SANS Threat Update - Rodrigo Rubira Branco (BSDaemon)
Seminar Series
Breaking News – The Latest Computer
Attacks and Defenses
Ed Skoudis
June 6, 2003
Presentation Outline
Purpose & General Trends
Step 1: Reconnaissance
Step 2: Scanning
Step 3: Gaining Access
Step 4: Maintaining Access
Step 5: Covering the Tracks
Conclusions
©2003 Ed Skoudis
A Quote from One of History’s Greatest Hackers
If you know the enemy and know
yourself, you need not fear the result of a
hundred battles.
If you know yourself but not the enemy,
for every victory gained you will also
suffer a defeat.
If you know neither the enemy nor
yourself, you will succumb in every
battle.
—Sun Tzu, The Art of War
Purpose
We’re not here to teach you how to hack…
However, to defend yourself, you must understand
your adversaries’ strategies and tactics
We will discuss prominent recent advances in
computer attack techniques…
…To gain an understanding of how to defend against
new attacks
We are not endorsing these attack tools
But you have to be ready to defend against them
We will also discuss a variety of useful defensive
tools… but check to make sure you have permission to
use them! Talk to the system owners…
General Trends –
The Storm after the Quiet
For six months, we saw a major drop in
the release of new vulnerabilities and
attack tools after September 11, 2001
Shock over terrorism
Fear of law enforcement and PATRIOT Act
Concern about DMCA
Timeline: Sept 11, 2001 to March 2002: relatively quiet
March 2002 to now: the gloves are off! Major new attacks and tools
General Trends –
Software Distro Site Attacks
Trojaning software distribution sites
Hack into web/ftp site and alter software to include backdoor
Everyone who downloads and uses the tool is impacted!
May, 2002: irssi.org - irssi IRC client compromised
May 17-24, 2002: Monkey.org - Dsniff, Fragroute, and
Fragrouter hacking tools compromised
July 30 – August 1, 2002: Openssh.org, OpenSSH
security tool compromised
Sept 28 - Oct 6, 2002: ftp.sendmail.org, sendmail mail
server compromised
Nov 11-13, 2002: tcpdump.org, tcpdump sniffer and
libpcap
Some pretty big names have fallen to this attack!
What to do?
Check hashes… across multiple mirrors, and prefer a detached PGP signature checked with a key you obtained out of band: a hash file hosted next to the tarball can be rewritten by whoever rewrote the tarball
Don’t put new software directly into production… test first!
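The cross-mirror check above, as an added example (not code from the talk): it compares the digest of a downloaded file with the digests several independent sources publish for it, and calls out the case where the only source that agrees with the file is the site it came from. The tarball bytes, source names and digests are constructed for the demo.

```python
"""
Cross-check a downloaded release against the hashes several independent
sources publish for it before trusting the file.

Added example, not code from the original talk. The tarball bytes, the source
names and the digests used in the demo are constructed for illustration.
"""
import hashlib
from collections import Counter

# Constructed stand-in for the downloaded archive; in practice open(path, "rb").read().
SAMPLE_TARBALL = b"tcpdump-3.6.2.tar.gz: pretend this is the real archive\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_across_mirrors(data: bytes, published: dict, download_host: str) -> dict:
    """
    published maps a source name (a mirror host, the announcement mail, a signed
    release note, ...) to the hex digest that source advertises for the file.

    Returns a dict with:
      status    "ok"        every source agrees with the file we have
                "mismatch"  the sources agree with each other but not with our file
                "split"     the sources disagree among themselves (a hash file was edited)
      outliers  sources whose digest differs from the majority value
      weak      True when the only source vouching for our file is the host we
                downloaded it from: a compromised site can rewrite its own hash
                file alongside the tarball, so that is not independent evidence
    """
    actual = sha256_hex(data)
    counts = Counter(published.values())
    consensus, votes = counts.most_common(1)[0]
    outliers = sorted(src for src, digest in published.items() if digest != consensus)
    agreeing = sorted(src for src, digest in published.items() if digest == actual)

    if votes < len(published):
        status = "split"
    elif consensus != actual:
        status = "mismatch"
    else:
        status = "ok"
    return {
        "status": status,
        "actual": actual,
        "outliers": outliers,
        "weak": agreeing == [download_host],
    }


if __name__ == "__main__":
    good = sha256_hex(SAMPLE_TARBALL)
    # Constructed scenario: the download site's hash agrees with the file,
    # but two other sources still advertise a different digest.
    sources = {"www.example.org": good,
               "mirror1.example.net": "f" * 64,
               "announce-list": "f" * 64}
    print(verify_across_mirrors(SAMPLE_TARBALL, sources, "www.example.org"))
```

A "split" verdict where the download host is the lone agreeing source is exactly the trojaned-distribution-site pattern: the tarball and the hash beside it were replaced together. A hash next to the file only protects against transfer corruption; independence has to come from a second mirror, an announcement you received separately, or a signature whose key you did not fetch from the same server.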
Tcpdump Trojan (diagram reconstructed as a sequence of steps)
1. Admin downloads the Trojan Horse version of the tcpdump and/or libpcap package from the compromised distribution site
2. Admin unpacks the tcpdump install package and runs its configure script on the victim’s system
3. The configure script downloads a "services" script from the attacker’s web server and runs it
4. The services script generates, compiles, and executes a C program: the backdoor
5. The backdoor shovels a connection out from the victim’s system to the attacker on TCP port 1963
6. It polls that connection for a control character: A, D, or M
7. If it receives a D, it runs a shell and shovels the shell across the network; the attacker types commands on the far end and they execute on the victim’s machine
Tcpdump Trojan Horse Details
Interesting Notes:
A, D, and M for commands… where do
those characters come from?
Why TCP port 1963?
Similarity to sendmail Trojan and others
Shoveling shell, pushing out a connection
that is really incoming command shell
access
More easily gets through firewalls
The sniffer itself won’t show traffic destined
for the backdoor (OUCH!)
Reconnaissance
Many Script Kiddies skip this step
The best attackers do comprehensive reconnaissance
Adrian Lamo claims that Google is his favorite hacking tool
Useful public information is plentiful
Admin names, addresses, phone numbers, financial info,
business partners
Job requisitions
Technologies in use, IP addresses, DNS servers, network
topology, open ports, etc…
Portals for reconnaissance and attacks
www.allwhois.com - Registration data for over 66 countries
www.samspade.org - Ping, DNS, traceroute, etc.
www.attackportal.net - Misc. recon and attack tools
Reconnaissance Defenses
Look for information leakage from your
systems before the bad guys find it
Conduct reconnaissance against your own
environment
Use the same tools as the bad guys… but be
careful!
If you use their web sites or tools for searches, they
could monitor your actions
Probably best not to do this from your production
network
Do it from a separate ISP
Why Port Scanning?
TCP and UDP each have ports
Servers listen on ports
They act like doors - Data goes out one port and into another
port
Attacker wants to know which ports are open
Let’s focus on TCP port scanning
Most common protocol on top of IP… it’s used by HTTP,
telnet, FTP, and many other services
TCP uses the three-way handshake: A sends SYN to B, B answers SYN-ACK, A sends ACK, and the connection is established
“Normal” Port Scanning
Attackers send SYN packets, and watch for SYN-ACK responses to indicate a listening port
Attacker sends SYN to TCP port 1, SYN to TCP port 2, SYN to TCP port 3 of the TARGET; the target answers with a SYN-ACK from port 3: Eureka! Port 3 is listening! (A closed port answers with a RESET instead)
Downside for attacker: The scan can be traced back to the attacker’s machine using the source IP address
What if Attacker
Spoofs Source Address?
Attacker sends SYNs to TCP ports 1, 2 and 3 of the TARGET with a forged source address
The target’s SYN-ACK from port 3 goes to the address the attacker is spoofing, and that machine, which never sent a SYN, answers it with a RESET!!!
Not very useful, because SYN-ACK responses don’t come back to attacker
The attacker can’t figure out if the port is open or closed, so the port scan is a waste of time
IP Identification Field Predictability…
The IP Identification field in the IP Header is used for packet fragmentation: it groups all fragments of one datagram together for packet reassembly
If there are no fragments, the IP stack still assigns some value to this field
When some systems send packets, they just increment the IP ID field by one for each packet: each packet gets an IP ID value that is one bigger than the previous packet’s value

IP header layout (figure from the slide):
  Vers | Hlen | Svc Type | Total Length
  Identification | Flags | Frag Offset
  TTL | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  IP Options (if any) | Padding
  Data …
Predictable IP ID – Idle Scans in Nmap
The attacker uses a third host, the "machine that gets framed", as a measuring instrument:
1. Attacker sends a SYN to the machine that gets framed
2. It answers SYN-ACK, with IP ID = X
3. Attacker remembers IP ID = X

IP Identification Scanning (A.K.A. "Idle" Scanning)
4. Attacker sends a spoofed SYN to TCP port 3 of the TARGET, with the framed machine’s address as the source
5. If port 3 is listening, the target sends a SYN-ACK from port 3 to the framed machine (if it is closed, the target sends a RESET, which the framed machine silently drops)
6. The framed machine never sent a SYN, so it answers the SYN-ACK with a RESET, IP ID = X+1
7. Attacker sends another SYN to the framed machine
8. It answers SYN-ACK: ANALYZE STEP 8!
If IP ID of step 8 is X+2, the port is listening.
If IP ID of step 8 is X+1, the port is closed.
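The eight steps above, run as a small model: three hosts whose stacks stamp every packet with an IP ID one higher than the last, and the inference rule applied to the zombie's counter. This is an added example, not nmap's code; the addresses, open ports and the "chatty" background-traffic switch are constructed, and the switch shows the failure mode the slides leave implicit: a zombie that is not actually idle spoils the arithmetic.

```python
"""
Model of the IP ID ("idle") scan: three hosts, each with a stack that stamps
every outgoing packet with an IP ID one higher than the last.
Added example, not nmap's code; hosts, addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "SYN", "SYN-ACK" or "RST"
    ip_id: int


@dataclass
class Host:
    ip: str
    open_ports: set = field(default_factory=set)
    next_ip_id: int = 1000

    def stamp(self) -> int:
        """Consume one IP ID, the way a stack with a global incrementing counter does."""
        used = self.next_ip_id
        self.next_ip_id = (self.next_ip_id + 1) & 0xFFFF
        return used

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """How a TCP stack answers: SYN -> SYN-ACK (open) or RST (closed);
        an unsolicited SYN-ACK -> RST; a RST -> nothing at all."""
        if pkt.flags == "SYN":
            reply = "SYN-ACK" if pkt.dport in self.open_ports else "RST"
            return Packet(self.ip, pkt.src, 0, reply, self.stamp())
        if pkt.flags == "SYN-ACK":
            return Packet(self.ip, pkt.src, 0, "RST", self.stamp())
        return None


class Network:
    def __init__(self, hosts, chatty=()):
        self.hosts = {h.ip: h for h in hosts}
        self.chatty = chatty   # hosts that also send unrelated traffic of their own

    def deliver(self, pkt: Packet) -> Optional[Packet]:
        """Hand pkt to its destination (looked up by destination IP, so a forged
        source address works) and return whatever the destination sends back."""
        for ip in self.chatty:
            self.hosts[ip].stamp()      # background traffic burns IP IDs too
        return self.hosts[pkt.dst].receive(pkt)


def probe_ip_id(net: Network, attacker: str, zombie: str) -> int:
    """Steps 1-3 and 7-8: SYN to the zombie, read the IP ID of whatever it answers."""
    return net.deliver(Packet(attacker, zombie, 80, "SYN", 0)).ip_id


def idle_scan(net: Network, attacker: str, zombie: str, target: str, port: int) -> str:
    x = probe_ip_id(net, attacker, zombie)
    reply = net.deliver(Packet(zombie, target, port, "SYN", 0))   # step 4: source forged as the zombie
    if reply is not None:
        net.deliver(reply)      # steps 5-6: the zombie RSTs a SYN-ACK (+1 IP ID), ignores a RST
    y = probe_ip_id(net, attacker, zombie)
    delta = (y - x) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "unreliable"   # zombie sent other traffic, or doesn't use a global counter


def demo_network(chatty=()) -> Network:
    """Constructed lab: attacker, an idle zombie, and a target with ports 22 and 80 open."""
    return Network([Host("10.0.0.1"), Host("10.0.0.2", {80}), Host("10.0.0.3", {22, 80})], chatty)


if __name__ == "__main__":
    net = demo_network()
    for port in (22, 23):
        print(port, idle_scan(net, "10.0.0.1", "10.0.0.2", "10.0.0.3", port))
    busy = demo_network(chatty=("10.0.0.2",))
    print(23, "with busy zombie:", idle_scan(busy, "10.0.0.1", "10.0.0.2", "10.0.0.3", 23))
```

The "unreliable" branch is why a real scanner first measures whether the zombie's IP ID is quiet and sequential, and repeats each probe several times: any traffic the zombie sends to anyone else between steps 3 and 8 shifts the counter and makes a closed port look open.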
Scanning - Paketto Keiretsu
Suite of tools for doing TCP/IP tricks
By Dan Kaminsky
Released October 8, 2002
Available at http://www.doxpara.com/
One capability: Very rapid port
scanning
Separate the packet sender process
from receiver
Sender transmits packets as quickly as
network will carry them
Receiver sniffs responses
Sender and receiver out of synch, but that’s ok: the receiver needs no table from the sender, because scanrand stamps each SYN with a hash of its destination address and port in the TCP sequence number and only accepts replies whose acknowledgement number is that value plus one (a stray or forged SYN-ACK fails the check)
The idea could be extended…
Diagram: the attacker’s sender process (Sndr) streams SYNs at the target while a separate receiver process (Rcvr) sniffs the SYN-ACKs
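The sender/receiver split, as an added example in the style of scanrand (not Paketto Keiretsu's code): the sender derives each SYN's sequence number from a keyed hash of the destination and keeps no state; the receiver recomputes that value from a reply's source address and port and accepts the reply only if it acknowledges it plus one. Packets are plain dicts, nothing touches the wire, and the addresses are constructed.

```python
"""
Stateless SYN scanning in the style of scanrand: the sender remembers nothing
about the SYNs it sprays; it sets each SYN's sequence number to a keyed hash
of the destination, and the receiver (a sniffer) accepts a SYN-ACK or RST-ACK
as genuine only if its acknowledgement number is that hash plus one.
Added example, not Paketto Keiretsu's code; packets are dicts, nothing
touches the wire, and the addresses are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY = os.urandom(16)   # fresh per scan; without it a third party can't forge "replies"
MASK32 = 0xFFFFFFFF


def cookie(key: bytes, dst_ip: str, dst_port: int) -> int:
    """32-bit initial sequence number that encodes where the SYN went."""
    mac = hmac.new(key, f"{dst_ip}:{dst_port}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def make_syn(key: bytes, dst_ip: str, dst_port: int) -> dict:
    """Sender side: build a SYN and forget about it."""
    return {"dst": dst_ip, "dport": dst_port, "flags": "SYN",
            "seq": cookie(key, dst_ip, dst_port)}


def classify_reply(key: bytes, pkt: dict) -> Optional[str]:
    """Receiver side, run on every TCP packet the sniffer sees.
    A real reply acknowledges our ISN + 1; recompute it from the packet's own
    source address and port, which is all the state the receiver needs."""
    expected_ack = (cookie(key, pkt["src"], pkt["sport"]) + 1) & MASK32
    if pkt["ack"] != expected_ack:
        return None                      # stray traffic, or someone forging results
    if pkt["flags"] == "SYN-ACK":
        return "open"
    if pkt["flags"] == "RST-ACK":
        return "closed"
    return None


def reply_to(syn: dict, flags: str) -> dict:
    """Constructed target behaviour: acknowledge the SYN's sequence number + 1."""
    return {"src": syn["dst"], "sport": syn["dport"], "flags": flags,
            "ack": (syn["seq"] + 1) & MASK32}


if __name__ == "__main__":
    syn = make_syn(KEY, "192.0.2.10", 443)
    print(classify_reply(KEY, reply_to(syn, "SYN-ACK")))               # open
    print(classify_reply(KEY, reply_to(syn, "RST-ACK")))               # closed
    print(classify_reply(KEY, dict(reply_to(syn, "SYN-ACK"), ack=1)))  # None: not ours
```

Because the check is a function of the reply alone, the receiver can run on a different host from the sender and at any speed; the sender is limited only by how fast the link accepts SYNs. The key matters: with a guessable sequence number anyone on the path could inject SYN-ACKs and make closed ports appear open.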
Port Scanning Defenses
Action item:
Run netstat -na to see what’s listening (on UNIX and Windows)
Alternatively, use Fport on Windows and Lsof on UNIX
For those services you don’t need, close unused ports
Disable unneeded services
In Windows: Check Start → Programs → Administrative Tools → Services
In UNIX: Check /etc/rc.d/init.d and /etc/xinetd.d (plus /etc/xinetd.conf)
For incident handling, realize that these scans
are possible
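The "what is listening versus what should be" check above, as an added example that is not from the talk: it parses netstat -na output in both the Linux and the Windows layout and diffs the listening sockets against an allow-list. The two listings are constructed to look like real output; the port 8888 and 3389 listeners are the planted surprises.

```python
"""
Parse `netstat -na` output and diff what is listening against what the host
is supposed to offer. Added example, not from the talk; the two netstat
listings below are constructed to look like Linux and Windows output.
"""

LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51422          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    10.0.0.7:445           10.0.0.9:50012         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def listening_sockets(netstat_output: str) -> list:
    """Return [(proto, local_ip, port)] for listening TCP sockets and bound UDP
    sockets. Works on both layouts: the local address is the first field
    containing ':' in either format, and the TCP state is the last field."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0].lower()[:3] not in ("tcp", "udp"):
            continue                       # banners, column headers, blank lines
        proto = fields[0].lower()[:3]      # tcp6/udp6 fold into tcp/udp
        local = next(f for f in fields[1:] if ":" in f)
        if proto == "tcp" and not fields[-1].upper().startswith("LISTEN"):
            continue                       # ESTABLISHED, TIME_WAIT, ...
        ip, port = local.rsplit(":", 1)    # rsplit copes with :::22 and [::]:3389
        found.append((proto, ip, int(port)))
    return found


def audit(netstat_output: str, allowed: set) -> tuple:
    """allowed is a set of (proto, port). Returns (unexpected, missing):
    listeners nobody approved, and approved services that are not up."""
    present = {(proto, port) for proto, _ip, port in listening_sockets(netstat_output)}
    return sorted(present - allowed), sorted(allowed - present)


if __name__ == "__main__":
    print(audit(LINUX_SAMPLE, {("tcp", 22), ("tcp", 25), ("udp", 123)}))
    print(audit(WINDOWS_SAMPLE, {("tcp", 135), ("tcp", 445), ("udp", 137)}))
```

Feed it the real command's output (netstat -na | python audit.py, or read the text from a file collected during an incident). One caveat that belongs with the "realize that these scans are possible" point: netstat on a host with a kernel-level rootkit will omit the attacker's listener, so the baseline it produces should be confirmed from the outside with a port scanner run from another machine.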
Gaining Access – Detailed Code Analysis Tools
Consider recent months – major holes in Apache,
Internet Explorer, OpenSSL, OpenSSH, Sendmail,
Snort… the list keeps growing!
We’ve seen a recent revolution in detailed vulnerability
analysis tools
Used to find buffer overflows, heap overflows, etc.
Think of these tools as X-Rays or microscopes to look
inside executable code at a fine grained level
Look for common mistakes that let an attacker take
over a system
Step through machine language code, line by line
To learn more about such tools, check out the
Honeynet Project Reverse Challenge at:
http://www.honeynet.org/reverse/
Code Analysis Tools - Windows (tool name, commercial or free, summary, where to get it)

APISpy32, by Yariv Kaplan (Free)
  On Windows systems, this tool monitors all API calls, showing the value of all variables passed along the way.
  http://www.internals.com/utilities_main.htm

Heap Debugger, by Anonymous (Free)
  On Windows systems, this tool lists all memory locations not properly released by an application.
  http://www.programmersheaven.com/zone24/cat277/4136.htm

APIHooks, by EliCZ (Free)
  On Windows systems, this tool intercepts API calls, allowing an attacker to analyze or even manipulate the flow of data through a program.
  http://www.anticracking.sk/EliCZ/

Feszer, by Frank Swiderski (Free)
  This Windows tool is used to analyze problems in string handling functions.
  http://www.atstake.com/research/tools/index.html
Code Analysis Tools - UNIX (tool name, commercial or free, summary, where to get it)

Sharefuzz, by Dave Aitel (Free)
  On UNIX machines, this program can be used to find holes from local accounts on a machine.
  http://freshmeat.net/projects/sharefuzz/?topic_id=43

SPIKE, by Dave Aitel (Free)
  On UNIX machines, this tool can be used to find flaws in network protocol handling, especially in web servers and remote procedure calls.
  http://www.immunitysec.com/spike.html

Electric Fence, by Bruce Perens (Free)
  On UNIX machines, this tool can find flaws with the way the system frees memory, which could lead to security exposures.
  http://perens.com/FreeSoftware/

Fenris, by Michal Zalewski (Free)
  Multipurpose tracer, stateful analyzer and partial decompiler for UNIX.
  http://razor.bindview.com/tools/fenris/
Code Analysis Tools - Both (tool name, commercial or free, summary, where to get it)

IDA Pro, by DataRescue (Commercial)
  This program is the premier code disassembler tool for both Windows and Linux. It is extremely powerful and very widely used to find security flaws.
  http://www.datarescue.com

Cenzic’s Hailstorm (Commercial)
  This powerful tool allows for finding defects by injecting faults into software.
  http://www.cenzic.com/

People used to say that closed source was more secure because attackers couldn’t analyze it as much
This is increasingly less true because of tools like these!
SQL Slammer
So, how are they propagating their
exploits?
Increasingly, they are using worms
Remember SQL Slammer?
January, 2003: Fast-spreading worm on
the rampage
Patch SQL Server!
Am I running it?
Very hard to tell
Many products use it, and Microsoft doesn’t
make it easy to detect
SQL Slammer Impact
Took much of South Korea off of the Internet
for several hours
Ironically, this limited its spread
By clogging links, the worm couldn’t spread as
quickly to the outside world
One Emergency 911 call center was taken off
line
Over 13,000 ATM (Money Machines) offline in
North America
Some airlines cancelled a few flights
SQL Slammer Characteristics
Why did SQL Slammer cause such
damage?
People didn’t know they were running the
Microsoft SQL service
Fast spread via small size and UDP
Only 376 bytes
Attacked the Microsoft SQL Server Resolution Service, which listens on UDP port 1434
Worm Efficiencies and TCP vs. UDP
To establish sequence numbers, TCP uses a three-way handshake to initiate a connection: SYN, SYN-ACK, ACK, and only then is the connection up
UDP doesn’t… a single packet from A is all it takes
UDP-based Worms
Worm spread via TCP: a three-way handshake with every potential victim before the exploit can be delivered
Worm spread via UDP: the exploit rides in the first (and only) packet, so the worm never waits for a reply
Analogy: Spreading a cold in Grand Central Station
TCP: Shake everyone’s hand…
UDP: Lob infected ping pong balls
Defenses Against Code Flaws & Worms
Keep your systems patched, with a well-defined
process for:
Learning about new patch availability
Acquiring and authenticating patches
Testing patches in a non-production environment
Rolling patches into production
Write secure code!
Education of software developers
Good book for Windows: Writing Secure Code, by Howard
and Leblanc
Good stuff for UNIX: http://www.dwheeler.com/secureprograms/ by D. Wheeler
Automated software checking tools
ITS4: www.cigital.com/its4/download.html
RATS: www.securesoftware.com/rats.php
Flawfinder: www.dwheeler.com/flawfinder/
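A miniature of what ITS4, RATS and Flawfinder do, as an added example (not any of those tools' code): lexically scan C source for calls to functions that are hard to use safely and rank the hits, while ignoring mentions inside comments and string literals so the report is not full of noise. The risky-function table and the C snippet are constructed for the demo.

```python
"""
A miniature version of what ITS4, RATS and Flawfinder do: lexically scan C
source for calls to functions that are hard to use safely, and rank the hits.
Added example, not any of those tools' code; the C snippet is constructed.
"""
import re
from typing import List, Tuple

# function name -> (severity, note); 5 means "almost always a bug".
RISKY = {
    "gets":    (5, "no bound on input length; use fgets"),
    "strcpy":  (4, "unbounded copy; check the length or use snprintf"),
    "strcat":  (4, "unbounded append"),
    "sprintf": (4, "unbounded format into a buffer; use snprintf"),
    "scanf":   (3, "%s with no field width is unbounded"),
    "system":  (3, "shell injection if the argument is attacker-influenced"),
    "strncpy": (1, "does not NUL-terminate when the source fills the buffer"),
}
CALL = re.compile(r"\b(" + "|".join(map(re.escape, RISKY)) + r")\s*\(")

SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

/* strcpy() named in a comment must not be reported */
int greet(const char *name) {
    char buf[64];
    strcpy(buf, name);             /* overflows when name is 64+ bytes */
    printf("hello %s, strcat(\n", buf);
    return 0;
}

int read_line(void) {
    char line[128];
    gets(line);                    // unbounded read
    strncpy(line, "x", sizeof line);
    return 0;
}
"""


def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and string literals (keeping every newline, so line
    numbers survive) so a function name inside them is not flagged. A real
    tool tokenizes; this regex pass is enough to show the idea."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    src = re.sub(r"//[^\n]*", blank, src)
    src = re.sub(r'"(\\.|[^"\\\n])*"', blank, src)
    return src


def scan_c(src: str) -> List[Tuple[int, str, int, str]]:
    """Return [(line, function, severity, note)], most severe first."""
    hits = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for m in CALL.finditer(line):
            fn = m.group(1)
            severity, note = RISKY[fn]
            hits.append((lineno, fn, severity, note))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


if __name__ == "__main__":
    for lineno, fn, severity, note in scan_c(SAMPLE_C):
        print(f"line {lineno:3d}  [{severity}] {fn}(): {note}")
```

The output is a worklist, not a verdict: a strcpy whose source length was checked two lines earlier is a false positive, and a fixed-size buffer filled by a loop shows up nowhere. That is also why the talk lists these tools under "education of developers" rather than as a substitute for it.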
Trojan Horse Backdoors (table: type, characteristic, analogy, example tools in this category)

Application-Level Trojan Horse Backdoor
  Characteristic: a separate application runs on the system
  Analogy: an attacker adds poison to your soup
  Example tools: Sub7, BO2K, Tini, etc.

Traditional RootKits
  Characteristic: critical operating system components are replaced
  Analogy: an attacker replaces your potatoes with poison ones
  Example tools: Lrk6, T0rnkit, etc.

Kernel-Level RootKits
  Characteristic: kernel is patched
  Analogy: an attacker replaces your tongue with a poison one
  Example tools: Knark, adore, Kernel Intrusion System, rootkit.com, etc.

Diagram (three panels):
Application-level: an evil app runs alongside the good programs, on top of an untouched kernel
Traditional RootKit: Trojan login, ps and ifconfig replace the good binaries; the kernel and tripwire stay good, so an integrity checker run from trusted media can still spot the swapped files
Kernel-level RootKit: login, ps, ifconfig and tripwire all remain the good binaries, but a Trojan kernel module underneath lies to every one of them
Maintaining Access – Trojan Horse Backdoors
New even stealthier Application-Level Trojan Horse
Backdoors
Setiri Written by Roelof Temmingh and Haroon Meer
Code shown August, 2002; no release scheduled
Standard functions
Upload file, execute program, download file
Uses invisible IE browser window and OLE to
communicate with browser to send data to attacker
over HTTPS
If personal firewall allows browser to send traffic to the
Internet, backdoor can communicate with attacker
Also gets through NAT, proxies, and stateful firewalls
Setiri Architecture (diagram reconstructed)
STEP 1: Attacker somehow installs Setiri on victim machine
Victim → HTTPS → Anonymizer → HTTPS → Connection Broker (Web Server with Attacker’s CGIs)
Attacker → HTTPS → Anonymizer → HTTPS → Connection Broker
Victim and attacker never talk to each other directly; both reach the connection broker through an anonymizing proxy over HTTPS
Kernel Level RootKits
An area that continues to get attackers’ attention is the kernel-level RootKit
By operating in the kernel, the attacker has complete
control of the target machine
Hidden processes
Hidden files
Hidden network use (sniffing and port listeners)
Execution redirection
Three ways of implementing
Loadable Kernel Module
Patch kernel image on hard drive
Alter kernel in memory on running system! Yikes!!!
Maintaining Access Defenses
Block access to Anonymizer.com
Works for base Setiri tool and relatives, but attacker
could use another anonymous proxy or connection
broker
Still, it’s a pretty reasonable idea
Anti-virus tools
Look for signatures in near future
Browser vendors (ahem…) possibly looking at
limiting actions of invisible browser
Additionally, protect your kernel!
St. Michael for Linux, by Tim Lawless, at
www.sourceforge.net
Okena and Entercept for Windows and Solaris
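One concrete way to "protect your kernel" after the fact, as an added example (not St. Michael's, Okena's or Entercept's code): cross-view detection of hidden processes on Linux. A kernel-level rootkit that filters the /proc listing (which is where ps gets its list) also has to lie on every other path into the kernel; kill(pid, 0) is one it often forgets. Only hidden_pids() is pure and is what the assertions exercise; the two collectors read the live system, and the thread check is there because kill() answers for thread IDs that never appear in the /proc listing.

```python
"""
Cross-view detection of hidden processes on Linux. A kernel-level rootkit that
filters the /proc directory listing (which is where ps gets its process list)
has to remember to lie on every other path too; kill(pid, 0) asks the kernel
about a PID directly. Take both views and diff them. Added example, not
St. Michael's or any other checker's code; only hidden_pids() is pure, the
two collectors read the live system.
"""
import os
from typing import Callable, Set


def pids_from_proc() -> Set[int]:
    """The view ps, top and friends use: numeric entries in /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probing(max_pid: int) -> Set[int]:
    """Ask the kernel about every PID with signal 0: success or EPERM both mean
    the process exists, ESRCH means it does not."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except PermissionError:
            pass                      # exists, just not ours
        except ProcessLookupError:
            continue
        alive.add(pid)
    return alive


def is_thread(pid: int) -> bool:
    """kill() also answers for thread IDs, which never appear in the /proc
    listing. A thread's Tgid differs from its own ID."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass                          # no status file either: keep it as a candidate
    return False


def hidden_pids(visible: Set[int], probed: Set[int],
                thread_check: Callable[[int], bool] = lambda pid: False) -> Set[int]:
    """PIDs the kernel admits exist but the listing omits, minus known threads.
    Processes that exited between the two collections are the other false
    positive; re-run and keep only PIDs that show up twice."""
    return {pid for pid in probed - visible if not thread_check(pid)}


def check_live(max_pid: int = 65536) -> Set[int]:
    """Run both collectors on this host (Linux only). Raise max_pid to the
    value in /proc/sys/kernel/pid_max on systems that use large PIDs."""
    return hidden_pids(pids_from_proc(), pids_by_probing(max_pid), is_thread)


if __name__ == "__main__":
    print("candidate hidden PIDs:", sorted(check_live()))
```

A hit is a lead, not proof: confirm it with a second independent view (a memory image, or the same check booted from trusted media) before concluding the kernel has been modified. A rootkit that hooks both paths consistently will pass this test, which is the argument for the preventive tools the slide lists.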
Covering Tracks with
The Defiler’s Toolkit
Forensics now faces… anti-forensics
The Coroner’s Toolkit is very popular, along with its
descendent, TASK (www.atstake.com)
The Defiler’s Toolkit attempts to confuse forensics investigations
Targets Linux Ext2fs file system, but ideas
could be extended to other platforms
By anonymous, released July, 2002
Available at
http://www.phrack.com/show.php?p=59&a=6
Defiler’s Toolkit
Data hiding
Bad blocks inode points to blocks that don’t function properly
Attacker associates good blocks with the bad block inode and
stores data there
Carve out a segment of your hard drive and label it “bad”
Drive appears smaller, but TCT won’t look in the bad blocks
Data destruction with Necrofile
Deleting a file, even with a tool that wipes its contents, removes just the data, not the meta-data (inodes and directory entries), and that meta-data is what forensic undelete tools read
Necrofile – scrubs inodes clean, based on deletion time
criteria
Data destruction with Klismafile
Directory entries show deleted filenames and sizes
Klismafile searches for these entries and scrubs them
Defending Against
The Defiler’s Toolkit
The Coroner’s Toolkit, as cool as it was, is a bit
outdated
Turn toward a more recent descendant of TCT, TASK
to get a better look at forensics data
In investigations, don’t forget to look in blocks marked bad!
There could be some very useful data hidden in there
On ext2 the bad blocks are owned by inode 1: debugfs -R "stat <1>" against the device or image lists the blocks it claims, and a drive that is otherwise healthy but suddenly "has" a run of bad blocks deserves a closer look at what those blocks contain
Conclusions
Remember good ol’ Sun Tzu
Attackers keep improving their capabilities and tools
Don’t get discouraged
We must keep up with them
Understand their techniques
Deploy, maintain, and update effective defenses
Consider it an intellectual challenge… with job security
Just remember… It is the Golden Age
By remaining diligent, we can secure our systems!
References – Keeping Up
The web:
www.sans.org
www.securityfocus.com
www.counterhack.net
Test your knowledge while having fun!
Monthly “Crack the Hacker” Challenge
www.counterhack.net
Willie Wonka and the Chocolate Hackery (Feb, 2003)
Hack to the Future (January, 2003)
How the Grinch Hacked Christmas (December, 2002)
Spider-Hack (November, 2002)
Robin Hack, Prince of Thieves (October, 2002)
The Princess Hack (September, 2002)
Crackers, Admins, and Sploits... Oh My! (July, 2002)
HACK WARS, Episode IV, A New Hack (June, 2002)
Backdoor Shell Game Face/Off (May, 2002)