Nessus: A Vulnerability Assessment Tool, A Security Scanner. Information Networking Security and Assurance Lab, National Chung Cheng University (slides by Jei, 2004). The page continues with three further slide decks from the same lab: Live Data Collection from Windows Systems, Live Data Collection from Unix Systems, and Investigating Unix Systems.


Slide 2: Outline
Description & Features; Operation mode; Installation; Example 1 (Unix-based); Example 2 (Windows-based); Summary


Slide 4: Description
The Nessus security scanner is software that remotely audits a given network and determines whether someone (or something, such as a worm) could break into it or misuse it in some way. It tests from the outside, the way an attacker would, so it reports what is reachable and exploitable rather than what a host's package list says is installed.

Slide 5: Features
Free; powerful; fast; modular architecture (the scanning engine is separate from the tests, which are plugins written in NASL, one per check); reliable; up to date (run nessus-update-plugins as root to fetch the current plugin set; a scanner with stale plugins silently misses every vulnerability published since the last update).


Slide 7: The Client-Server Architecture
Diagram: the Nessus client connects to the Nessus server (nessusd), which runs the tests against the target hosts (WWW, FTP, Mail, Proxy). nessusd listens on TCP port 1241 by default and authenticates the client before accepting a scan; the targets themselves need no agent. Because the server holds the credentials and the scan rules, it should sit on a host that is itself hardened and not reachable from the networks it scans.


Slide 9: Environment
Version: (not given on the slide); Platform: Intel x86; OS: Debian GNU/Linux; Compiler: gcc 2.95

Slide 10: Three choices!!
The easy and dangerous way: fetch the installer script from the Nessus site and pipe it straight into a shell as root, without reading or verifying it. Whoever can tamper with that download (or the DNS or the path it travels) controls your scanner host.
The easy and less dangerous way: download the installer script (nessus-installer.sh), verify its published checksum or signature and read it, then run it.
The Debian fast way: install the packaged nessus (client) and nessusd (server) with apt-get, which gets you signed packages and security updates through the distribution.

Slide 11: Start (screenshot of the installation run)

Slide 12: Add user
The command: nessus-adduser, run as root on the server. It asks for the user name, the way of authentication (password or certificate), the password, and the rule set for the user. The rule set restricts which targets that user may scan, for example "accept 192.168.1.0/24" followed by "default deny". Give each operator only the address ranges they are responsible for; a scanner account allowed to target anything is a ready-made reconnaissance tool for whoever steals its password.

Slide 13: Start nessusd
Run nessusd as a daemon: nessusd -D. On start-up it loads the plugins (this takes a while with a full plugin set) and then listens for clients on TCP 1241. Check with netstat -an that it is listening only where you expect it to.


Slide 15: Environment (network diagram)
The Internet connects the routers of EE, CCU and ISU; the two hosts involved are WJL.ee.ccu and linux.ee.isu, on opposite sides of those routers, so the scan traffic crosses the Internet between them.

Slide 16: Configuration of the nessus client (screenshot: server address, port, user name, plugin selection)

Slide 17: Start the scan (screenshot)

Slide 18: Report (screenshot of the client's report window)

Slide 19: Report with HTML format (screenshot)
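As an added example (not from the slides and not part of the Nessus project), the same Unix-side run driven from the command line instead of the GUI: the Nessus 2.x client's batch mode (nessus -q, with -T nbe for the pipe-separated report format) and a small parser that turns the .nbe file into a per-host count of holes, warnings and notes. The server address, port 1241, the user name "scanner" and the file names are assumptions, and the report written by write_sample_nbe is a constructed sample with a placeholder plugin ID, not real scan output.

```shell
#!/bin/sh
# Added example: batch-mode Nessus 2.x scan plus NBE report summary.
# Assumptions (not from the slides): nessusd on 127.0.0.1:1241, a Nessus user
# called "scanner", its password in a mode-0600 file, targets in targets.txt.

NESSUSD_HOST="${NESSUSD_HOST:-127.0.0.1}"
NESSUSD_PORT="${NESSUSD_PORT:-1241}"      # nessusd default listening port

# Run one scan from the command line.  -q = batch mode, -T nbe = write the
# report in NBE (one finding per line, fields separated by '|').
# Caveat: the 2.x client takes the password as an argument, so it is visible to
# every local user in `ps`; run this only from a dedicated scanning host.
run_scan() {   # run_scan <user> <password-file> <targets-file> <out.nbe>
    nessus -q -T nbe "$NESSUSD_HOST" "$NESSUSD_PORT" \
        "$1" "$(cat "$2")" "$3" "$4"
}

# Summarise an NBE report per host.  Output lines: "<host> <holes> <warnings> <notes>".
# Report lines look like:
#   results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>
nbe_summary() {   # nbe_summary <report.nbe>
    awk -F'|' '
        $1 == "results" && NF >= 6 {
            h = $3; seen[h] = 1
            if      ($6 == "Security Hole")    hole[h]++
            else if ($6 == "Security Warning") warn[h]++
            else if ($6 == "Security Note")    note[h]++
        }
        END { for (h in seen) printf "%s %d %d %d\n", h, hole[h]+0, warn[h]+0, note[h]+0 }
    ' "$1" | sort
}

# Hosts with at least one Security Hole: the ones to fix (and re-scan) first.
nbe_hosts_with_holes() {   # nbe_hosts_with_holes <report.nbe>
    nbe_summary "$1" | awk '$2 > 0 { print $1 }'
}

# Constructed sample report (NOT real scan output) so the parser can be tried
# offline.  Plugin ID 99999 is a placeholder.
write_sample_nbe() {   # write_sample_nbe <file>
    cat > "$1" <<'EOF'
timestamps|||scan_start|Mon Jan 05 10:00:00 2004|
results|192.168.1|192.168.1.10|ssh (22/tcp)|10267|Security Note|SSH server type and version
results|192.168.1|192.168.1.10|ftp (21/tcp)|10079|Security Warning|Anonymous FTP enabled
results|192.168.1|192.168.1.10|ftp (21/tcp)|99999|Security Hole|constructed sample finding
results|192.168.1|192.168.1.20|http (80/tcp)|10107|Security Note|HTTP server type and version
timestamps|||scan_end|Mon Jan 05 10:12:00 2004|
EOF
}

# Usage:  ./nessus-batch.sh scanner ./scanner.pw targets.txt scan.nbe
if [ "$#" -eq 4 ]; then
    run_scan "$@" && nbe_summary "$4"
fi
```

The NBE file is the one to keep, not the HTML: it is the format every later comparison (what changed since the last scan, which hosts still have holes after patching) can be computed from with awk alone.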


Slide 21: Environment (network diagram, as in Example 1: the Internet, the routers of EE, CCU and ISU, and the hosts WJL.ee.ccu and linux.ee.isu)

Slide 22: Description
NessusWX is a client program for the Nessus security scanner designed specifically for the Windows platform; it talks to the same nessusd over TCP 1241 as the Unix client does. Version: (not given on the slide); Download: zip archive.

Slide 23: Setting (screenshot of the NessusWX options dialog)

Slide 24: Connect to the nessus server (screenshot)

Slide 25: Create a session (screenshot)

Slide 26: Execute (screenshot)

Slide 27: View the result (screenshot)

Slide 28: Report with HTML format (screenshot)

Slide 29: Export to the MySQL database (1/4)
First: let the NessusWX user access the database from the client's location. The SQL command is a GRANT. Grant only what the export needs (INSERT and SELECT on the Nessus database) to the user connecting from the client's host; do not grant ALL PRIVILEGES ON *.* to a user who may connect from anywhere ('%'), because the scan results database then becomes a map of every weak host on the network for anyone who guesses that password.

Slide 30: Export to the MySQL database (2/4)
Second: create the database and the tables with the script shipped with NessusWX (create_tables.txt).

Slides 31-32: Export to the MySQL database (3/4, 4/4)
Screenshots of the export dialog and of the exported rows in the database.


Slide 34: Summary
An ounce of prevention is worth a pound of cure: scan your own hosts before an attacker does, and scan again after every plugin update and every configuration change.

Slide 35: Live Data Collection from Windows Systems (title slide)

Slide 36: Outline
Preface; Creating a Response Toolkit; Storing Information Obtained during the Initial Response; Obtaining Volatile Data; Performing an In-Depth Live Response


Slide 38: Preface
The goals of an initial response: confirm that there is an incident, and retrieve the system's volatile data (what is lost the moment the machine is powered off). OS covered: Windows NT/2000/XP.


Slide 40: What is important
Do not affect any potential evidence: prepare a complete response toolkit in advance, so that nothing from the compromised system has to be executed. A live investigation is not the time to create or test your toolkit for the first time!!!

Slide 41: The Utilities (I)
Name: description (source)
cmd.exe: the command prompt for Windows NT/2000/XP (built in)
PsLoggedOn: shows all users connected locally and remotely (www.sysinternals.com)
rasusers: shows which users have remote-access privileges on the target system (NT Resource Kit, NTRK)
netstat: enumerates all listening ports and all current connections to those ports (built in)
Fport: enumerates all processes that opened any TCP/IP ports on Windows NT/2000/XP (www.foundstone.com)
PsList: enumerates all running processes on the target system (www.sysinternals.com)
ListDLLs: lists all running processes with their command-line arguments and loaded DLLs (www.sysinternals.com)
nbtstat: lists the recent NetBIOS connections (the cache covers roughly the last 10 minutes) (built in)
arp: shows the MAC addresses of the systems the target system has been communicating with (built in)
kill: terminates a process (NTRK)

Slide 42: The Utilities (II)
Name: description (source)
md5sum: creates MD5 hashes for a given file (www.cygwin.com)
rmtshare: displays the shares accessible on a remote machine (NTRK)
netcat: creates a communication channel between two different systems (source URL truncated on the slide: "_utilities")
cryptcat: creates an encrypted channel of communication (http://sourceforge.net/projects/cryptcat)
PsLogList: dumps the contents of the event logs (www.sysinternals.com)
ipconfig: displays interface configuration information (built in)
PsInfo: collects information about the local system build (www.sysinternals.com)
PsFile: shows files that are opened remotely (www.sysinternals.com)
PsService: shows information about installed services and their state (www.sysinternals.com)
auditpol: displays the current security audit settings (NTRK)
doskey: displays the command history for an open cmd.exe shell (built in)

Slide 43: Preparing the toolkit
Label the response toolkit media with: the case number; the time and date; the name of the investigator who created the response media; the name of the investigator using the response media.

Slide 44: Preparing the toolkit
Check for dependencies with Filemon: determine which DLLs and files your response tools depend on, and put those on the media too, otherwise a "trusted" tool quietly loads DLLs from the compromised system. Create a checksum for the whole response toolkit with md5sum and keep the list off the media. Write-protect any toolkit floppies.



Slide 47: Preliminaries
"Live" means the system is still powered on. Four options for storing the information retrieved from a live system: the hard drive of the target system (the worst choice, since every write can overwrite potential evidence); a notebook, by hand; a response floppy disk or other removable media; a remote forensic system, using netcat or cryptcat.

Slide 48: Transferring data with netcat
Two advantages: you get on and off the target system quickly, because the commands only run there and nothing is written to its disk; and you can perform the review off-line on the forensic workstation.

Slide 49: Transferring data with netcat
Diagram: NT system on the left, forensic system on the right. 1: run the trusted commands on the NT server (time, date, loggedon, fport, pslist, nbtstat -c, ...). 2: send the output to the forensic box via netcat. 3: perform the off-line review; md5sum the output files.

Slide 50: Transferring data with netcat (screenshot: the forensic workstation listening, the target system sending)

Slide 51: Encrypting data with cryptcat
cryptcat has the same syntax and functions as the netcat command (plus -k to set the shared key; change it from the default, or the encryption is decorative). A sniffer on the path cannot read the information you obtain, and tampering with the data in transit becomes far harder; cryptcat encrypts but does not authenticate the stream, so still hash every file at both ends. Two-man integrity rule: a second investigator witnesses and signs for the collection.
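Added example, not from the slides: the forensic-workstation side of the transfer described above, written for a Unix workstation (a Windows workstation would use the same netcat invocation from cmd.exe). Each command run on the target is received into its own file, hashed with md5sum, and logged with the time and the exact command line, which is the table on slide 54. GNU netcat's "nc -l -p PORT" syntax, the case directory, the port numbers and the 10.0.0.5 workstation address in the comments are assumptions.

```shell
#!/bin/sh
# Added example: receive netcat-transferred output on the forensic workstation
# and keep the chain-of-custody log (time, command, MD5, file).
# Assumptions: GNU netcat ("nc -l -p PORT"; OpenBSD nc is "nc -l PORT"),
# md5sum from coreutils, CASE_DIR as the evidence directory.

CASE_DIR="${CASE_DIR:-./case}"
LOG="${LOG:-$CASE_DIR/collection.log}"

md5_of() { md5sum "$1" | cut -d' ' -f1; }          # hex digest only

# Append one log row.  Tab-separated so the command text (spaces, pipes)
# stays in one field.  Prints the digest so the caller can note it by hand too.
log_artifact() {   # log_artifact <file> <command-as-run-on-target>
    digest=$(md5_of "$1")
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$digest" "$1" >> "$LOG"
    echo "$digest"
}

# Receive one stream.  One listener per command: nc exits when the target
# side closes the connection, so every artefact lands in its own file.
receive() {   # receive <port> <name> <command-as-run-on-target>
    mkdir -p "$CASE_DIR"
    out="$CASE_DIR/$2.txt"
    nc -l -p "$1" > "$out"
    chmod 0444 "$out"                              # the evidence is never written again
    log_artifact "$out" "$3"
}

# Re-check a file against the digest that was logged for it (0 = intact).
verify_artifact() {   # verify_artifact <file>
    want=$(awk -F'\t' -v f="$1" '$4 == f { print $3 }' "$LOG" | tail -n 1)
    [ -n "$want" ] && [ "$(md5_of "$1")" = "$want" ]
}

# A session, started with "receive-all" before the target-side commands are
# typed.  On the target each line is e.g.:  pslist | nc 10.0.0.5 2223
if [ "${1:-}" = "receive-all" ]; then
    receive 2222 datetime "(date /t & time /t) | nc 10.0.0.5 2222"
    receive 2223 pslist   "pslist | nc 10.0.0.5 2223"
    receive 2224 netstat  "netstat -an | nc 10.0.0.5 2224"
    receive 2225 fport    "fport | nc 10.0.0.5 2225"
fi
```

Swapping nc for cryptcat on both ends (with the same -k key) is the only change needed for slide 51; the hash log stays, because an encrypted stream is not an authenticated one.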


Slide 53: Collect the important information
At minimum, collect this volatile data prior to forensic duplication:
- system date and time
- a list of the users who are currently logged on
- time/date stamps for the entire file system
- a list of the currently running processes
- a list of the currently open sockets
- the applications listening on open sockets
- a list of the systems that have current or had recent connections to the system

Slide 54: Organizing and documenting your investigation
Log table (one row per command), columns: Start Time; Command Line; Trusted; Untrusted; MD5 Sum of Output; Comments
12:15:22  type lmhosts | nc   trusted: X   MD5: 3d2e531d.6553 ee93e eef3
12:15:27  pslist | nc         trusted: X   MD5: 1ded672ba8b2e bf5beef fe8
12:15:32  netstat -an | nc    trusted: X   MD5: 52285a efe eef3

Slide 55: Collecting volatile data
Top-ten list of the steps for data collection:
1. Execute a trusted cmd.exe (from the response media).
2. Record the system time and date.
3. Determine who is logged in to the system (and remote-access users, if applicable): PsLoggedOn, rasusers.
4. Record modification, creation, and access times of all files: dir (see dir /? for the /t:w, /t:c and /t:a switches that select which of the three times is listed).

Slide 56: Collecting volatile data
5. Determine open ports: netstat.
6. List the applications associated with open ports: Fport. Examples of what it exposes: winpop.exe (Netbus trojan), windll.exe (GirlFriend trojan).
7. List all running processes: PsList.
8. List current and recent connections: netstat, arp, nbtstat.

Slide 57: Collecting volatile data
9. Record the system time and date again: sandwich your data-retrieval commands between time and date commands.
10. Document the commands used during the initial response: doskey /history. Scripting your initial response (a batch file on the media) makes the steps repeatable and self-documenting.


Slide 59: Do not affect the system
The in-depth live response aims to find the evidence and properly remove rogue programs without disrupting any services, which is what makes it different from a forensic duplication followed by a rebuild.

Slide 60: Creating an in-depth response toolkit
Name: description (source)
auditpol: determines the audit policy on a system (NTRK)
reg: dumps specific information (keys) within the NT/2000 Registry (NTRK)
regdump: dumps the Registry as a text file (NTRK)
pwdump3e: dumps the SAM database so that the password hashes can be cracked
NTLast: reports successful and failed logons to a system (www.foundstone.com)
Sfind: detects files hidden within NTFS alternate data streams (www.foundstone.com)
Afind: searches a file system for the files accessed during a specific time frame (www.foundstone.com)
dumpel: dumps the NT/2000 event logs (NTRK)

Slide 61: Collecting live response data
Two key sources of evidence on Windows NT/2000: the event logs, and the Registry. Four approaches that yield quite a bit of information: review the event logs; review the Registry; obtain the system passwords; dump system RAM.

Slide 62: Review the event logs
auditpol (shows what is being audited at all, so you know what the logs can and cannot contain); NTLast (logon events); dumpel (full event log export).

Slides 63-65: NTLast output (screenshots)
Successful logons; failed console logons; all successful logons from remote systems.

Slide 66: Review the Registry
regdump: creates an enormous text file of the whole Registry, suitable for off-line keyword searches. reg query: extracts just the Registry key values of interest (the Run and RunOnce keys and the services list are where persistence usually hides).

Slide 67: Obtaining system passwords
pwdump3e: dumps the password hashes from the Security Accounts Manager (SAM) database for off-line cracking. It needs administrator rights and starts a helper service on the target, so it changes the system; record that you ran it, and why.

Slide 68: Dumping system RAM
userdump.exe (Microsoft OEM Support Tools). Two types of memory: user-mode (application) memory, which userdump captures one process at a time; and full-system memory, which userdump does not capture and needs a different tool.

Slide 69: Live Data Collection from Unix Systems (title slide)

Slide 70: Outline
Preface; Obtaining Volatile Data Prior to Forensic Duplication; Performing an In-Depth, Live Response; the /proc File System


Slide 72: Preface
Many Unix versions are not backward or forward compatible, so build a trusted, statically linked toolkit for each OS and version you may have to respond on. Four storage options: the local hard drive (avoid it: every write can overwrite potential evidence); removable media such as floppy disks, USB drives or tape drives; by hand, in a notebook; a forensic workstation over the network. Best time to collect: when no one else, the attacker included, is online.


Slide 74: The minimum information
- system date and time
- a list of the users who are currently logged on
- time/date stamps for the entire file system
- a list of currently running processes
- a list of currently open sockets
- the applications listening on open sockets
- a list of the systems that have current or recent connections to the system

Slide 75: Follow these steps
1. Execute a trusted shell.
2. Record the system time and date.
3. Determine who is logged on to the system.
4. Record modification, creation, and access times of all files.
5. Determine open ports.
6. List the applications associated with open ports.
7. Determine the running processes.
8. List current and recent connections.
9. Record the system time again.
10. Record the steps taken.
11. Record cryptographic checksums of everything collected.

Slide 76: Executing a trusted shell
Avoid logging in through X Windows: it starts many processes and touches many files, each of which disturbs the evidence. Set your PATH to dot (.) while the current directory is the response media, so that only your trusted binaries are executed; setting PATH to the absolute path of the toolkit directory is more robust, since the shell then cannot pick up a binary from whatever directory you happen to be in.

Slide 77: Recording the system time and date
The command is date. Run it first and again at the end, so every other output is bracketed by a known clock reading, and note the offset between the system clock and a trusted time source.

Slide 78: Who?
The w command. The TTY column is the controlling terminal: ttyN means logged on at the console, pts/N means over the network (the FROM column then shows the remote host). LOGIN@ is the local starting time of the connection. JCPU is the CPU time used by all processes attached to that terminal. PCPU is the processor time used by the current process, the one shown under the WHAT column.

Slides 79-82: Recording file modification, access, and inode change times
Three timestamps per file: access time (atime), modification time (mtime), inode change time (ctime). With GNU ls (see man ls): ls -alu lists access times, ls -alc lists inode change times, and plain ls -al lists modification times; add -R for the whole tree and redirect the output to the response media or to netcat. Do this before anything else touches the file system, because your own commands update atimes as they read files.

Slide 83: Determine which ports are open
Command: netstat -an (numeric output, all sockets including the listening ones).

Slide 84: Applications associated with open ports
Command: netstat -anp (Linux). You must be root!!!! Otherwise the PID/Program name column is filled in only for your own processes, and an attacker's listener shows up with a blank owner.

Slide 85: Applications associated with open ports
On other Unix-like OSes use lsof, which lists all running processes and the file descriptors they have open; lsof -i restricts the listing to network sockets and shows which process owns each one.

Slide 86: Determine the running processes
Command: ps -eaf (System V style) or ps aux (BSD style). The STIME/START column indicates when a process began; a process that started after the suspected intrusion, or a system daemon that restarted at an odd time, is worth a closer look.

Slide 87: Recording the steps taken
Command: script. Its output file (typescript by default) logs the keystrokes you type and the output they produce!! Write it to the response media, not to the target. Another command: history, which shows the shell's command history for the session.
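The eleven steps above as one script run from the response media, added here as an illustration and not taken from the slides or the book they summarise. It assumes Linux, response media mounted at /mnt/ir with statically linked sh, date, w, ls, netstat, lsof, ps, arp, last, md5sum and nc in /mnt/ir/bin, and a forensic workstation listening with nc at 10.0.0.5:2222 (all of these are assumptions). Every command is bracketed with date so the reviewer can order the outputs, nothing is written to the target's own disk, and running the whole script under script (step 10) records the session.

```shell
#!/bin/sh
# Added example: Unix volatile-data collection from the response media.
# Assumptions: Linux; trusted static binaries in $TOOLKIT; forensic
# workstation at $FW_HOST:$FW_PORT running "nc -l -p 2222 > live.txt".
# Output is accumulated in $LR_SINK on the media, never on the target's own
# disk, and then shipped with nc.

TOOLKIT="${TOOLKIT:-/mnt/ir/bin}"
FW_HOST="${FW_HOST:-10.0.0.5}"
FW_PORT="${FW_PORT:-2222}"
LR_SINK="${LR_SINK:-/mnt/ir/out/live.txt}"

# Run one command and bracket its output with the system clock and the exit
# status, so the reviewer can order the evidence and see what failed.
run_step() {   # run_step <label> <command> [args...]
    label=$1; shift
    {
        printf '=== %s START %s\n' "$label" "$(date)"
        rc=0; "$@" 2>&1 || rc=$?
        printf '=== %s END %s (exit %d)\n' "$label" "$(date)" "$rc"
    } >> "$LR_SINK"
    return 0
}

# Steps 1-9 of the slide: trusted shell (we are in it, PATH restricted), time,
# logged-on users, file times, ports, port owners, processes, connections, time.
collect_volatile() {
    PATH="$TOOLKIT"; export PATH            # step 1: only trusted binaries from now on
    run_step time-start   date                              # step 2
    run_step logged-on    w                                 # step 3
    run_step atime        ls -alRu /                        # step 4: access times
    run_step ctime        ls -alRc /                        #         inode change times
    run_step mtime        ls -alR /                         #         modification times
    run_step ports        netstat -an                       # step 5
    run_step port-owners  netstat -anp                      # step 6 (root: PID/Program name)
    run_step open-files   lsof -n -P                        #         every fd, sockets included
    run_step processes    ps -eo pid,ppid,user,lstart,args  # step 7: with full start time
    run_step arp-cache    arp -an                           # step 8: recent peers
    run_step logins       last -a                           #         recent logins (wtmp)
    run_step time-end     date                              # step 9
}

# Step 11: the checksum of the collected output, printed locally for the case
# notebook and logged again on the workstation when the file arrives.
ship_to_workstation() {
    nc "$FW_HOST" "$FW_PORT" < "$LR_SINK"
    md5sum "$LR_SINK"
}

if [ "${1:-}" = "run" ]; then
    collect_volatile
    ship_to_workstation
fi
```

The exit status in each END line matters: a trusted netstat -anp that exits non-zero, or a w that prints nothing, is itself a finding on a box where a kernel rootkit is interfering with the tools.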


Slide 89: The files you want to collect
The log files; the configuration files; the other relevant files.

Slide 90: Loadable Kernel Module rootkits
Rootkits: collections of commonly trojaned system programs and scripts that automate many of the actions attackers want to do (hide files, processes and connections, keep a backdoor open)!!! LKMs are programs that can be dynamically linked into the kernel after the system has booted; an LKM rootkit therefore needs to replace no binary on disk, which is why a file-integrity check of /bin and /sbin finds nothing.

Slide 91: Loadable Kernel Module rootkits
Rogue LKMs can lie about the results: they hook the system calls that ps, netstat, ls and lsof rely on, so even a trusted, statically linked binary from your media gets the doctored answer. LKM rootkits: knark, adore, heroin. With knark installed, the attacker simply sends signal 31 (kill -31) to the process she wants to hide.

Slide 92: The important logs you must collect!!
Binary log files: the utmp file, accessed with the w utility; the wtmp file, accessed with the last utility; the lastlog file, accessed with the lastlog utility; the process accounting logs, accessed with the lastcomm utility. Copy the raw files as well as the utilities' output, since the raw files can be analysed later with trusted tools.

Slide 93: The important logs you must collect!!
ASCII text log files: web access logs; xferlog (the FTP log); shell history files.

Slide 94: The important configuration files you want to collect!!
/etc/passwd, /etc/shadow, /etc/group, /etc/hosts, /etc/hosts.equiv, ~/.rhosts (for every account, not just root), /etc/hosts.allow and /etc/hosts.deny, /etc/syslog.conf (tells you whether logs were also sent to a remote host), the /etc/rc start-up scripts, the crontab files, /etc/inetd.conf and /etc/xinetd.conf.

Slide 95: Discovering illicit sniffers on Unix systems
A sniffer is the most dangerous finding: the compromise is more widespread than a single system, since every password that crossed that network segment is now suspect; and the attacker has root-level access, because putting an interface into promiscuous mode requires it.

Slide 96: Discovering illicit sniffers on Unix systems
Screenshots of ifconfig output: without the PROMISC flag on the interface (no sniffers) and with it (sniffers on your system).
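An added check (not from the slides) for the PROMISC flag shown on those screenshots: promisc_ifaces reads ifconfig or "ip link" output on standard input and prints the interfaces that are in promiscuous mode, and promisc_from_sysfs reads the flag bits directly from /sys/class/net on Linux (IFF_PROMISC is 0x100), independent of how the user-space tools render them. The interface listings in the comments are constructed samples and the toolkit path is an assumption. Run the binaries from your trusted media; a kernel-level rootkit can still hide the flag, so treat a clean result as evidence, not proof.

```shell
#!/bin/sh
# Added example: find interfaces in promiscuous mode, the usual sign of a sniffer.

# Parse either ifconfig output (old style "UP BROADCAST RUNNING PROMISC" flag
# line, or new style "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,...>") or
# "ip link" output ("2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,...>") from stdin
# and print the names of the interfaces that have PROMISC set.
promisc_ifaces() {
    awk '
        # "ip link" lines carry name and flags together
        /^[0-9]+: [^ ]+: </ {
            name = $2; sub(/:$/, "", name)
            if ($3 ~ /PROMISC/) print name
            next
        }
        # ifconfig: a line starting in column 1 opens a new interface block
        /^[^ \t]/ { name = $1; sub(/:$/, "", name) }
        # ...and the flag line (possibly the same line) names PROMISC
        /PROMISC/ && name != "" { print name; name = "" }
    '
}

# Linux only: read the flag word from sysfs.  IFF_PROMISC == 0x100.
promisc_from_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")                             # e.g. 0x1103
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            d=${f%/flags}; echo "${d##*/}"
        fi
    done
}

# Live check with the trusted toolkit binaries (path is an assumption):
#   /mnt/ir/bin/ip link show | promisc_ifaces
#   promisc_from_sysfs
# Constructed sample that should report eth0:
#   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500
#   3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
```

Two sources that disagree (sysfs says PROMISC, the trusted ifconfig says nothing, or vice versa) are a stronger indicator than either alone: user-space tools are what rootkits patch first.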


Slide 98: What is /proc?
A pseudo-file system: an interface to the kernel's data structures, generated on the fly rather than stored on disk. Each process has a subdirectory in /proc that corresponds to its PID.

Slide 99: Example
Start an executable and note its PID; go into the /proc/<PID> subdirectory; the exe link points at the binary and cmdline holds the command you executed.

Slide 100: The fd subdirectory
Descriptors 0, 1 and 2 are standard input, standard output and standard error; the further entries are the file descriptors the process has opened, including sockets (shown as socket:[inode]). A second socket example follows on the slide!!

Slide 101: Dump system RAM
Two files you should collect: the kernel memory device /dev/kmem and /proc/kcore, which presents physical memory as an ELF core image. Whether they are readable depends on the kernel's configuration, and copying them writes nothing to the target, so do it over netcat to the workstation.

Slide 102: A technique you can use!!!!!
The command line can be changed at runtime! main() receives two parameters: argc, an integer giving the number of entries in the argv[] array, and argv, an array of strings that hold the command-line arguments. The strings live in writable process memory, so the program can overwrite them.

Information Networking Security and Assurance Lab National Chung Cheng University 103 Example tcpdump –x –v –n  argv[0] = tcpdump  argv[1] = -x  argv[2] = -v  argv[3] = -n strcpy(argv[0], “xterm”)

Information Networking Security and Assurance Lab National Chung Cheng University 104 Example 2 The two parameter!

Information Networking Security and Assurance Lab National Chung Cheng University 105 Example 2 The tech you want to learn!!

Information Networking Security and Assurance Lab National Chung Cheng University 106 Example 2 Succeed ^_^
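The /proc walk from slides 98-100 and the argv[0] rewrite from slides 102-106, put together as one added Python example (not code from the slides or from the lab). It lists each process's exe link, command line and open descriptors, resolves socket descriptors through /proc/net/tcp, and flags processes whose argv[0] no longer names the same program as the exe link, which is exactly what the strcpy(argv[0], "xterm") trick leaves behind. The fake /proc tree built by demo() is constructed data; the function names and the two-entry TCP_STATES table are my own.

```python
"""Added example: inspect a /proc tree and flag argv[0]/exe mismatches.
Run against the live /proc, or on the constructed tree from demo()."""
import os
import tempfile
from pathlib import Path

# /proc/net/tcp state codes (hex) -> names; only the two used below are mapped
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


def _hex_addr(hexaddr):
    """'0100007F:1F90' -> '127.0.0.1:8080' (IPv4 is stored little-endian in /proc/net/tcp)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port_hex, 16))


def _parse_net_tcp(text):
    """Map socket inode -> 'local -> remote STATE' from /proc/net/tcp contents."""
    sockets = {}
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        state = TCP_STATES.get(f[3], f[3])
        sockets[f[9]] = "%s -> %s %s" % (_hex_addr(f[1]), _hex_addr(f[2]), state)
    return sockets


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:                             # process vanished or no permission
        return None


def inspect_proc(root="/proc"):
    """One record per PID: exe, argv, open fds (sockets resolved) and an
    argv0_mismatch flag set when argv[0] does not name the program behind exe."""
    root = Path(root)
    net_tcp = root / "net" / "tcp"
    sockets = _parse_net_tcp(net_tcp.read_text()) if net_tcp.exists() else {}
    records = []
    pids = sorted((p for p in root.iterdir() if p.name.isdigit()), key=lambda p: int(p.name))
    for entry in pids:
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        exe = _readlink(entry / "exe")
        try:
            fd_entries = list((entry / "fd").iterdir())
        except OSError:
            fd_entries = []
        fds = {}
        for fd in fd_entries:
            target = _readlink(fd)
            if target is None:
                continue
            if target.startswith("socket:["):
                inode = target[len("socket:["):-1]
                target = "socket " + sockets.get(inode, inode)
            fds[int(fd.name)] = target
        argv0 = os.path.basename(argv[0]) if argv else ""
        mismatch = bool(argv0) and exe is not None and argv0 != os.path.basename(exe)
        records.append({"pid": int(entry.name), "exe": exe, "argv": argv,
                        "fds": fds, "argv0_mismatch": mismatch})
    return records


def demo():
    """Build a constructed /proc look-alike in a temp dir and inspect it."""
    base = Path(tempfile.mkdtemp())
    (base / "net").mkdir()
    (base / "net" / "tcp").write_text(
        "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
        "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1 0000000000000000 100 0 0 10 0\n"
        "   1: 0100007F:1F90 0200A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 4242 1 0000000000000000 20 4 30 10 -1\n")
    p = base / "123"                            # honest process: exe and argv[0] agree
    (p / "fd").mkdir(parents=True)
    (p / "cmdline").write_bytes(b"/usr/sbin/sshd\0-D\0")
    os.symlink("/usr/sbin/sshd", p / "exe")
    os.symlink("socket:[1111]", p / "fd" / "3")
    q = base / "456"                            # disguised process: tcpdump after strcpy(argv[0], "xterm")
    (q / "fd").mkdir(parents=True)
    (q / "cmdline").write_bytes(b"xterm\0-x\0-v\0-n\0")
    os.symlink("/usr/sbin/tcpdump", q / "exe")
    os.symlink("/dev/null", q / "fd" / "0")
    os.symlink("socket:[4242]", q / "fd" / "4")
    return inspect_proc(base)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

On a live system the exe link of another user's process is unreadable without root, so collect as root during live response; the mismatch check is a cheap first pass, not proof, since shells and daemons legitimately rewrite argv[0] too.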

Investigating Unix Systems

108 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

109 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

110 4W + 1H: Who, What, When, Where, How

111 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

112 Common log directories: /var/log/, /usr/adm/, /var/adm/, or on the log server; it depends on which flavor of Unix you use

113 System log (1/3): syslogd captures events from programs and subsystems within Unix; it is controlled by /etc/syslog.conf and can log messages across a network

114 System log (2/3): each /etc/syslog.conf line has a facility (type: auth (security), authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0-7), a priority (level: debug, info, notice, warning, err, crit, alert, emerg) and an action

115 System log (3/3): each entry records time/date, hostname, program and PID, operation, IP address. If the action field in /etc/syslog.conf contains the string "@", a remote syslog server is in use

116 TCP Wrapper: a host-based access control service (configured in /etc/inetd.conf). For each connection request, /usr/sbin/tcpd checks /etc/hosts.allow for a matching rule (yes: allow); if none, it checks /etc/hosts.deny for a matching rule (yes: deny; no: allow)
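The tcpd decision flow from slide 116, replayed in an added Python example (my code, not the slides' or tcpd's own): a small hosts.allow/hosts.deny evaluator that follows allow-first, then deny, then the default allow. The rule contents are constructed, only the ALL, network-prefix, domain-suffix and exact-match client patterns are handled, and the EXCEPT operator is left out (an assumption stated in the code).

```python
"""Added example: simulate tcpd's hosts.allow / hosts.deny decision order."""


def parse_rules(text):
    """'daemon_list : client_list [: ...]' lines -> [(daemons, clients), ...].
    Comments and blank lines are skipped; EXCEPT lists are not handled (assumption)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, host, ip):
    """ALL, '192.168.1.' (network prefix), '.lab.example' (domain suffix), or exact name/IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if pattern.startswith("."):
        return host.endswith(pattern)
    return pattern in (host, ip)


def _any_rule_matches(rules, daemon, host, ip):
    for daemons, clients in rules:
        daemon_ok = "ALL" in daemons or daemon in daemons
        if daemon_ok and any(_client_matches(c, host, ip) for c in clients):
            return True
    return False


def tcpd_decision(hosts_allow, hosts_deny, daemon, host, ip):
    """Flow from the slide: hosts.allow match -> allow; else hosts.deny match -> deny;
    else allow. That final fall-through is why an empty hosts.deny matters."""
    if _any_rule_matches(parse_rules(hosts_allow), daemon, host, ip):
        return "allow", "matched /etc/hosts.allow"
    if _any_rule_matches(parse_rules(hosts_deny), daemon, host, ip):
        return "deny", "matched /etc/hosts.deny"
    return "allow", "no rule matched: default allow"


# constructed sample files
HOSTS_ALLOW = """# constructed sample /etc/hosts.allow
sshd    : 192.168.1.
in.ftpd : .lab.example
"""
HOSTS_DENY = "ALL : ALL\n"     # default-deny backstop


if __name__ == "__main__":
    print(tcpd_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", "ws1.lab.example", "192.168.1.20"))
    print(tcpd_decision(HOSTS_ALLOW, "", "sshd", "scanner.example.net", "203.0.113.9"))
```

The second call in the usage shows the weak configuration: with hosts.deny empty, a request that matches nothing in hosts.allow is still admitted, so when reviewing these files check that hosts.deny ends with an ALL : ALL line.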

117 Other network logs, example: xferlog records the time/date, the number of seconds that the transfer took, the remote host, the number of bytes, the transferred file, the type of file transfer, the direction of transfer and the access mode
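The three log formats from slides 113-117 as one added Python example (not from the slides): a parser for /etc/syslog.conf selectors that reports remote "@host" actions, a parser for syslog message lines that pulls out program, PID and IP addresses, and a parser for the wu-ftpd xferlog fields the slide lists. All log lines and the syslog.conf contents are constructed samples; hostnames and user names in them are invented.

```python
"""Added example: parse syslog.conf, syslog message lines and xferlog lines."""
import re

SYSLOG_CONF = """# constructed sample /etc/syslog.conf
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
kern.*                   -/var/log/kern.log
*.emerg                  *
*.*                      @loghost.lab.example
"""


def parse_syslog_conf(text):
    """Each line: selector(s) then action. Selector = facility[,facility].priority,
    several joined by ';'. An action starting with '@' forwards to a remote syslog host."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        pairs = []
        for sel in selector.split(";"):
            facilities, priority = sel.rsplit(".", 1)
            pairs.extend((fac, priority) for fac in facilities.split(","))
        entries.append({"selectors": pairs, "action": action.strip(),
                        "remote": action.startswith("@")})
    return entries


def remote_log_hosts(entries):
    """Hosts that hold a second copy of the logs (collect from them too)."""
    return sorted({e["action"][1:] for e in entries if e["remote"]})


SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog_line(line):
    """Time/date, hostname, program and PID, message, plus any IPv4 addresses in it."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["ips"] = IPV4.findall(rec["msg"])
    return rec


XFER_TYPE = {"a": "ascii", "b": "binary"}
XFER_DIRECTION = {"i": "incoming", "o": "outgoing", "d": "deleted"}
XFER_ACCESS = {"a": "anonymous", "g": "guest", "r": "real"}


def parse_xferlog_line(line):
    """wu-ftpd xferlog: date (5 tokens) transfer-time remote-host bytes file type
    special-flag direction access-mode username ... (trailing fields ignored)."""
    t = line.split()
    if len(t) < 14:
        return None
    return {"date": " ".join(t[:5]), "seconds": int(t[5]), "remote_host": t[6],
            "bytes": int(t[7]), "file": t[8], "type": XFER_TYPE.get(t[9], t[9]),
            "direction": XFER_DIRECTION.get(t[11], t[11]),
            "access_mode": XFER_ACCESS.get(t[12], t[12]), "user": t[13]}


# constructed sample log lines
SAMPLE_SYSLOG = [
    "Mar  7 03:14:15 web1 sshd[2171]: Accepted password for alice from 192.168.0.2 port 54321 ssh2",
    "Mar  7 03:14:40 web1 su[2190]: + pts/0 alice:root",
    "Mar  7 03:15:02 web1 su[2203]: FAILED su for root by bob",
]
SAMPLE_XFERLOG = ("Mon Mar  7 03:20:11 2005 12 192.168.0.2 48213 /home/alice/upload.tgz "
                  "b _ i r alice ftp 0 * c")


if __name__ == "__main__":
    print("remote syslog hosts:", remote_log_hosts(parse_syslog_conf(SYSLOG_CONF)))
    for line in SAMPLE_SYSLOG:
        print(parse_syslog_line(line))
    print(parse_xferlog_line(SAMPLE_XFERLOG))
```

Feeding the remote hosts reported by remote_log_hosts back into the collection plan is the practical payoff: entries an intruder wiped locally often survive on the log server.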

118 su command logs: /var/log/auth.log records both successful and unsuccessful su attempts

119 Logged-on user logs: utmp (who, w) and wtmp (last) are binary files (/var/run/utmp, /var/log/wtmp). Many common hacker programs, such as zap, can selectively remove entries from these files
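Because utmp and wtmp are binary, an added Python example (my code, not the slides') that decodes the records and looks for what a log cleaner leaves behind. It assumes the glibc struct utmp layout on x86_64 Linux (384-byte records); other platforms differ. The sample wtmp is constructed with pack_record and contains a clean login/logout pair, a record wiped to zeros, a session that never ends, and a logout whose login record is missing.

```python
"""Added example: parse utmp/wtmp records and audit them for tampering."""
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64 (assumption): ut_type, pad, ut_pid, ut_line, ut_id,
# ut_user, ut_host, ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6, unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def _ipv4_to_int(ipv4):
    return struct.unpack("<i", bytes(int(o) for o in ipv4.split(".")))[0]


def pack_record(ut_type, pid, line, user, host, tv_sec, ipv4="0.0.0.0"):
    """Build one record (used only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       _ipv4_to_int(ipv4), 0, 0, 0)


def parse_utmp(data):
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "offset": off, "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
            "time_utc": datetime.fromtimestamp(f[9], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "ip": ".".join(str(b) for b in struct.pack("<i", f[11])),
        })
    return records


def audit_wtmp(records):
    """Findings: zeroed records, timestamps that run backwards, logouts without
    a login, and sessions that were never closed."""
    findings, open_sessions, last_ts = [], {}, 0
    for r in records:
        if r["type"] == EMPTY and r["pid"] == 0 and r["time"] == 0:
            findings.append("zeroed record at offset %d (wiped by a log cleaner?)" % r["offset"])
            continue
        if r["time"] < last_ts:
            findings.append("timestamp runs backwards at offset %d (file edited?)" % r["offset"])
        last_ts = max(last_ts, r["time"])
        if r["type"] == USER_PROCESS:
            open_sessions[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_sessions:
                findings.append("logout on %s without a matching login (entry removed?)" % r["line"])
            open_sessions.pop(r["line"], None)
    for r in open_sessions.values():
        findings.append("session on %s for %s from %s never closed" % (r["line"], r["user"], r["host"]))
    return findings


SAMPLE_T0 = 1110166455   # constructed epoch seconds


def build_sample_wtmp():
    """Constructed wtmp: clean login/logout, a wiped record, an open session,
    and a logout whose login record is missing."""
    return b"".join([
        pack_record(USER_PROCESS, 2171, "pts/0", "alice", "192.168.0.2", SAMPLE_T0, "192.168.0.2"),
        pack_record(DEAD_PROCESS, 2171, "pts/0", "", "", SAMPLE_T0 + 600),
        bytes(UTMP_SIZE),
        pack_record(USER_PROCESS, 2300, "pts/1", "bob", "10.0.0.5", SAMPLE_T0 + 900, "10.0.0.5"),
        pack_record(DEAD_PROCESS, 2250, "pts/2", "", "", SAMPLE_T0 + 1000),
    ])


if __name__ == "__main__":
    recs = parse_utmp(build_sample_wtmp())
    for rec in recs:
        print(rec["time_utc"], rec["type"], rec["line"], rec["user"], rec["host"])
    for finding in audit_wtmp(recs):
        print("!", finding)
```

To run it on a real file, read /var/log/wtmp from the forensic copy and pass the bytes to parse_utmp; compare the findings against the last output, since a cleaned wtmp and an honest last listing will not agree.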

120 History file: logs all commands along with their command-line options; kept in the user's home directory

121 Evidence you must watch for: a .bash_history linked to /dev/null

122 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

123 grep: give the item you want to search for and the location; search binary files with the -a option; the -r option is recursive mode

124 grep: you can search the entire raw device

125 find: search from the root directory; the regular expression for "…"; for the details, see man find

126 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

127 atime, mtime, ctime: example of capturing the files with a specific atime

128 SUID, SGID: allow programs to operate with another (higher) privilege; search for the SUID files

129 Some important files: configuration files (/etc/hosts.allow, /etc/hosts.deny, …); startup files (/var/spool/cron/, /usr/spool/cron/, /etc/rc.d, /etc/rc[0-6].d); /tmp/ (something suspicious)

130 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

131 /etc/passwd, /etc/group: check each account's UID, GID, home directory and login shell, and the memberships recorded in /etc/group
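An added Python example (mine, not the slides') that applies the slide 131 checks to passwd and group contents: extra UID 0 accounts, duplicate UIDs, system accounts with a login shell, home directories in odd places, and who sits in the administrative groups. The file contents are constructed, and the UID threshold, shell list and group names are assumptions encoded as constants.

```python
"""Added example: audit /etc/passwd and /etc/group for unauthorized accounts."""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
ADMIN_GROUPS = ("root", "wheel", "sudo")       # assumption: groups worth listing
SYSTEM_UID_MAX = 999                            # assumption: UIDs below 1000 are system accounts
SUSPICIOUS_HOMES = ("/tmp", "/dev", "/var/tmp")


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def parse_group(text):
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def audit_accounts(passwd_text, group_text):
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    return {
        # any UID 0 account other than root is a second superuser
        "extra_uid0": [u["name"] for u in users if u["uid"] == 0 and u["name"] != "root"],
        "duplicate_uid": {uid: names for uid, names in by_uid.items() if len(names) > 1},
        # system accounts normally have no interactive shell
        "system_with_shell": [u["name"] for u in users
                              if 0 < u["uid"] <= SYSTEM_UID_MAX and u["shell"] not in NOLOGIN_SHELLS],
        "odd_home": [u["name"] for u in users
                     if any(u["home"] == p or u["home"].startswith(p + "/") for p in SUSPICIOUS_HOMES)],
        "primary_gid0": [u["name"] for u in users if u["gid"] == 0 and u["name"] != "root"],
        "admin_group_members": {g: groups[g]["members"] for g in ADMIN_GROUPS if g in groups},
    }


# constructed sample files
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/tmp:/bin/sh
games:x:5:60:games:/usr/games:/bin/bash
"""
GROUP = """root:x:0:
wheel:x:10:alice,games
users:x:100:alice
"""


if __name__ == "__main__":
    for key, value in audit_accounts(PASSWD, GROUP).items():
        print(key, value)
```

On a real image, run it over the copied /etc/passwd and /etc/group and diff the result against a known-good baseline from the same build; the constants are where local policy goes.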

132 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

133 Some examples: use the ps and netstat commands to detect rogue processes

134 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

135 Your open services: when conducting your investigation of the Unix system, you will need to examine all network services as potential access points

136 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

137 Something you must watch: trust relationships between HostA and HostB (/etc/hosts.equiv, $HOME/.rhosts) and sniffers (dsniff, arpredirect)

138 Outline: Preface; Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts or groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships; Check for kernel module rootkits

139 Rootkits and LKMs: what is different (modified or replaced?); how to detect (external, internal)

140 Some tools: chkrootkit, KSTAT

Investigating Hacker Tools

142 Outline: Preface; How files are compiled; Static analysis of a hacker tool; Dynamic analysis of a hacker tool

143 Outline: Preface; How files are compiled; Static analysis of a hacker tool; Dynamic analysis of a hacker tool

144 The goals: prevent similar attacks in the future; assess an attacker's skill or threat level; determine the extent of a compromise; determine if any damage was done; determine the number and type of intruders; prepare yourself for a successful subject interview if you catch the attacker; determine the attacker's objectives and goals

145 Outline: Preface; How files are compiled; Static analysis of a hacker tool; Dynamic analysis of a hacker tool

146 Statically linked programs: a statically linked executable file contains all the code necessary to successfully run the application; it has no dependencies

147 Dynamically linked programs: shared libraries contain commonly used functions and routines; they reduce the size of the executable file, conserve system memory, and can be updated without changing the original programs

148 Static program vs. dynamic program (diagram): a statically compiled program carries the printf function within its own object code; a dynamically compiled program carries only a printf stub that references another memory location, the shared library loaded in system memory

149 Programs compiled with debug options include a lot of information about the program and its source code

150 The comparison of the file sizes (screenshot)

151 The stripped programs: strip discards all symbols from the object code to make a file much smaller and perhaps more optimal for execution (the command line; the smaller file size)

Programs packed with UPX (Ultimate Packer for eXecutables): an effective compression tool for executable files; a hacker can use it to obscure illicit programs from signature-based IDS; a review of the ASCII-formatted strings within the rogue code will show whether UPX was used to compress the executable

153 An example of UPX

154 An example of symbol extraction (1/2): $ nm -a zapdynamic; if debugging information is included, use $ nm -al zapdebug; the output shows the symbol value and symbol type

155 An example of symbol extraction (2/2): a lowercase symbol type is a local variable, an uppercase one a global variable; see $ man nm
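The questions from slides 146-155 (static or dynamic, stripped or not, UPX-packed?) and the file-type step of static analysis, answered from the ELF headers in an added Python example that is my own code, not the slides' and not the file or nm tools. It assumes little-endian ELF64 only; the sample binaries are constructed header-only images built by build_sample_elf, and the "UPX!" marker check mirrors the strings review the UPX slide describes.

```python
"""Added example: classify an ELF file from its headers without running it."""
import struct
import sys

EHDR = "<16sHHIQQQIHHHHHH"      # ELF64 file header, 64 bytes
PHDR = "<IIQQQQQQ"              # ELF64 program header, 56 bytes
SHDR = "<IIQQQQIIQQ"            # ELF64 section header, 64 bytes
PT_DYNAMIC, PT_INTERP = 2, 3
SHT_SYMTAB = 2
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_summary(data):
    """Type, linking (PT_INTERP/PT_DYNAMIC present -> dynamic), stripped (.symtab
    missing), and whether the UPX marker string appears anywhere in the file."""
    if data[:4] != b"\x7fELF":
        return {"is_elf": False}
    if data[4] != 2 or data[5] != 1:            # EI_CLASS 64-bit, EI_DATA little-endian only
        return {"is_elf": True, "supported": False}
    (_ident, e_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(EHDR, data, 0)
    interp, dynamic = None, False
    for i in range(e_phnum):
        p_type, _f, p_offset, _v, _p, p_filesz, _m, _a = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode(errors="replace")
        elif p_type == PT_DYNAMIC:
            dynamic = True
    has_symtab = False
    for i in range(e_shnum):                    # a packed or sectionless file simply has none
        sh_type = struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)[1]
        if sh_type == SHT_SYMTAB:
            has_symtab = True
    return {"is_elf": True, "supported": True, "type": E_TYPES.get(e_type, e_type),
            "machine": e_machine,
            "linked": "dynamic" if (dynamic or interp) else "static",
            "interp": interp, "stripped": not has_symtab,
            "upx": b"UPX!" in data}


def build_sample_elf(dynamic=True, with_symtab=True, upx=False):
    """Constructed minimal ELF64 image (headers only, not loadable) for testing."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    n_ph = 3 if dynamic else 1
    ph_end = 64 + 56 * n_ph
    payload = (interp if dynamic else b"") + (b"UPX!" if upx else b"") + bytes(8)
    sh_off = ph_end + len(payload)
    n_sh = 2 if with_symtab else 1
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), 3 if dynamic else 2, 62, 1,
                       0x401000, 64, sh_off, 0, 64, 56, n_ph, 64, n_sh, 0)
    phdrs = struct.pack(PHDR, 1, 5, 0, 0x400000, 0x400000, sh_off, sh_off, 0x1000)  # PT_LOAD
    if dynamic:
        phdrs += struct.pack(PHDR, PT_INTERP, 4, ph_end, 0, 0, len(interp), len(interp), 1)
        phdrs += struct.pack(PHDR, PT_DYNAMIC, 6, ph_end + len(interp), 0, 0, 0, 0, 8)
    shdrs = bytes(64)                                                   # SHT_NULL
    if with_symtab:
        shdrs += struct.pack(SHDR, 1, SHT_SYMTAB, 0, 0, sh_off, 0, 0, 0, 8, 24)
    return ehdr + phdrs + payload + shdrs


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(target, "rb") as fh:
        print(target, elf_summary(fh.read()))
    print("constructed static+stripped:", elf_summary(build_sample_elf(False, False)))
```

Compare the result with what file and nm report on the same binary: a "dynamic" verdict with no .symtab is the stripped, dynamically linked case from slide 151, and a "static" verdict plus the UPX marker is the packed tool the UPX slide warns about, which must be unpacked before strings or nm say anything useful.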

156 Outline: Preface; How files are compiled; Static analysis of a hacker tool; Dynamic analysis of a hacker tool

157 What it is and the steps you should follow: static analysis is tool analysis performed without actually executing the rogue code. The general approach involves the following steps: determine the type of file you are examining; review the ASCII and Unicode strings contained within the binary file; perform online research to determine if the tool is publicly available on computer security or hacker sites; perform source code review if you either have the source code or believe you have identified the source code via online research

158 Determine the type of file: the file command and its magic file

159 Review the ASCII and Unicode strings: $ strings -a filename; $ hexedit lets you see Unicode and ASCII strings within a file at the same time. Look for the following items: the names of the source code files before the application was compiled; the exact compiler used to create the file; the "help" strings in the tool; the error messages that the program displays; the values of static variables

160 Performing online research and source code review: it is very helpful to find the same tool. Two occasions: the attacker leaves the source code on the system; you find the identical program from another source with the proper source code

161 Outline: Preface; How files are compiled; Static analysis of a hacker tool; Dynamic analysis of a hacker tool

162 What it is and the tasks you should do: dynamic analysis of a tool takes place when you execute rogue code and interpret its interaction with the host operating system. The methodology must include the following tasks: monitor the time/date stamps to determine what files a tool affects; run the program to intercept its system calls; perform network monitoring to determine if any network traffic is generated; monitor how Windows-based executables interact with the Registry

163 Set up your test environment: you need to invest the time to set up the proper test environment (VMware). Make sure that the test system is not connected to the Internet (beacon packets, phone home), or execute it on a closed network

164 Intercept the system calls: user applications use system calls to request services from the kernel. System trace ($ strace) is a wiretap between a program and the operating system: name the output file, then execute the rogue program

165 The example 1 of strace

166 The example 2 of strace (1/3)

167 The example 2 of strace (2/3)

168 The example 2 of strace (3/3)

169 Conducting analysis beyond strace: debugging and decompiling (the Linux Assembly web site; Tool Interface Standards and manuals on the Dr. Dobb's Microprocessor Resources web site); objdump, nm, gdb

170 Dynamic analysis on a Windows system: filemon provides a wiretap between running processes and the file system; regmon taps a process's interaction with the Windows Registry; listdlls shows all of the DLLs needed by a process; fport determines what ports the rogue program opens; pslist determines if a process changes its process name after execution

171 filemon

172 regmon

173 listdlls

174 fport

175 pslist

F.I.R.E. Forensics & Incident Response Environment

177 Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion

178 Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion

179 What and the purpose: examine an unknown malware binary with open source tools (The Sleuth Kit, autopsy, strings, hexedit, …); F.I.R.E. packages all the tools together on a bootable CD

180 Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion

181 Under unknown conditions you can still establish: possibly where the binary came from; what the binary's purpose is; possibly when the system was compromised and the binary installed; and perhaps which user ID facilitated the compromise of the system

182 Binary details from the archive: the file size when extracted, the file size within the archive, the last modified time, CRC number, user ID, md5sum, …

183 The strings command parses an input file and outputs its readable strings. Read them in program order: the code may deal with creating and starting services; it may be an ICMP back-door to a cmd.exe shell

184 The hexedit command. The purposes: confirm the function of the application; confirm (possibly) who was involved in its creation or distribution. The command line, and some information you are interested in

185 The person who may have compiled, written or created the zip file; it may be an ICMP back-door to a cmd.exe shell

186 Possibly the hacker's message; smesses.exe and reg.exe: querying and modifying registry entries; the IP address

187 Some DLL files: KERNEL32.dll, ADVAPI32.dll, WS2_32.dll, MSVCRT.dll, MSVP60.dll

188 The objdump command views library information about a binary executable; the -p option prints the object header information (the command; the time and date)

189 The kernel interface deals with pipes and handles, so the application was talking to interfaces, processes or other applications

190 The application was doing something to the system services

191 Possibly socket and IOCTL calls, so the application is definitely communicating with external applications through a socket

192 Shows the basic terminal I/O communications through the standard MSVCRT library

193 The f-prot command: a virus scanner that can live-update (/usr/local/f-prot/update-defs.sh); the command; it found nothing

194 All evidence leads me to conclude: an ICMP back-door to cmd.exe; the default password may be loki; coded by the Spoof Hacker group (MFC); may have been installed by the local user Rich

195 From Google: 2.tar.gz, coded as a Windows version based on loki2 for Unix-like OS

196 Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion

197 What: a bootable Linux CD that turns any machine into a forensics workstation; boots the entire system without touching the local system; open source

198 How: F.I.R.E. runs within a RAM disk so that it does not touch the system or the images; log the information you need to the /data/ directory

199 Two quick ways of using F.I.R.E.: burn the ISO to a CD and boot from it; the ISO can be booted from within VMware

200 Autopsy: graphical interface. Some features: case management, file analysis, file content analysis, file type, hash database, timeline of file activity, keyword search, metadata analysis, image details, image integrity, notes, reports, logging, open design, client-server model

201 Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion

202 The compromised image: from the Digital Forensics Research Workshop download site

203 VMware: select the ISO image; the beginning

204 Set up your network (1/2): prompt mode; start menu; many options

205 Set up your network (2/2): command line; set up the IP address, netmask and default gateway

206 Log your activity, like the script command: right-click -> Shells/Consoles -> logging -> respawn all logging xterms. The data is saved to /data/consolelogs/$user/$date-$tty.log

207 consh and replay: consh (shell script) does the logging; replay (command): # replay with the tty_ttyp0.log.timing and tty_ttyp0.log files

208 Start command: you must point your browser at this URL to start

209 Set up the case: select /data/

210 Add host

211 Add image

212 Analysis types: file analysis (browse the various files available on the image, including deleted files); keyword search (search the image for various keywords); file type (run the sorter that counts the various file types on the image); image details (summary data about the image); metadata (enter a metadata number to search); data unit (enter a sector number)

213 Some tests (1/6)

214 Some tests (2/6): enter what you want to search for; quick search

215 Some tests (3/6): summary

216 Some tests (4/6)

217 Some tests (5/6)

218 Some tests (6/6)

219 The final step: create the data file; create the timeline; tar & md5sum


222 Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion

223 Conclusion: do not touch the local system

224 Additional information (1/2): a VNC connection over the Internet

225 Additional information (2/2): some legal issues; go to the INSA Knowledge-Base