Covering Tracks and Hiding 1 Covering Tracks and Hiding

Date post:21-Dec-2015
  • Covering Tracks and Hiding 1 Covering Tracks and Hiding
  • Covering Tracks and Hiding 2 In This Chapter
      • Hiding evidence
          o Altering log files
          o Hidden files
      • Practical covert channels
  • Covering Tracks and Hiding 3 Intro
      • Attacks happen
          o See zone-h.com
      • Some attackers want attention
      • Recently, more stealthy attacks
          o Silent attacks (botnets)
          o Attacker must hide tracks
  • Covering Tracks and Hiding 4 Altering Event Logs
      • Even rootkits leave traces in log files
      • With admin privilege
          o Attacker could delete log files
          o Probably a bad idea
      • A better idea: selectively edit logs
      • How?
  • Covering Tracks and Hiding 5 Logs in Windows
      • EventLog is logging service
          o Files ending with .LOG
          o E.g., SECURITY, SYSTEM, APPLICATION
      • This info moved to main event logs
          o SECEVENT.EVT, SYSEVENT.EVT,
          o The .EVT files read by admin using Windows Event Viewer
  • Covering Tracks and Hiding 6 Windows Event Viewer
  • Covering Tracks and Hiding 7 Windows Logs
      • SECEVENT.EVT
          o Failed logins, policy changes, attempts to access files without permission, etc.
      • SYSEVENT.EVT
          o E.g., details of driver failure
      • APPEVENT.EVT
          o Application-related issues
  • Covering Tracks and Hiding 8 Windows Logs
      • Altering event logs
          o At minimum, must change SECEVENTs
      • EVT files locked and binary format
          o Cannot open/edit with usual tools
      • With physical access
          o Boot to Linux and edit logs
          o Not practical in most cases
  • Covering Tracks and Hiding 9 Windows Logs
      • Event editing tools
          o None for XP (as of writing)
          o Do exist for NT/2000
      • WinZapper
          o Attacker can selectively edit EVT files
          o But, must reboot machine to restart EventLog service
  • Covering Tracks and Hiding 10 WinZapper
  • Covering Tracks and Hiding 11 UNIX Logging
      • Log files usually in ASCII text
      • With privilege, easy to edit
      • Config file tells where log files located
      • Attacker can locate files, and edit
      • Also accounting files
          o utmp, wtmp, lastlog
          o Binary files, so harder to edit
  • Covering Tracks and Hiding 12 UNIX Logging
      • Tools to edit accounting files
          o Many at www.packetstormsecurity.org
          o Simple Nomad effect on many versions
          o Other similar tools: wtemped, marry, cloak, logwedit, wzap, zapper
      • Accounting file editing tool is standard part of most rootkits
  • Covering Tracks and Hiding 13 Shell History Files
      • List of command line commands issued
      • Attacker would like to edit this
      • Files are in ASCII, easy to edit
          o Can insert lines too
          o Why might this be useful?
      • Edit to shell file written to shell history
          o When shell is exited gracefully
          o How to get around this?
  • Covering Tracks and Hiding 14 Defenses
      • Activate logging
          o Log according to some specified policy
      • Periodically audit logging
      • Allow plenty of space for logs
      • Restrictive permissions on log files
      • Use separate server for logging
          o Logs redirected to logging server
          o Not everything can be redirected
  • Covering Tracks and Hiding 15 Defenses
      • Encrypt log files
      • Make log files append-only
          o Little more than a speed bump
      • Store logs on unalterable media
          o E.g., non-rewritable CD/DVD
  • Covering Tracks and Hiding 16 Hidden Files
      • Why would attacker use hidden files?
          o Store attack tools
          o Save sniffed passwords, etc.
      • What does hidden mean?
          o Maybe just hard to find
          o Or easily overlooked
  • Covering Tracks and Hiding 17 Hidden Files
      • In UNIX, prepend "." to filename
      • Use "." followed by space(s)
          o What the ?
      • Other ideas?
  • Covering Tracks and Hiding 18 Hidden Files in Windows
      • Use hidden attribute
          o Very lame
  • Covering Tracks and Hiding 19 Hidden Files in Windows
  • Covering Tracks and Hiding 20 Hidden Files in Windows
      • Alternate Data Streams (ADS)
          o Available in NTFS
          o Multiple streams of data can be associated with a single file
          o These streams can store any info
          o Usual view is just one such stream
          o Fairly effective means of hiding files
  • Covering Tracks and Hiding 21 Defenses
      • File integrity checking
      • Host-based IDS
      • In Windows, use ADS-aware tools
          o CrucialADS, LADS, for example
  • Covering Tracks and Hiding 22 Covert Channels
      • Suppose attacker has
          o Gotten access
          o Installed evil code/tools
          o Covered their tracks, etc.
      • Attacker still needs to communicate
          o How to do this without detection?
      • Covert channel
          o Communication path not intended as such by systems designers
  • Covering Tracks and Hiding 23 Covert Channels
  • Covering Tracks and Hiding 24 Covert Channels
      • In networked systems
          o Covert channels are everywhere!
      • When does a covert channel exist?
          1. Sender and receiver have a shared resource
          2. Sender able to vary property of resource that receiver can observe
          3. Communication between sender and receiver can be synchronized
  • Covering Tracks and Hiding 25 Covert Channels
      • Examples of covert channels?
      • How to eliminate covert channels?
          o Easy: eliminate all communication and shared resources
          o DoD gave up on eliminating covert channels
          o Instead, try to reduce the capacity
          o Does this solve the problem?
          o Does it help?
  • Covering Tracks and Hiding 26 Tunneling
      • Q: What is tunneling?
      • A: One protocol carries another
          o E.g., SSH used to carry Telnet
          o E.g., TCP/CP (RFC 1149 and RFC 2549)
      • Tunneling used for covert channel
          o We look at Loki, Reverse WWW Shell
  • Covering Tracks and Hiding 27 Loki
      • Suppose
          o Attacker 0wns server
          o Server network allows incoming ICMP (ping/traceroute)
      • Loki pronounced "low key"
          o Provides shell access over ICMP
          o Better than TCP/UDP backdoors
  • Covering Tracks and Hiding 28 Loki
      • Trudy installs Loki server on server
          o Lokid ("low key dee")
          o Must run as root
          o Grabs incoming ICMP packets from kernel
      • Trudy installs Loki client on her machine
          o Data sent to Lokid using ICMP
          o Under radar of most backdoor detection (Why?)
          o ICMP has no concept of a port
  • Covering Tracks and Hiding 29 Loki
  • Covering Tracks and Hiding 30 Loki
      • Optionally, uses UDP port 53
          o Switch between ICMP/UDP on the fly
      • Supports encryption
          o Using Blowfish encryption
          o Diffie-Hellman key exchange
      • Other similar tools
          o CCTT and MSNShell
  • Covering Tracks and Hiding 31 Reverse WWW Shell
      • Covert channel using HTTP
      • Reverse WWW Shell installed on machine on network
          o Every 60 seconds, it phones home
          o I.e., contacts external master server
          o The "reverse" part: it pulls in commands
          o Looks like normal Web traffic
  • Covering Tracks and Hiding 32 Reverse WWW Shell
  • Covering Tracks and Hiding 33 Reverse WWW Shell
      • Sometimes username/pwd required to access Web
          o If known, Reverse WWW Shell can automate
      • Note that other protocols could be used
      • Reverse WWW Shell idea used by some legitimate software
          o E.g., remote GUI access to machine
          o See GoToMyPC.com
  • Covering Tracks and Hiding 34 Covert Channels and Malware
      • Consider spyware to steal passwords
      • How to exfiltrate passwords?
          o Piggyback on legitimate outbound traffic
          o In Windows, IE is a natural choice
          o HTTP/HTTPS
      • Malware often designed as a Browser Helper Object (BHO) for IE
  • Covering Tracks and Hiding 35 Headers as Covert Channels
      • Lots of room for covert channels
          o E.g., unused bits
          o But possible to be more clever
      • Tools
          o Covert_TCP
          o Nushu
  • Covering Tracks and Hiding 36 IP & TCP Headers
  • Covering Tracks and Hiding 37 Covert_TCP
      • Covert_TCP can make use of
          o IP identification
          o TCP sequence number
          o TCP ACK number
      • Lots of other possible covert channels
          o Only 3 above used by Covert_TCP
      • NAT or proxy will cause problems
          o But IP ID may still work thru NAT
  • Covering Tracks and Hiding 38 Covert_TCP
      • IP identification
          o Insert one ASCII character
          o Read it at other end
      • TCP sequence number
          o Send SYN with ASCII character as initial sequence number
          o Reply with RESET
          o Ironically, RESET acts as ACK
  • Covering Tracks and Hiding 39 Covert_TCP
      • TCP ACK number
          o Most sophisticated option
          o Involves server (sender), client (receiver), and unwitting bounce server
          o Data bounces off bounce server
  • Covering Tracks and Hiding 40 Covert_TCP
      • TCP ACK number
      • Client sends SYN packet to bounce server
          o Source address spoofed to client's address
          o ISN is one less than desired ASCII character
      • Bounce server responds to client
          o Either SYN ACK or RESET
          o Either way, ISN incremented by 1
      • Server recovers ASCII character (ISN)
  • Covering Tracks and Hiding 41 Covert_TCP
  • Covering T
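
Added example (not part of the original slides): the Reverse WWW Shell slides describe a fixed 60-second phone-home that otherwise looks like normal Web traffic, so the timing is what a defender can test for. This sketch scores each client/destination pair in a proxy log by how regular its request gaps are; the log format, addresses, host names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy-log lines (hypothetical format): timestamp client method URL
SAMPLE_LOG = """\
2015-12-21T09:00:03 10.0.0.7 GET http://master.example/index.html
2015-12-21T09:00:10 10.0.0.9 GET http://news.example/
2015-12-21T09:00:12 10.0.0.9 GET http://news.example/style.css
2015-12-21T09:00:15 10.0.0.9 GET http://news.example/logo.png
2015-12-21T09:01:03 10.0.0.7 GET http://master.example/index.html
2015-12-21T09:02:04 10.0.0.7 GET http://master.example/index.html
2015-12-21T09:03:03 10.0.0.7 GET http://master.example/index.html
2015-12-21T09:04:03 10.0.0.7 GET http://master.example/index.html
2015-12-21T09:05:04 10.0.0.7 GET http://master.example/index.html
2015-12-21T09:07:40 10.0.0.9 GET http://news.example/story1
2015-12-21T09:07:41 10.0.0.9 GET http://news.example/story1.jpg
2015-12-21T09:21:05 10.0.0.9 GET http://news.example/story2
"""

def group_requests(log_text):
    """Map (client, destination host) -> list of request datetimes."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        stamp, client, _method, url = parts
        flows[(client, urlsplit(url).hostname)].append(datetime.fromisoformat(stamp))
    return flows

def find_beacons(log_text, min_requests=5, max_jitter=0.1):
    """Return (client, host, mean_gap_seconds, jitter) for timer-like flows.

    jitter = stdev(gaps) / mean(gaps). People browse in bursts (high jitter);
    a fixed polling interval gives a value near zero.
    """
    hits = []
    for (client, host), times in group_requests(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg), round(pstdev(gaps) / avg, 3)))
    return sorted(hits)
```

Calling `find_beacons(SAMPLE_LOG)` reports only the 10.0.0.7 flow. Legitimate software that polls on a timer scores the same way, so a hit is a lead to triage, not a verdict.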
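
Added example (not part of the original slides): the UNIX hidden-file slide names two tricks, a leading "." and a "." followed by spaces, and the defenses slide calls for file integrity checking. This sketch walks a directory tree and reports both kinds of name, quoting each path so trailing spaces show up; the allowlist and the sample tree are constructed assumptions.

```python
import os
import tempfile

def classify(name):
    """Return why a name is easy to overlook in a listing, or None."""
    if name.startswith(".") and len(name) > 1 and name[1:].strip() == "":
        return "dot followed only by whitespace"   # displays looking like "."
    if name.startswith("."):
        return "dot-prefixed"                      # omitted by a plain ls
    return None

def scan(root, expected=(".bashrc", ".profile", ".ssh")):
    """Walk root and return sorted (reason, repr(relative path)) findings.

    repr() quotes each path so trailing spaces are visible in the report.
    `expected` is an assumed allowlist of dot names that are normal on this host.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = classify(name)
            if reason and name not in expected:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((reason, repr(rel)))
    return sorted(findings)

def build_constructed_tree():
    """Create a throwaway directory tree holding the constructed sample names."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "home", ". ", "stuff"))
    for rel in ("home/.bashrc", "home/notes.txt", "home/.  ", "home/.cache_x"):
        open(os.path.join(root, rel), "w").close()
    return root

if __name__ == "__main__":
    for reason, path in scan(build_constructed_tree()):
        print(reason + ": " + path)
```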