromised

Sept 28 - Oct 6, 2002: ftp.sendmail.org, sendmail mail server compromised

Nov 11-13, 2002: tcpdump.org, tcpdump sniffer and libpcap compromised

Some pretty big names have fallen to this attack! What to do?

Check hashes… across multiple mirrors

Don’t put new software directly into production… test first!
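A check of the kind the slide calls for, added here as an example (it is not code from the talk): compute the digest of what you actually downloaded and compare it with the digest published by several independent mirrors, since a digest that lives only on the compromised site proves nothing. The package bytes, mirror names and digests are constructed.

```python
import hashlib

# Constructed sample data: a stand-in for a downloaded tarball and the digest
# that three made-up mirrors publish for it. One mirror's copy has been altered.
PACKAGE_BYTES = b"stand-in for the bytes of a downloaded tcpdump tarball\n"
GOOD_DIGEST = hashlib.sha256(PACKAGE_BYTES).hexdigest()
PUBLISHED_DIGESTS = {
    "mirror-a.example": GOOD_DIGEST,
    "mirror-b.example": GOOD_DIGEST,
    "mirror-c.example": "0" * 64,   # constructed: disagrees with the others
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes actually downloaded (not of what a web page claims)."""
    return hashlib.sha256(data).hexdigest()


def check_against_mirrors(data: bytes, published: dict, min_agreeing: int = 2) -> dict:
    """Compare the local digest with what several independent mirrors publish.

    Verdicts:
      accept      every mirror agrees with the local copy
      suspicious  the local copy matches at least min_agreeing mirrors, but some
                  mirror publishes a different digest: one of the copies has been
                  altered, so investigate before installing anything from any of them
      reject      fewer than min_agreeing mirrors match the local copy
    """
    local = sha256_hex(data)
    agreeing = sorted(m for m, d in published.items() if d == local)
    dissenting = sorted(m for m, d in published.items() if d != local)
    if len(agreeing) < min_agreeing:
        verdict = "reject"
    elif dissenting:
        verdict = "suspicious"
    else:
        verdict = "accept"
    return {"verdict": verdict, "local": local,
            "agreeing": agreeing, "dissenting": dissenting}


if __name__ == "__main__":
    result = check_against_mirrors(PACKAGE_BYTES, PUBLISHED_DIGESTS)
    print(result["verdict"], "agree:", result["agreeing"], "dissent:", result["dissenting"])
    # A backdoored download matches no mirror at all:
    print(check_against_mirrors(b"backdoored bytes", PUBLISHED_DIGESTS)["verdict"])
```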

Page 7

Tcpdump Trojan

Figure: flow diagram between the victim’s system and the attacker’s web server, with numbered steps 1 to 7 and these labels:

1. Admin downloads Trojan Horse version of tcpdump and/or libpcap package

2. tcpdump install package: configure script

3. Download and run a "services" script from the attacker’s web server

4. services script generates, compiles, and executes a C program: the backdoor

5. backdoor polls for control character A, D, or M on TCP port 1963

6. If D character, run shell and shovel input to attacker: shovel shell across network

7. Attacker types commands here for execution on victim’s machine

Page 8

Tcpdump Trojan Horse Details

Interesting Notes:

A, D, and M for commands… where do those characters come from?

Why TCP port 1963?

Similarity to sendmail Trojan and others

Shoveling shell: pushing out a connection that is really incoming command shell access; more easily gets through firewalls

The sniffer itself won’t show traffic destined for the backdoor (OUCH!)


Page 10

Reconnaissance

Many Script Kiddies skip this step

The best attackers do comprehensive reconnaissance

Adrian Lamo claims that Google is his favorite hacking tool

Useful public information is plentiful: admin names, addresses, phone numbers, financial info, business partners, job requisitions

Technologies in use, IP addresses, DNS servers, network topology, open ports, etc…

Portals for reconnaissance and attacks:

www.allwhois.com - Registration data for over 66 countries

www.samspade.org - Ping, DNS, traceroute, etc.

www.attackportal.net - Misc. recon and attack tools

Page 11

Reconnaissance Defenses

Look for information leakage from your systems before the bad guys find it

Conduct reconnaissance against your own environment

Use the same tools as the bad guys… but be careful! If you use their web sites or tools for searches, they could monitor your actions

Probably best not to do this from your production network; do it from a separate ISP


Page 13

Why Port Scanning?

TCP and UDP each have ports; servers listen on ports

They act like doors - data goes out one port and into another port

Attacker wants to know which ports are open

Let’s focus on TCP port scanning: the most common protocol on top of IP… it’s used by HTTP, telnet, FTP, and many other services

TCP uses the three-way handshake

Figure: three-way handshake between A and B: SYN (A to B), SYN-ACK (B to A), ACK (A to B), then the connection is established

Page 14

“Normal” Port Scanning

Figure: the attacker sends SYN to TCP port 1, SYN to TCP port 2, and SYN to TCP port 3 of the TARGET; a SYN-ACK comes back from port 3. Eureka! Port 3 is listening!

Attackers send SYN packets, and watch for SYN-ACK responses to indicate a listening port

Downside for attacker: the scan can be traced back to the attacker’s machine using the source IP address

Page 15

What if Attacker Spoofs Source Address?

Not very useful, because SYN-ACK responses don’t come back to the attacker

The attacker can’t figure out if the port is open or closed, so the port scan is a waste of time

Figure: spoofed SYNs to TCP ports 1, 2, and 3 of the TARGET; the SYN-ACK from port 3 goes to the address the attacker is spoofing, which answers with a RESET

Page 16

IP Identification Field Predictability…

The IP Identification field in the IP header is used for packet fragmentation: it groups all fragments together for packet reassembly

If there are no fragments, the IP stack still assigns some value to this field

When some systems send packets, they just increment the IP ID field by one for each packet: each packet gets an IP ID value that is one bigger than the previous packet’s value

Figure: IP header layout: Version, Header Length, Service Type, Total Length; Identification, Flags, Fragment Offset; TTL, Protocol, Header Checksum; Source IP Address; Destination IP Address; IP Options (if any), Padding; Data…

Page 17

Predictable IP ID – Idle Scans in Nmap

Figure: steps 1 to 3, between the attacker and the "machine that gets framed"; the TARGET is shown but not yet contacted:

1. SYN to the machine that gets framed

2. SYN-ACK, with IP ID = X

3. Remember IP ID = X

Page 18

IP Identification Scanning (A.K.A. “Idle” Scanning)

Figure: steps 4 to 8:

4. Spoofed SYN to TCP port 3 of the TARGET, with the framed machine’s address as source

5. SYN-ACK from port 3 goes to the machine that gets framed

6. RESET, IP ID = X+1, from the framed machine

7. SYN to the machine that gets framed

8. SYN-ACK

ANALYZE STEP 8! If the IP ID of step 8 is X+2, the port is listening. If the IP ID of step 8 is X+1, the port is closed.
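To make the X+1 versus X+2 inference concrete, here is an added model of the eight steps in the two diagrams (example code written for this page, not from the talk or from Nmap): three hosts with the predictable IP ID behaviour from the previous slide exchange packets in memory, with no real networking. Host names, ports and starting IP IDs are constructed; the last function is a defender’s check that classifies IP IDs captured from one of your own hosts, so you know whether it could be framed this way.

```python
class Host:
    """Minimal IP stack with the behaviour the slides describe: one global IP ID
    counter that goes up by one on every packet sent, and the standard replies
    the idle scan relies on (SYN-ACK or RST to a SYN, RST to a stray SYN-ACK,
    silence in response to a RST). Names, ports and IP IDs are constructed."""

    def __init__(self, name, open_ports, ip_id):
        self.name = name
        self.open_ports = set(open_ports)
        self.ip_id = ip_id

    def _send(self, kind, dst, port):
        self.ip_id += 1                          # the predictable increment
        return {"src": self.name, "dst": dst, "kind": kind,
                "port": port, "ip_id": self.ip_id}

    def receive(self, pkt):
        """Return the reply packet this stack would send, or None."""
        if pkt["kind"] == "SYN":
            reply = "SYN-ACK" if pkt["port"] in self.open_ports else "RST"
            return self._send(reply, pkt["src"], pkt["port"])
        if pkt["kind"] == "SYN-ACK":             # unsolicited: answer with RST
            return self._send("RST", pkt["src"], pkt["port"])
        return None                              # a RST gets no reply


def idle_scan(framed, target, port, attacker="attacker", probe_port=80):
    """Steps 1-8 of the diagrams. Returns 'open', 'closed' or 'unknown'."""
    probe = {"src": attacker, "dst": framed.name, "kind": "SYN", "port": probe_port}
    x = framed.receive(probe)["ip_id"]                          # steps 1-3: X
    spoofed = {"src": framed.name, "dst": target.name, "kind": "SYN", "port": port}
    answer = target.receive(spoofed)                            # step 4
    if answer:                # steps 5-6: a SYN-ACK draws a RST (X+1); a RST is ignored
        framed.receive(answer)
    delta = framed.receive(probe)["ip_id"] - x                  # steps 7-8
    return {2: "open", 1: "closed"}.get(delta, "unknown")


def ipid_pattern(samples, max_step=32):
    """Defender's check: classify IP IDs captured from one of your own hosts.
    'incremental' stacks can be framed this way and leak how much they send;
    'zero' and 'random' cannot. Wraparound at 65535 counts as a step of +1."""
    if len(samples) < 2:
        return "unknown"
    if all(s == 0 for s in samples):
        return "zero"
    steps = [(b - a) & 0xFFFF for a, b in zip(samples, samples[1:])]
    return "incremental" if all(1 <= s <= max_step for s in steps) else "random"


if __name__ == "__main__":
    framed = Host("framed", open_ports={80}, ip_id=1000)
    target = Host("target", open_ports={3}, ip_id=5000)
    print("port 3:", idle_scan(framed, target, 3))      # open
    print("port 4:", idle_scan(framed, target, 4))      # closed
    print(ipid_pattern([1000, 1001, 1002, 1003]))        # incremental
```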

Page 19

Scanning - Paketto Keiretsu

Suite of tools for doing TCP/IP tricks

By Dan Kaminsky, released October 8, 2002

Available at http://www.doxpara.com/

One capability: very rapid port scanning

Separate the packet sender process from the receiver

Sender transmits packets as quickly as the network will carry them

Receiver sniffs responses

Sender and receiver are out of sync, but that’s ok

The idea could be extended…

Figure: the attacker runs a sender (Sndr) and a receiver (Rcvr); SYNs go out from the sender, SYN-ACKs come back to the receiver

Page 20

Port Scanning Defenses

Action item: Run netstat –na to see what’s listening (on UNIX and Windows)

Alternatively, use Fport on Windows and Lsof on UNIX

For those services you don’t need, close unused ports

Disable unneeded services

In Windows: check Start → Programs → Administrative Tools → Services

In UNIX: check /etc/rc.d/init.d and /etc/xinetd

For incident handling, realize that these scans are possible
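The netstat action item, as an added example (not from the talk): parse netstat -na output in both the UNIX and Windows layouts and report listeners that are not on your expected-services list, plus established connections to TCP port 1963, the tcpdump backdoor port from the earlier slide. The sample output, addresses and expected-services list are constructed.

```python
# Constructed sample, shaped like "netstat -na" output on Linux (first block)
# and on Windows (second block). Addresses and ports are made up, except TCP
# 1963, the port the trojaned tcpdump backdoor used (see the earlier slide).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40211          ESTABLISHED
tcp        0      0 10.0.0.5:40312          203.0.113.7:1963        ESTABLISHED
udp        0      0 0.0.0.0:1434            0.0.0.0:*
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# What this host is supposed to be running: (protocol, local port). Constructed.
EXPECTED_SERVICES = {("tcp", 22), ("tcp", 25), ("tcp", 135), ("udp", 137)}
# Remote ports worth flagging on outbound connections: the backdoor shovels a
# shell out to the attacker, so it appears as an ESTABLISHED client socket.
SUSPICIOUS_REMOTE_PORTS = {1963}


def _split_addr(addr):
    """'10.0.0.5:40312' -> ('10.0.0.5', 40312); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state).
    Linux lines have six columns (Proto Recv-Q Send-Q Local Foreign State);
    Windows lines have four (Proto Local Foreign State); UDP lines lack State."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = parts[0].lower().rstrip("6")
        if len(parts) >= 5:                       # Linux layout
            local, remote = parts[3], parts[4]
            state = parts[5] if len(parts) > 5 else ""
        else:                                     # Windows layout
            local, remote = parts[1], parts[2]
            state = parts[3] if len(parts) > 3 else ""
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        yield proto, lip, lport, rip, rport, state


def audit_netstat(text, expected=EXPECTED_SERVICES, bad_remote=SUSPICIOUS_REMOTE_PORTS):
    """Return findings: unexpected listeners and connections to suspicious ports."""
    findings = []
    for proto, lip, lport, rip, rport, state in parse_netstat(text):
        listening = proto == "udp" or state in ("LISTEN", "LISTENING")
        if listening and (proto, lport) not in expected:
            findings.append(("unexpected listener", proto, lport, lip))
        elif state == "ESTABLISHED" and rport in bad_remote:
            findings.append(("connection to suspicious port", proto, rport, rip))
    return findings


if __name__ == "__main__":
    for finding in audit_netstat(SAMPLE_NETSTAT):
        print(*finding)
```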


Page 22

Gaining Access – Detailed Code Analysis Tools

Consider recent months – major holes in Apache, Internet Explorer, OpenSSL, OpenSSH, Sendmail, Snort… the list keeps growing!

We’ve seen a recent revolution in detailed vulnerability analysis tools, used to find buffer overflows, heap overflows, etc.

Think of these tools as X-rays or microscopes to look inside executable code at a fine-grained level

Look for common mistakes that let an attacker take over a system

Step through machine language code, line by line

To learn more about such tools, check out the Honeynet Project Reverse Challenge at: http://www.honeynet.org/reverse/

Page 23

Code Analysis Tools - Windows

Tool Name: APISpy32, by Yariv Kaplan
Commercial or Free: Free
Summary: On Windows systems, this tool monitors all API calls, showing the value of all variables passed along the way.
Where to Get It: http://www.internals.com/utilities_main.htm

Tool Name: Heap Debugger, by Anonymous
Commercial or Free: Free
Summary: On Windows systems, this tool lists all memory locations not properly released by an application.
Where to Get It: http://www.programmersheaven.com/zone24/cat277/4136.htm

Tool Name: APIHooks, by EliCZ
Commercial or Free: Free
Summary: On Windows systems, this tool intercepts API calls, allowing an attacker to analyze or even manipulate the flow of data through a program.
Where to Get It: http://www.anticracking.sk/EliCZ/

Tool Name: Feszer, by Frank Swiderski
Commercial or Free: Free
Summary: This Windows tool is used to analyze problems in string handling functions.
Where to Get It: http://www.atstake.com/research/tools/index.html

Page 24

Code Analysis Tools - UNIX

Tool Name: Sharefuzz, by Dave Aitel
Commercial or Free: Free
Summary: On UNIX machines, this program can be used to find holes from local accounts on a machine.
Where to Get It: http://freshmeat.net/projects/sharefuzz/?topic_id=43

Tool Name: SPIKE, by Dave Aitel
Commercial or Free: Free
Summary: On UNIX machines, this tool can be used to find flaws in network protocol handling, especially in web servers and remote procedure calls.
Where to Get It: http://www.immunitysec.com/spike.html

Tool Name: Electric Fence, by Bruce Perens
Commercial or Free: Free
Summary: On UNIX machines, this tool can find flaws with the way the system frees memory, which could lead to security exposures.
Where to Get It: http://perens.com/FreeSoftware/

Tool Name: Fenris, by Michal Zalewski
Commercial or Free: Free
Summary: Multipurpose tracer, stateful analyzer and partial decompiler for UNIX
Where to Get It: http://razor.bindview.com/tools/fenris/

Page 25

Code Analysis Tools - Both

Tool Name: IDA Pro, by Data Rescue
Commercial or Free: Commercial
Summary: This program is the premier code disassembler tool for both Windows and Linux. It is extremely powerful and very widely used to find security flaws.
Where to Get It: http://www.datarescue.com

Tool Name: Cenzic’s Hailstorm
Commercial or Free: Commercial
Summary: This powerful tool allows for finding defects by injecting faults into software.
Where to Get It: http://www.cenzic.com/

People used to say that closed source was more secure because attackers couldn’t analyze it as much

This is increasingly less true because of tools like these!

Page 26

SQL Slammer

So, how are they propagating their exploits? Increasingly, they are using worms

Remember SQL Slammer? January, 2003: fast-spreading worm on the rampage

Patch SQL Server!

Am I running it? Very hard to tell: many products use it, and Microsoft doesn’t make it easy to detect

Page 27

SQL Slammer Impact

Took much of South Korea off of the Internet for several hours

Ironically, this limited its spread: by clogging links, the worm couldn’t spread as quickly to the outside world

One Emergency 911 call center was taken off line

Over 13,000 ATMs (money machines) offline in North America

Some airlines cancelled a few flights

Page 28

SQL Slammer Characteristics

Why did SQL Slammer cause such damage?

People didn’t know they were running the Microsoft SQL service

Fast spread via small size and UDP: only 376 bytes

Attacked Microsoft SQL Service, which uses UDP

Page 29

Worm Efficiencies and TCP vs. UDP

To establish sequence numbers, TCP uses a three-way handshake to initiate a connection

UDP doesn’t…

Figure: TCP side: SYN, SYN-ACK, ACK, then Connection; UDP side: a single Packet sent from A

Page 30

UDP-based Worms

Analogy: spreading a cold in Grand Central Station

TCP: shake everyone’s hand…

UDP: lob infected ping pong balls

Figure: worm spread via TCP (a three-way handshake with each victim) versus worm spread via UDP (a single packet to each victim)

Page 31

Defenses Against Code Flaws & Worms

Keep your systems patched, with a well-defined process for:

Learning about new patch availability

Acquiring and authenticating patches

Testing patches in a non-production environment

Rolling patches into production

Write secure code! Education of software developers

Good book for Windows: Writing Secure Code, by Howard and LeBlanc

Good stuff for UNIX: http://www.dwheeler.com/secure-programs/ by D. Wheeler

Automated software checking tools:

ITS4: www.cigital.com/its4/download.html

RATS: www.securesoftware.com/rats.php

Flawfinder: www.dwheeler.com/flawfinder/


Page 33

Trojan Horse Backdoors

Type of Trojan horse backdoor: Application-Level Trojan Horse Backdoor
Characteristic: A separate application runs on the system
Analogy: An attacker adds poison to your soup.
Example tools in this category: Sub7, BO2K, Tini, etc.

Type of Trojan horse backdoor: Traditional RootKits
Characteristic: Critical operating system components are replaced.
Analogy: An attacker replaces your potatoes with poison ones.
Example tools in this category: Lrk6, T0rnkit, etc.

Type of Trojan horse backdoor: Kernel-Level RootKits
Characteristic: Kernel is patched.
Analogy: An attacker replaces your tongue with a poison one.
Example tools in this category: Knark, adore, Kernel Intrusion System, rootkit.com, etc.

Figure (three diagrams):

Traditional RootKit: good Kernel; Trojan login, Trojan ps, Trojan ifconfig; good tripwire

Kernel-level RootKit: Kernel with a Trojan Kernel Module; good login, good ps, good ifconfig, good tripwire

Application-level: good Kernel; a separate Evil App alongside good programs

Page 34

Maintaining Access – Trojan Horse Backdoors

New, even stealthier Application-Level Trojan Horse Backdoors: Setiri

Written by Roelof Temmingh and Haroon Meer

Code shown August, 2002; no release scheduled

Standard functions: upload file, execute program, download file

Uses an invisible IE browser window and OLE to communicate with the browser, sending data to the attacker over HTTPS

If the personal firewall allows the browser to send traffic to the Internet, the backdoor can communicate with the attacker

Also gets through NAT, proxies, and stateful firewalls

Page 35

Setiri Architecture

Figure: Victim → Firewall → Anonymizer → Connection Broker (web server with attacker’s CGIs) → Anonymizer → Attacker, with every hop carried over HTTPS

STEP 1: Attacker somehow installs Setiri on victim machine

Page 36

Kernel Level RootKits

An area that continues to get attackers’ attention is the kernel-level RootKit

By operating in the kernel, the attacker has complete control of the target machine:

Hidden processes

Hidden files

Hidden network use (sniffing and port listeners)

Execution redirection

Three ways of implementing:

Loadable Kernel Module

Patch kernel image on hard drive

Alter kernel in memory on running system! Yikes!!!

Page 37

Maintaining Access Defenses

Block access to Anonymizer.com

Works for the base Setiri tool and relatives, but the attacker could use another anonymous proxy or connection broker

Still, it’s a pretty reasonable idea

Anti-virus tools: look for signatures in the near future

Browser vendors (ahem…) possibly looking at limiting actions of an invisible browser

Additionally, protect your kernel!

St. Michael for Linux, by Tim Lawless, at www.sourceforge.net

Okena and Entercept for Windows and Solaris


Page 39

Covering Tracks with The Defiler’s Toolkit

Forensics now faces… anti-forensics

The Coroner’s Toolkit is very popular, along with its descendant, TASK (www.atstake.com)

The Defiler’s Toolkit attempts to confuse forensics investigations

Targets the Linux Ext2fs file system, but the ideas could be extended to other platforms

By anonymous, released July, 2002

Available at http://www.phrack.com/show.php?p=59&a=6

Page 40

Defiler’s Toolkit

Data hiding:

The bad blocks inode points to blocks that don’t function properly

Attacker associates good blocks with the bad blocks inode and stores data there: carve out a segment of your hard drive and label it “bad”

Drive appears smaller, but TCT won’t look in the bad blocks

Data destruction with Necrofile:

Undelete tools remove just the data, not the meta-data (inodes and directory entries)

Necrofile – scrubs inodes clean, based on deletion time criteria

Data destruction with Klismafile:

Directory entries show deleted filenames and sizes

Klismafile searches for these entries and scrubs them

Page 41

Defending Against The Defiler’s Toolkit

The Coroner’s Toolkit, as cool as it was, is a bit outdated

Turn toward a more recent descendant of TCT, TASK, to get a better look at forensics data

In investigations, don’t forget to look in blocks marked bad! There could be some very useful data hidden in there


Page 43

Conclusions

Remember good ol’ Sun Tzu

Attackers keep improving their capabilities and tools

Don’t get discouraged: we must keep up with them

Understand their techniques

Deploy, maintain, and update effective defenses

Consider it an intellectual challenge… with job security

Just remember… it is the Golden Age

By remaining diligent, we can secure our systems!

Page 44

References – Keeping Up

The web: www.sans.org, www.securityfocus.com, www.counterhack.net

Test your knowledge while having fun! Monthly “Crack the Hacker” Challenge at www.counterhack.net:

Willie Wonka and the Chocolate Hackery (Feb, 2003)

Hack to the Future (January, 2003)

How the Grinch Hacked Christmas (December, 2002)

Spider-Hack (November, 2002)

Robin Hack, Prince of Thieves (October, 2002)

The Princess Hack (September, 2002)

Crackers, Admins, and Sploits... Oh My! (July, 2002)

HACK WARS, Episode IV, A New Hack (June, 2002)

Backdoor Shell Game Face/Off (May, 2002)