COEN 252 Computer Forensics Investigating Hacker Tools


Program Analysis

Given an executable, how do we find out what it does?
- Try to find the program online. Search for the name of the program.
- Analyze the source code to find clues. Perform a source code review.
- Execute the program in a sandbox. Some programs can break out of a sandbox / jail.

Program Compilation

- Compiler: translates HLL code to assembly / ILL.
- Assembler: translates assembly code to machine language.
- Linker: creates object code out of several modules. A program usually makes library calls (stdio).

Program Compilation

- Statically linked: all library code is part of the object code. Static compilation needs more memory.
- Dynamically linked: the program calls library functions (DLL).
- Stripping: removes all human-readable symbols from the object code. Combats reverse engineering.
- Packing with UPX, etc. (upx.sourceforge.net): compresses the executable (achieves ratios of 20% - 40%).

Program Analysis: Static Analysis

- Determine the type of executable: ELF file in Unix, EXE type in Windows.
- Symbol extraction: use a program like strings to find symbols left in the object code. Names give hints about the program. Will not work for stripped files.

Static Program Analysis

Example for strings output:

Program Analysis

Find the program online:
- Use the name of the file to find online versions.
- Use strings to check whether this is a similar file.
- Use the same compiler to compile the online version and check for similarity.

Static Program Analysis

Investigate source code. Use reversing tools:
- Disassembler: decodes binary machine code into readable assembly language text. Examples: IDA Pro, ILDasm (Microsoft .NET IL disassembler).

Static Program Analysis

Investigate source code. Use reversing tools: debuggers.
- Kernel-mode: a component that sits alongside the system’s kernel. Allows stopping and observing the entire system.
- User-mode: attaches to a process and takes full control of the process.
- Tools: OllyDbg, WinDbg (MS tool), IDA Pro, NuMega SoftICE (no longer available in isolation).

Static Program Analysis

Investigate source code. Use reversing tools: decompilers.
- Attempt to produce a high-level-language, source-code-like representation from a binary.
- Never completely possible, because the compiler removes some information and optimizes the code.

System monitoring tools: Filemon, TCPView, RegMon, PortMon, WinObj, Process Explorer.

Static Program Analysis

Investigate source code: executable dumping.
- Dumpbin (MS), PEView, PEBrowse Professional.

Program Analysis

Using disassembly:

Static Program Analysis

Artifacts to look for:
- Names of functions, especially API functions.
- Data strings.
- Names of constant strings.
- Names of directories.
- Identification of the compiler.
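As an added worked example (not part of the course slides), the following Python script performs the static triage these slides describe in one pass: it classifies a file by its magic bytes (ELF vs. MZ/PE, the check the "type of executable" slide calls for), pulls printable runs the way strings does, and buckets them into the artifact categories listed above (API names, directories/paths, hostnames or URLs, packer markers, compiler tags). The watch-lists, the function names and the sample byte blob it scans are constructed for this example; the API names are the anti-debugging calls named at the end of these slides, and the UPX markers are the "UPX!" tag and UPX0/UPX1 section names a UPX-packed PE carries.

```python
"""Static triage of an executable: file type, strings, and artifacts.

Added example for these slides; the watch-lists and the sample blob are
constructed for illustration and are not part of the course material.
"""
import re
import struct

MIN_LEN = 4  # GNU strings' default minimum run length (`strings -n 4`)

# Anti-debugging APIs named on these slides, and the markers a UPX-packed PE
# carries (the "UPX!" header tag and the UPX0/UPX1 section names).
API_WATCHLIST = {"IsDebuggerPresent", "NtQuerySystemInformation",
                 "CheckRemoteDebuggerPresent"}
PACKER_MARKERS = {"UPX!", "UPX0", "UPX1"}
URL_RE = re.compile(r"^(?:https?://|www\.)\S+$|^[\w.-]+\.(?:org|com|net)(?:/\S*)?$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|/)[-\w.\\/ ]+$")
COMPILER_TAGS = ("GCC: (", "Microsoft (R)")  # banner strings compilers leave behind


def file_type(data):
    """Classify by magic bytes: ELF on Unix, MZ/PE on Windows."""
    if len(data) >= 5 and data[:4] == b"\x7fELF":
        return "ELF " + {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown width")
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature of a PE file.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE (Windows executable)"
        return "MZ (DOS executable)"
    return "unknown"


def extract_strings(data, min_len=MIN_LEN):
    """Printable ASCII runs of at least min_len bytes, as `strings` reports them."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify(strings):
    """Bucket strings into the artifact categories listed on the slide."""
    found = {"api": [], "paths": [], "urls": [], "packer": [], "compiler": []}
    for s in strings:
        if s in API_WATCHLIST:
            found["api"].append(s)
        if s in PACKER_MARKERS:
            found["packer"].append(s)
        if URL_RE.match(s):
            found["urls"].append(s)
        if PATH_RE.match(s):
            found["paths"].append(s)
        if s.startswith(COMPILER_TAGS):
            found["compiler"].append(s)
    return found


def triage(data):
    """One-shot static triage: type, number of strings, flagged artifacts."""
    strings = extract_strings(data)
    return {"type": file_type(data), "string_count": len(strings),
            "artifacts": classify(strings)}


def build_sample():
    """Constructed stand-in for a suspicious PE file (not a real binary)."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)      # e_lfanew -> offset 0x80
    body = b"PE\x00\x00" + b"\x00" * 20
    embedded = [b"IsDebuggerPresent", b"www.evil.org",
                b"C:\\Windows\\System32\\cmd.exe", b"UPX0",
                b"GCC: (GNU) 4.8.5", b"ab"]              # "ab" is below MIN_LEN
    return bytes(header) + body + b"\x00".join(embedded) + b"\x00"


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

On a real file, call triage(open(path, "rb").read()). Like plain strings, this only finds ASCII runs; Windows binaries often keep their interesting text as UTF-16, which GNU strings reaches with -e l, and a packed or stripped file yields few useful strings until it is unpacked.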

Static Program Analysis

Compilers generate different types of code for the same HLL feature. Function calls:
- Order in which parameters are pushed on the stack.
- Use of certain registers to pass variables.
- Use of the stack / registers to return a value.
- Division of labor between callee and caller.

This allows us to recognize the compiler with which an executable was created. Programmers using assembly will not follow the same standards throughout the code; hence, we can recognize assembly writers as well.

Dynamic Program Analysis

Run the program and see what it is doing. Requires security mechanisms:
- A dedicated machine, not connected to the internet. Or: a virtual machine.
- However: code can recognize whether it is running in VMware, e.g. by the internal MAC addresses, …
- Transport malware on a non-writable CD / DVD.

Dynamic Program Analysis

strace, systrace: run the program, but keep track of the system calls that it makes, with parameters.
- More relevant calls (Unix): open, read, write, unlink, lstat, socket, close.
- strace has an option that intercepts all network-related calls.
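The following is an added example, not from the course material: a small parser for strace output that keeps only the calls the slide lists (plus connect(), which names the remote endpoint that a socket() call alone does not show) and summarizes which files the sample touched, with what outcome, and where it tried to connect. The option the slide refers to is -e trace=network; the log lines here are constructed in the format strace -f -o writes, the function names are my own, and 203.0.113.5 (a documentation address) stands in for a real endpoint. Port 6667 in the sample is the IRC port that the later www.evil.org slide mentions.

```python
"""Summarize an strace log: relevant calls, files touched, endpoints contacted.

Added example for these slides; the trace below is constructed, not captured.
"""
import re
from collections import defaultdict

# The calls the slide lists as most relevant, plus connect(), which is what
# actually names the remote endpoint a socket() is used for.
RELEVANT = {"open", "openat", "read", "write", "unlink", "lstat",
            "socket", "connect", "close"}

# Constructed sample in the shape `strace -f -o trace.txt ./sample` writes:
# "<pid>  <call>(<args>) = <retval> [<errno> (<message>)]".
SAMPLE_TRACE = r"""
1234  open("/etc/passwd", O_RDONLY) = 3
1234  read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1891
1234  close(3) = 0
1234  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
1234  connect(4, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
1234  open("/tmp/.hidden", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
1234  write(5, "\177ELF\2\1\1"..., 512) = 512
1234  close(5) = 0
1234  unlink("/var/log/auth.log") = -1 EACCES (Permission denied)
1234  getpid() = 1234
""".strip()

# pid prefix (optional), call name, argument text, return value, optional errno.
LINE_RE = re.compile(
    r"^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*"
    r"(?P<ret>-?\d+|0x[0-9a-f]+|\?)(?P<err>\s+E[A-Z]+.*)?$"
)


def parse(trace_text):
    """Return the relevant calls as dicts; other calls (getpid, ...) are dropped."""
    events = []
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m["call"] not in RELEVANT:
            continue
        events.append({"call": m["call"], "args": m["args"],
                       "ret": m["ret"], "err": (m["err"] or "").strip()})
    return events


def summarize(events):
    """Files touched (with outcome) and the remote endpoints connect() named."""
    files = defaultdict(set)
    endpoints = []
    for ev in events:
        if ev["call"] in {"open", "openat", "unlink", "lstat"}:
            path = re.search(r'"([^"]*)"', ev["args"])   # first quoted arg is the path
            if path:
                outcome = "failed:" + ev["err"].split()[0] if ev["err"] else ev["call"]
                files[path.group(1)].add(outcome)
        elif ev["call"] == "connect":
            port = re.search(r"htons\((\d+)\)", ev["args"])
            addr = re.search(r'inet_addr\("([^"]+)"\)', ev["args"])
            if port and addr:
                endpoints.append((addr.group(1), int(port.group(1))))
    return {"files": {p: sorted(o) for p, o in files.items()},
            "endpoints": endpoints}


if __name__ == "__main__":
    summary = summarize(parse(SAMPLE_TRACE))
    for path, outcomes in summary["files"].items():
        print(f"{path}: {', '.join(outcomes)}")
    for host, port in summary["endpoints"]:
        print(f"connect -> {host}:{port}")
```

The failed unlink() is kept on purpose: what a sample tries and cannot do (here, removing an authentication log) is as telling as what succeeds. On a real trace, run the sample with strace -f -o trace.txt so child processes are included, and feed the file's text to parse().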

Dynamic Program Analysis

- Use fport, netstat, … to determine the ports opened by the program.
- On Windows systems: use RegMon, ListDLLs and PsList to find out the processes created by the program.

Dynamic Program Analysis

Intercept the communication of the program. Need to generate a fake network. E.g.: static analysis reveals that the program tries to contact www.evil.org on the IRC port. Hence, name an additional machine on the separated net www.evil.org.

Dynamic Program Analysis

- Run the program in a debugger: IDA Pro, OllyDbg, SoftICE.
- Do a web search for unique names.

Program Analysis

Malware writers can use anti-reversing techniques:
- Eliminate symbolic information.
- Encrypt code.
- Code obfuscation: make HLL constructs difficult to understand.

Anti-debugger methods:
- Use the IsDebuggerPresent API to protect against user-level debuggers.
- Use the NtQuerySystemInformation API to determine if a kernel debugger is attached to the system.
- Set a trap flag and check whether it is still there. A debugger would “swallow” it.
- Put in bogus bytes over which the code jumps. Does not work for all disassemblers.