Covering Your Tracks: Ncrypt and Ncovert
Simple Nomad, Hacker – NMRC, Sr. Security Analyst - BindView

Transcript

Page 1: Covering Your Tracks: Ncrypt and Ncovert

Simple Nomad

Hacker – NMRC

Sr. Security Analyst - BindView

Page 2: Stealth and Covert Communications

•What is it

•Why use it

•Examples in existence
–File encryptors/decryptors (GPG, etc)
–File system encryption (CFS, NTFS encryption, etc)
–Steganography (Outguess, etc)
–Covert network (Loki2, etc)


Page 3: Goals for Project

•Defeat network and workstation forensics

•Simple and clean install/compile (no extra libraries)

•Leverage existing technology


Page 4: Ncovert – Overview

•Freeware

•No extra libraries required, uses standard C

•Uses Initial Sequence Number (ISN) as the data field

•Anonymous sending

•Can bypass most firewalls


Page 5: Ncovert – How it works

•Sender sends SYN packet with data in ISN to public server, forges source IP as receiver’s IP

•Public server receives SYN, sends SYN/ACK to receiver’s machine

•Receiver’s machine sniffs the packet and extracts the data; its OS, which has no matching connection, sends a RST to the public server

•Repeated until all data is sent


Page 6: Ncovert – Pros and Cons

•Pro
–Anonymous sending
–If sniffing in path to forged source IP, anonymous receiving
–Careful planning can bypass most firewall rules

•Con
–Slow, as reliable as UDP
–Plaintext transmission, must encrypt data first (use Ncrypt)
–Needs multiple “triggers”
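Added example (not part of the original slides and not Ncovert's code): the bounce described on pages 5 and 6 as it looks from the receiving network, which is what a defender gets to see. The receiver only ever observes SYN/ACKs it never solicited, each answered by a kernel RST, and the ack number of every such SYN/ACK is the forged ISN plus one, so the ISN data field can be read straight out of the backscatter. The packet summaries, the monitored host 10.0.0.5 and the bounce server 198.51.100.7 are constructed.

```python
from collections import defaultdict

# Constructed packet summaries, not a real capture:
# (src, sport, dst, dport, flags, seq, ack)
MONITORED_HOST = "10.0.0.5"   # assumed: the receiver-side host being watched
SAMPLE_PACKETS = [
    # a normal connection: outbound SYN, then the SYN/ACK it solicited
    ("10.0.0.5", 40000, "203.0.113.9", 443, "S", 1111, 0),
    ("203.0.113.9", 443, "10.0.0.5", 40000, "SA", 5555, 1112),
    # three SYN/ACKs the host never asked for, each answered by a kernel RST;
    # their ack field is (forged ISN + 1) and the ISN carries 4 payload bytes
    ("198.51.100.7", 80, "10.0.0.5", 50001, "SA", 900, 0x48656C6D),
    ("10.0.0.5", 50001, "198.51.100.7", 80, "R", 0x48656C6D, 0),
    ("198.51.100.7", 80, "10.0.0.5", 50002, "SA", 901, 0x6F2C2078),
    ("10.0.0.5", 50002, "198.51.100.7", 80, "R", 0x6F2C2078, 0),
    ("198.51.100.7", 80, "10.0.0.5", 50003, "SA", 902, 0x6F726C65),
    ("10.0.0.5", 50003, "198.51.100.7", 80, "R", 0x6F726C65, 0),
]

def find_bounced_synacks(packets, monitored):
    """Map each remote server to the ISNs carried by SYN/ACKs that reached
    `monitored` without a matching outbound SYN. The ISN is recovered as
    (ack - 1) mod 2^32, the same field the Ncovert receiver sniffs."""
    sent_syns = set()
    bounced = defaultdict(list)
    for src, sport, dst, dport, flags, seq, ack in packets:
        if src == monitored and flags == "S":
            sent_syns.add((src, sport, dst, dport))
        elif dst == monitored and flags == "SA":
            if (dst, dport, src, sport) not in sent_syns:
                bounced[src].append((ack - 1) & 0xFFFFFFFF)
    return dict(bounced)

def recover_payload(isns):
    """Reassemble the bytes carried in a run of 32-bit ISNs, in arrival order."""
    return b"".join(isn.to_bytes(4, "big") for isn in isns)

def triage(packets, monitored, threshold=3):
    """Flag servers that bounced at least `threshold` unsolicited SYN/ACKs and
    return the bytes they carried. Caveat: a host whose address is spoofed in
    someone else's SYN flood shows the same backscatter, so this is a lead for
    an analyst, not proof of a covert channel."""
    flagged = {}
    for server, isns in find_bounced_synacks(packets, monitored).items():
        if len(isns) >= threshold:
            flagged[server] = recover_payload(isns)
    return flagged
```

The same unsolicited-SYN/ACK-plus-RST pairing is what a stateful firewall or IDS keys on, which is why the slides warn that careful planning is needed to get past most rule sets.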


Page 7: Ncovert – Live Demo

Page 8: Ncrypt – Overview

• Freeware

• No extra libraries required, uses standard C

• Symmetric file encryption/decryption

• Choice of three encryption algorithms

• Optional wiping of files, with wiping also getting file slack

• Choice of two wiping techniques

• Additional secure coding


Page 9: Ncrypt – Crypto Used

•Encryption algorithms
–Rijndael (AES)
–Serpent
–Twofish

•SHA-1 hashing of passphrase

•Random data stream generation - ISAAC


Page 10: Ncrypt – Wipe Fu

•Peter Gutmann’s 1996 de facto standard from “Secure Deletion of Data from Magnetic and Solid-State Memory”

•4 passes of random data, 27 passes of specific bit patterns, 4 more passes of random data, 35 passes total

•Anti-forensics aimed for defeating TLAs

•Probably overkill by today’s standards for disk drives


Page 11: Ncrypt – Wipe Fu

•NSA-developed National Industrial Security Program Operating Manual (NISPOM) aka DoD 5220.22-M; subsection 8-306

•A pass of a character, a pass with that character’s bits flipped, and a verified pass with random data, 3 passes total

•There is no “wipe 7 times” U.S. Government standard to be found

•Not for TOP SECRET, which is significant in itself
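Added example (not Ncrypt's own code): the 3-pass scheme this slide describes, applied to an ordinary file in Python, with the read-back verification on the final pass. The pass list is a parameter, so the same routine runs any other overwrite sequence; the comments state what it cannot reach (file slack, journal and copy-on-write remnants, SSD wear-levelled blocks). The sample file contents are constructed.

```python
import os
import tempfile

def overwrite_file(path, passes):
    """Overwrite `path` in place, one full pass per entry of `passes`.
    An entry is a byte value (int) or None for random data. The last pass
    is read back and compared, as the verified-pass step requires.
    Caveat: this reaches the file's own blocks only; journaling or copy-on-write
    filesystems and SSD wear levelling may keep older copies elsewhere, and the
    slack at the end of the last cluster is not touched here."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i, pattern in enumerate(passes):
            data = os.urandom(size) if pattern is None else bytes([pattern]) * size
            f.seek(0)
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next one
            if i == len(passes) - 1:
                f.seek(0)
                if f.read(size) != data:
                    return False
    return True

def dod_522022m_passes(char=0x00):
    """The 3-pass sequence from NISPOM 8-306: a character, its complement, random."""
    return [char & 0xFF, (~char) & 0xFF, None]

def wipe_and_delete(path, passes=None):
    """Overwrite with the given passes (default: the 3-pass scheme), then unlink."""
    if overwrite_file(path, passes or dod_522022m_passes()):
        os.remove(path)
        return True
    return False

def wipe_demo():
    """Constructed sample: a temp file of fake secrets, wiped and deleted.
    Returns (wipe_succeeded, file_still_exists)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed secret material\n" * 64)
    os.close(fd)
    ok = wipe_and_delete(path)
    return ok, os.path.exists(path)
```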


Page 12: Ncrypt – Secure Coding

•Plaintext passphrase wiped from memory after converted to a SHA-1 hash

•SHA-1 hash wiped from memory after crypto key is made

•If root, memory locked from paging


Page 13: Ncrypt – Target Users

•Non-root users e.g. shell account on an ISP

•Human rights worker

•Security professional

•Privacy advocate

•Black hat


Page 14: Ncrypt – Live Demo

Page 15: Resources

•Ncrypt - http://ncrypt.sourceforge.net/

•Ncovert - http://www.nmrc.org/~thegnome/ncovert-1.1.tgz

•National Industrial Security Program Operating Manual (DoD 5220.22-M), Dept. of Defense, 1995 – http://www.dss.mil/isec/nispom_195.htm

•“Secure Deletion of Data from Magnetic and Solid-State Memory”, Peter Gutmann, 1996 – http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html


Page 16: Questions

•Updated presentation – http://www.nmrc.org/~thegnome/bh2003.ppt

[email protected]

[email protected]
