Page 1: Investigating Hackers' Tools

INVESTIGATING HACKERS’ TOOLS

A SEMINAR BY

ISRAEL UMANA
M.Tech – Information Security and Cyber Forensic
SRM University, Chennai, India

Page 2: Investigating Hackers' Tools

Acknowledgments

Material is sourced from: INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION
Authors: CHRIS PROSISE, KEVIN MANDIA
Publisher: McGraw-Hill/Osborne, New York

Israel Umana - Investigating Hackers' tools

Page 3: Investigating Hackers' Tools

THE GOALS OF TOOL ANALYSIS

• Prevent similar attacks in the future
• Assess an attacker’s skill or threat level
• Determine the extent of a compromise
• Determine if any damage was done
• Determine the number and type of intruders
• Prepare yourself for a successful subject interview if you catch the attacker
• Determine the attacker’s objectives and goals (specific targeting versus target of opportunity)

Page 4: Investigating Hackers' Tools

HOW FILES ARE COMPILED

• Statically Linked Programs (gcc -static zap.c -o zapstatic): every library routine is copied into the binary, so it runs without the victim's shared libraries but is much larger.
• Dynamically Linked Programs (gcc zap.c -o zap_out): library routines are resolved at load time, so the binary is small but depends on the libraries present on the host.
• Programs Compiled with Debug Options (gcc -g zap.c -o zapdebug): the symbol and source-line information left in the file makes analysis far easier.
• Stripped Programs: the symbol table has been removed (the strip utility does this), so function names are gone.
• Programs Packed with UPX: the executable is compressed and wrapped in a small decompression stub, which hides its strings until it is unpacked.

Page 5: Investigating Hackers' Tools

Statically vs Dynamically compiled program

(diagram only: statically versus dynamically compiled program)

Page 6: Investigating Hackers' Tools

File Analysis

• On a Unix system, change to the directory of the suspicious file and issue the command:

[root@conan zap]# ls -al Z
-rwxr--r-- 1 root root 7423 Feb 4 02:00 Z

• This displays the file attributes and permissions: owner and group, size in bytes, and the last-modification time, all of which should be recorded before the file is touched further.

Page 7: Investigating Hackers' Tools

File Analysis (contd)

[root@conan zap]# file Z

• This command shows the file type and the compilation method used. Here is a sample output:

Z: ELF 32-bit LSB executable, Intel 80386, version 1 (Linux), statically linked, stripped

• Note that a UPX-packed binary also reports as statically linked and stripped, because only the packer's stub is visible to file. That is why the next step checks for the packer before drawing conclusions.

Page 8: Investigating Hackers' Tools

File Analysis (contd)

[root@conan zap]# strings -a Z

• This command shows whether the file is compressed with UPX; the packer leaves its banner in the file. Sample output:

--Excerpt--
Linux
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 1.24 Copyright (C) 1996-2002 the UPX Team. All Rights Reserved. $
UWVSQR

Page 9: Investigating Hackers' Tools

File Analysis (File Analysis (File Analysis (File Analysis (contdcontdcontdcontd))))

• The following command decompresses (unpacks) the suspect file and stores the output in the file named foo:

[root@conan zap]# upx -d Z -o foo

Output:

                    Ultimate Packer for eXecutables
       Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24    Markus F.X.J. Oberhumer & Laszlo Molnar    Nov 7th 2002

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     13160 <-      7423   56.40%   linux/386     foo

• The unpacked file is 13160 bytes; the 7423-byte packed file is the one ls reported earlier.

Page 10: Investigating Hackers' Tools

File Analysis (contd)

• We can now run the same commands again, this time against the unpacked file:

[root@conan zap]# file foo
[root@conan zap]# strings -a foo

• The strings output of foo, unlike that of Z, shows the program's real messages, paths and library references.
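The checks that file and strings performed above can be reproduced directly from the ELF headers. The following is an added example written for this seminar, not code from the book: inspect_elf() reads the ELF header, program headers and section headers to report word size, endianness, machine, static versus dynamic linking and whether the symbol table is present, and looks for the UPX banner. build_elf64() is test scaffolding that constructs header-only ELF images (not loadable programs) so the example can be run offline; the machine table and the "no PT_INTERP/PT_DYNAMIC means static" rule are simplifications (a static-PIE binary, for instance, carries PT_DYNAMIC without an interpreter).

```python
"""ELF triage in pure Python, mirroring what `file Z` and `strings -a Z` showed:
class, endianness, machine, static vs dynamic linking, stripped or not, and the
UPX banner. Added example for this seminar, not the book's code. build_elf64()
constructs header-only test images, not loadable programs."""
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3   # program header types only a dynamically linked executable carries
SHT_SYMTAB = 2                 # section type that `strip` removes
MACHINES = {3: "Intel 80386", 62: "x86-64", 40: "ARM", 183: "AArch64"}
ELF_TYPES = {2: "executable", 3: "shared object"}


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF header, program headers and section headers of `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 32 if data[4] == 1 else 64            # EI_CLASS
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = LSB, 2 = MSB
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    if bits == 64:
        f = struct.unpack(end + "HHIQQQIHHHHHH", data[16:64])
    else:
        f = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
    e_type, e_machine, phoff, shoff = f[0], f[1], f[4], f[5]
    phentsize, phnum, shentsize, shnum = f[8], f[9], f[10], f[11]

    # p_type is the first dword of every program header
    ptypes = [struct.unpack(end + "I", data[phoff + i * phentsize:][:4])[0] for i in range(phnum)]
    # sh_type is the second dword of every section header
    stypes = [struct.unpack(end + "I", data[shoff + i * shentsize + 4:][:4])[0] for i in range(shnum)]

    return {
        "class": bits,
        "endian": "LSB" if end == "<" else "MSB",
        "type": ELF_TYPES.get(e_type, "type %d" % e_type),
        "machine": MACHINES.get(e_machine, "machine %d" % e_machine),
        # no interpreter and no dynamic segment: nothing is resolved at load time
        "linking": ("dynamically linked" if (PT_INTERP in ptypes or PT_DYNAMIC in ptypes)
                    else "statically linked"),
        # a packed binary usually has no section table at all, so it too reports as stripped
        "stripped": SHT_SYMTAB not in stypes,
        # UPX leaves its magic and banner in the packed file, which is what `strings -a` surfaced
        "upx": b"UPX!" in data or b"This file is packed with the UPX" in data,
    }


def describe(info: dict) -> str:
    """One-line summary in the style of the Unix `file` command."""
    parts = ["ELF %d-bit %s %s" % (info["class"], info["endian"], info["type"]),
             info["machine"], info["linking"]]
    if info["stripped"]:
        parts.append("stripped")
    if info["upx"]:
        parts.append("UPX packed")
    return ", ".join(parts)


def build_elf64(dynamic: bool, stripped: bool, upx: bool = False) -> bytes:
    """Constructed x86-64 ELF image with just enough headers to be inspected (test input only)."""
    ph = [struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)] if dynamic else []
    sh = [b"\0" * 64]                                    # mandatory SHT_NULL entry
    if not stripped:
        sh.append(struct.pack("<IIQQQQIIQQ", 1, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 8, 24))
    phoff = 64
    shoff = phoff + 56 * len(ph)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, version 1
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, phoff, shoff, 0,
                       64, 56, len(ph), 64, len(sh), 0)
    body = hdr + b"".join(ph) + b"".join(sh)
    if upx:
        body += b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"
    return body


if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf64(False, True)
    print(describe(inspect_elf(target)))
```

Run it with the path of a suspect binary as the only argument; with no argument it describes one of its own constructed images. A file whose section count is zero while the UPX banner is present is the packed case on the previous slides.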

Page 11: Investigating Hackers' Tools

STATIC ANALYSIS OF A HACKER TOOL

Static analysis is tool analysis performed without actually executing the rogue code. It involves the following steps:

1. Determine the type of file
2. Review the ASCII and Unicode strings
3. Perform online research
4. Perform source code review

Page 12: Investigating Hackers' Tools

Determining the Type of File

Common file types include:

• Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL)
• Linux a.out/elf/script
• Solaris a.out/elf/script
• DOS 32-bit COFF
• DOS 16-bit .com file
• DOS 16-bit executable
• Atari ST/TT

Page 13: Investigating Hackers' Tools

Using the Unix File Command

• The standard command for determining a file type on Unix systems is file. It identifies the type from the magic bytes at the start of the file, not from the file name or extension, so a renamed binary is still recognized.

[root@conan zap]# file *

Page 14: Investigating Hackers' Tools

Using the Windows Exetype Command

• The Windows equivalent of the file command is the NT Resource Kit tool exetype.
• It recognizes fewer file types than the file command, so an unrecognized file on Windows should be checked again with file on a Unix workstation.

Page 15: Investigating Hackers' Tools

Reviewing the ASCII and Unicode Strings

• Basic static analysis of object code involves examining the ASCII-formatted strings of the binary file.
• The strings command has the following syntax:

strings -a filename

• This command line will display all ASCII strings contained in the object code that are four characters or longer. The -a option scans the whole file rather than only the initialized data sections; -n changes the minimum length; and -e l selects 16-bit little-endian ("Unicode") strings, which is how Windows binaries store most of their text.

Page 16: Investigating Hackers' Tools

Hex editors

When all else fails, the hex editor is our friend. However, when performing static tool analysis, the hex editor is only slightly better than the strings command. Its advantage is that it lets you see Unicode and ASCII strings within a file at the same time, together with the surrounding bytes, so a string's context (a table of addresses, a packed header) is visible.
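Both views the hex editor gives at once, ASCII runs and UTF-16LE ("Unicode") runs, can be extracted and sorted in one pass. The following is an added example written for this seminar, not the book's code: it reimplements the strings rule (printable runs of at least four characters), adds the UTF-16LE case, and then triages what comes out into URLs, IP addresses, paths, Registry keys and packer banners. sample_binary() is a constructed byte buffer standing in for a suspect file; the indicator regular expressions are this example's own choices.

```python
"""ASCII and UTF-16LE string extraction with a first-pass triage of the result.
Added example for this seminar, not the book's code; sample_binary() is a
constructed buffer standing in for a suspect file."""
import re

PRINTABLE = rb"[\x20-\x7e]"


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, as strings(1) prints by default."""
    pat = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def unicode_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs: each printable byte followed by 0x00, as Windows binaries store text."""
    pat = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


# What an analyst scans the strings output for; the patterns are this example's own choices.
INDICATORS = [
    ("url",      re.compile(r"https?://[^\s\"']+")),
    ("ipv4",     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("path",     re.compile(r"(?:/[\w.-]+){2,}|[A-Za-z]:\\[^\s\"]+")),
    ("registry", re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\[^\s\"]+")),
    ("packer",   re.compile(r"\bUPX\b|packed with")),
]


def triage(data: bytes, min_len: int = 4) -> dict:
    """Group the interesting strings of `data` by indicator type, preserving file order."""
    found = {name: [] for name, _ in INDICATORS}
    for s in ascii_strings(data, min_len) + unicode_strings(data, min_len):
        for name, pat in INDICATORS:
            for m in pat.finditer(s):
                if m.group() not in found[name]:
                    found[name].append(m.group())
    return found


def sample_binary() -> bytes:
    """Constructed stand-in for a suspect file: non-printable filler, a UPX banner,
    Unix log paths, an address, and two UTF-16LE strings as a Windows tool would carry."""
    junk = bytes(range(0x80, 0x100))           # high bytes: never printable, never UTF-16 text
    return (junk
            + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"
            + junk
            + b"/var/log/wtmp\0/var/run/utmp\0"
            + junk
            + b"connect to 10.0.0.5\0"
            + junk
            + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
            + junk
            + "C:\\WINDOWS\\system32\\cmd.exe".encode("utf-16-le")
            + junk)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_binary()
    for kind, hits in triage(blob).items():
        print("%-9s %s" % (kind, ", ".join(hits) or "-"))
```

On a real binary the ASCII list will also contain instruction-byte noise such as the "UWVSQR" seen two slides earlier; the triage step is what separates signal from that noise.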

Page 17: Investigating Hackers' Tools

Performing Online Research

• Perform online research to determine if the tool is publicly available on computer security or hacker sites. Compare any online tools identified with the tool you are analyzing; a cryptographic hash of the binary, or a comparison of the two files' strings output, is the quickest way to confirm a match.
• If the tool is not publicly available, then you will need to disassemble or decompile the file to analyse its functions.

Page 18: Investigating Hackers' Tools

Performing Source Code Review

• With the source code available to you for review, you will be capable of determining exactly what a rogue program does.
• Performing source code review requires a working knowledge of the programming language used to create the tool. Most popular exploits and tools are written in ANSI C and Microsoft Visual Basic scripting, so you should become familiar with these languages.

Page 19: Investigating Hackers' Tools

DYNAMIC ANALYSIS OF A HACKER TOOL

• In dynamic analysis, you execute rogue code and interpret its interaction with the host operating system.
• This can be dangerous on your forensic workstation.
• Our methodology includes the following tasks:
  • Monitor the time/date stamps to determine what files a tool affects.
  • Run the program to intercept its system calls.
  • Perform network monitoring to determine if any network traffic is generated.
  • Monitor how Windows-based executables interact with the Registry.

Page 20: Investigating Hackers' Tools

Creating the Sandbox Environment

• Get the operating system and architecture necessary to execute the object code properly.
• Install VMware on your test system.
• Turn on the Nonpersistent write option in the configuration settings, so every change the rogue code makes is discarded when the virtual machine is powered off. Copy out any files, logs or captures you need before powering off, or they are lost with the rest.
• Make sure that the test system is not connected to the Internet.
• Execute rogue code on a closed network only, so that any traffic it generates reaches nothing but your monitoring host.

Page 21: Investigating Hackers' Tools

Dynamic Analysis on a Unix System

• Most applications execute in a memory area defined as user space.
• They are prohibited from accessing computer hardware and resources directly.
• User applications access these resources by requesting the kernel to perform the operations on their behalf.
• The user application makes these requests to the kernel via system calls.

Page 22: Investigating Hackers' Tools

Using Strace

• Unix has a tool that traces the use of system calls by an executed process.
• The strace command displays information about file access, network access, memory access, and many other system calls that a file makes when it is executed.

[root@conan zap]# strace -o strace.out ./zapdynamic

• This command line will store the interaction between the zap program and the operating system in a file called strace.out.
• A process can detect that it is being traced, so a tool that checks for a tracer may behave differently under strace than in a bare run.

Page 23: Investigating Hackers' Tools

Sample output

fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "Error.\n", 7) = 7
munmap(0x40014000, 4096) = 0
_exit(7) = ?

Page 24: Investigating Hackers' Tools

Examining Strace Output

Look out for the following system calls:

• The execve call, which starts the program and shows the exact command line and arguments it was run with.
• The brk system calls are used to allocate memory for the process.
• The mmap calls map a portion of a file into memory, or, with MAP_ANONYMOUS as in the sample above, obtain fresh zeroed memory.
• The fstat call obtains information about the file that is referenced by the file descriptor.
• The close system calls are used to release a file descriptor when the process no longer needs the file or socket referenced.

Page 25: Investigating Hackers' Tools

Using Shortcuts with Strace

• Search the strace output file for open, read, write, unlink, lstat, socket, and close system calls.
• A shortcut is to use the option -e trace=file, which traces only the calls that take a file name as an argument.
• To display all interactions with a network device, use the option -e trace=network.
• More combinations are available in the man page for strace.
• Save a copy of all the data transferred on chosen descriptors with -e write=set (for example -e write=3,5), which adds a full hex and ASCII dump of everything written to those descriptors; -e read=set does the same for data read.

Israel Umana - Investigating Hackers' tools
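The shortcuts above still leave the analyst to match each read and write back to the open that produced its descriptor. The following is an added example written for this seminar, not the book's code: a parser for strace -o output that rebuilds the descriptor table as it goes, so every read, write and fstat is attributed to the path or network endpoint behind the fd, and that buckets calls the way -e trace=file, -e trace=network and a process-call filter would. SAMPLE_STRACE is a constructed trace modelled on the excerpt two slides earlier; the open, unlink, socket and connect lines are invented for illustration and do not describe the real zap tool.

```python
"""strace -o output parser that attributes fd-based calls to the object behind
the descriptor. Added example for this seminar, not the book's code.
SAMPLE_STRACE is constructed; its open/unlink/socket lines are invented."""
import re

CALL_RE = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)'
                     r'(?:\s+(?P<err>E[A-Z]+)\s+\([^)]*\))?\s*$')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')            # quoted string arguments
ENDPOINT_RE = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)')

FILE_CALLS = {"open", "openat", "creat", "stat", "lstat", "access", "unlink", "rename",
              "chmod", "chown", "utime", "utimes", "readlink", "truncate", "execve"}
PROCESS_CALLS = {"execve", "fork", "vfork", "clone", "wait4", "kill", "_exit", "exit_group"}

SAMPLE_STRACE = r'''execve("./zapdynamic", ["./zapdynamic", "root"], [/* 20 vars */]) = 0
brk(0)                                  = 0x8049000
open("/var/log/wtmp", O_RDWR)           = 3
fstat(3, {st_mode=S_IFREG|0664, st_size=5760, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
read(3, "\7\0\0\0\0\0\0\0tty1\0\0\0\0\0\0"..., 384) = 384
write(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
close(3)                                = 0
unlink("/var/log/lastlog")              = -1 EACCES (Permission denied)
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("10.0.0.5")}, 16) = 0
write(4, "GET / HTTP/1.0\r\n\r\n", 18)  = 18
close(4)                                = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "Error.\n", 7)                 = 7
munmap(0x40014000, 4096)                = 0
_exit(7)                                = ?
'''


def parse_strace(text: str) -> list:
    """One dict per complete call line; unfinished/resumed fragments and signal lines are skipped."""
    events = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            events.append({"name": m["name"], "args": m["args"], "ret": m["ret"],
                           "err": m["err"], "strings": STR_RE.findall(m["args"])})
    return events


def summarize(events: list) -> dict:
    """Bucket calls by file, network endpoint and process activity, following descriptors."""
    fds = {"0": "stdin", "1": "stdout", "2": "stderr"}   # descriptor table, rebuilt as we go
    files, network, process, failed = {}, {}, [], []
    for ev in events:
        name, ret, strings = ev["name"], ev["ret"], ev["strings"]
        fd = ev["args"].split(",")[0].strip()            # first argument is the fd for fd-based calls
        if name in ("open", "openat", "creat") and ret.isdigit():
            fds[ret] = strings[0]                         # returned descriptor now names this path
            files.setdefault(strings[0], []).append(name)
        elif name == "socket" and ret.isdigit():
            fds[ret] = "socket"
        elif name == "connect":
            m = ENDPOINT_RE.search(ev["args"])
            if m:
                endpoint = "%s:%s" % (m.group(2), m.group(1))
                fds[fd] = "socket:" + endpoint            # later writes on this fd are traffic
                network.setdefault(endpoint, []).append("connect")
        elif name in ("read", "write", "fstat") and fd in fds:
            target = fds[fd]
            if target.startswith("socket:"):
                network.setdefault(target[7:], []).append(name)
            else:
                files.setdefault(target, []).append(name)
        elif name == "close":
            fds.pop(fd, None)
        elif name in FILE_CALLS and strings:              # path-based calls, including failed opens
            files.setdefault(strings[0], []).append(name)
        if name in PROCESS_CALLS:
            process.append(name)
        if ev["err"]:
            failed.append((name, strings[0] if strings else ev["args"], ev["err"]))
    return {"files": files, "network": network, "process": process, "failed": failed}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STRACE
    for section, body in summarize(parse_strace(text)).items():
        print(section, body)
```

Given strace.out from the previous slide as its argument, the script answers the three questions the methodology asks (which files, which network endpoints, which child processes) without grepping for each call by hand; the "failed" list shows what the tool tried to do but could not, which is often the most telling part.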

Page 26: Investigating Hackers' Tools

Conducting Analysis Beyond Strace

• The strace utility cannot do everything.
• With strace, you cannot determine what the process is doing once it reads, writes, or receives values from the system calls.
• You then need to resort to techniques such as debugging and decompiling.
• The debugger will allow you to step through every action a program takes during its execution.

Page 27: Investigating Hackers' Tools

Recompile the GNU Binutils Package

• The binutils package is installed on most versions of Linux.
• As shipped, it is built to recognize a small number of object file types.
• Tools in the precompiled binutils package (objdump, nm, readelf and friends) may build, view, disassemble, and otherwise alter only a handful of Linux native executable formats.
• Recompiling the package with ./configure --enable-targets=all adds support for the other formats listed under "Determining the Type of File", so a foreign binary can be disassembled on the forensic workstation.

Page 28: Investigating Hackers' Tools

Dynamic Analysis on a Windows System

• You execute the rogue code and use utilities to watch how the rogue process interacts with the file system, the Registry, the Windows APIs, and the operating system.
• For dynamic tool analysis of Windows applications, we use Filemon, Regmon, ListDLLs, Fport, and PsList.
• Filemon, Regmon, ListDLLs, and PsList can be obtained at: http://www.sysinternals.com (Sysinternals is now part of Microsoft, and Filemon and Regmon have since been merged into Process Monitor). Fport was published by Foundstone.

Page 29: Investigating Hackers' Tools

Using Filemon

• The Filemon utility (from the Sysinternals web site) provides a wiretap between running processes and the file system.
• It intercepts all access and queries a process makes to the file system.
• You can determine all of the files the program reads, writes to, and accesses to perform its unknown activity.

Page 30: Investigating Hackers' Tools

(screenshot only)

Page 31: Investigating Hackers' Tools

Using Regmon

• Regmon taps a process’s interaction with the Windows Registry.
• Some programs query, enumerate, and close more than 950 Registry keys upon execution.
• Regmon allows you to enter filters to focus your analysis on relevant entries.
• It provides immediate access to the Registry Editor (regedit).
• It provides a simple interface to monitor which programs write startup entries in the Registry and which programs query the network hardware in order to generate or receive network traffic.

Page 32: Investigating Hackers' Tools

(screenshot only)

Page 33: Investigating Hackers' Tools

Using ListDLLs

• ListDLLs is a Sysinternals utility.
• It shows all of the DLLs needed by a process.
• It enumerates the full pathnames of the DLLs loaded by the process.
• ListDLLs is helpful for detecting applications that have been modified (injected) with extra functionality: a DLL loaded from an unexpected directory is the usual sign.
• Viewing which DLLs the program is using may allow you to detect if the application is interacting with the network services at an API level or if it is attempting to bypass them.
• It works only on programs that are currently running.

Page 34: Investigating Hackers' Tools

Using Fport and PsList

• Fport and PsList are critical tools for dynamic analysis on a Windows system.
• Fport should be used prior to and after executing a rogue process to determine if the rogue process opened any network sockets.
• PsList is useful to determine if a process changes its process name after execution.

Israel Umana - Investigating Hackers' tools
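The before-and-after comparison the slide describes for Fport and PsList is easy to get wrong by eye on a busy host. The following is an added example written for this seminar, not the book's or Foundstone's code: it parses the two tools' text output, reports the ports and process IDs that appeared between the two runs, and applies to the Fport listing the same check an analyst applies to ListDLLs output, namely a system process name whose image path is outside the system directory. The four snapshots are constructed in the tools' output format; pid 1188, port 31337 and the image z.exe under C:\\Temp are an invented rogue used only to exercise the code.

```python
"""Before/after diff of Fport and PsList snapshots, plus a name/path masquerade
check. Added example for this seminar, not the book's code; the snapshots are
constructed and the 1188/31337/z.exe entry is an invented rogue."""
import re

FPORT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
                      r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$")
PSLIST_RE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+")
SYSTEM_NAMES = {"system", "smss", "csrss", "winlogon", "services", "lsass", "svchost"}
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")

BEFORE_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
420   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
236   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
"""
AFTER_FPORT = BEFORE_FPORT + r"""1188  svchost        ->  31337 TCP   C:\Temp\z.exe
"""
BEFORE_PSLIST = """Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0    0:33:49.718     0:00:00.000
System                8   8  41  235    212    0:00:09.743     0:00:00.000
lsass               236   9  14  300   1280    0:00:01.101     0:35:22.418
svchost             420   8  10  267   2660    0:00:00.230     0:35:21.812
"""
AFTER_PSLIST = BEFORE_PSLIST + """svchost            1188   8   2   31    588    0:00:00.010     0:00:04.206
"""


def parse_fport(text: str) -> list:
    """Data rows of an Fport listing; banner and header lines do not match the pattern."""
    return [m.groupdict() for m in map(FPORT_RE.match, text.splitlines()) if m]


def parse_pslist(text: str) -> dict:
    """pid -> process name from a PsList listing."""
    return {int(m["pid"]): m["name"] for m in map(PSLIST_RE.match, text.splitlines()) if m}


def new_sockets(before: str, after: str) -> list:
    """Ports present in the second Fport run but not the first: what the rogue process opened."""
    seen = {(e["port"], e["proto"]) for e in parse_fport(before)}
    return [e for e in parse_fport(after) if (e["port"], e["proto"]) not in seen]


def new_processes(before: str, after: str) -> dict:
    """Pids that appeared between the two PsList runs, with the name each is showing now."""
    old = parse_pslist(before)
    return {pid: name for pid, name in parse_pslist(after).items() if pid not in old}


def masquerading(fport_text: str) -> list:
    """Entries carrying a Windows system process name but running from outside the system directory."""
    return [e for e in parse_fport(fport_text)
            if e["proc"].lower() in SYSTEM_NAMES and e["path"]
            and not e["path"].lower().startswith(SYSTEM_DIRS)]


if __name__ == "__main__":
    for e in new_sockets(BEFORE_FPORT, AFTER_FPORT):
        print("new socket: pid %s %s %s/%s %s" % (e["pid"], e["proc"], e["port"], e["proto"], e["path"]))
    for pid, name in new_processes(BEFORE_PSLIST, AFTER_PSLIST).items():
        print("new process: pid %d shows as %s" % (pid, name))
    for e in masquerading(AFTER_FPORT):
        print("masquerade: %s at %s" % (e["proc"], e["path"]))
```

In use, redirect each tool's output to a file before and after running the rogue code (fport > before.txt, pslist > before.txt) and pass those files to the functions; the snapshots embedded above are only there so the example runs offline.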

Page 35: Investigating Hackers' Tools

(screenshot only)

Page 36: Investigating Hackers' Tools

(screenshot only)

Page 37: Investigating Hackers' Tools

Conducting Further Analysis on Windows

• The tools described in this chapter provide the first level of analysis.
• More comprehensive techniques are available: decompiling and debugging are the next steps.
• IDA Pro (an interactive disassembler) and SoftICE (a kernel-mode, source-level debugger).
• At the time of the source book they could be obtained at:
  • IDA Pro: http://www.datarescue.com (IDA Pro is now distributed by Hex-Rays)
  • SoftICE: http://www.compuware.com/products/devpartner/softice (SoftICE was discontinued in 2006; WinDbg fills the same role today)