Covering Tracks and Hiding 1 Covering Tracks and Hiding.

Covering Tracks and Hiding 2 In This Chapter…
 Hiding evidence
  o Altering log files
  o Hidden files
 Practical covert channels

Covering Tracks and Hiding 3 Intro
 Attacks happen
  o See zone-h.com
 Some attackers want attention
 Recently, more stealthy attacks
  o “Silent” attacks (botnets)
  o Attacker must hide tracks

Covering Tracks and Hiding 4 Altering Event Logs
 Even rootkits leave traces in log files
 With admin privilege
  o Attacker could delete log files
  o Probably a bad idea…
 A better idea: selectively edit logs
 How?

Covering Tracks and Hiding 5 Logs in Windows
 EventLog is logging service
  o Files ending with .LOG
  o E.g., SECURITY, SYSTEM, APPLICATION
 This info moved to main event logs
  o SECEVENT.EVT, SYSEVENT.EVT, …
  o The .EVT files read by admin using Windows Event Viewer

Covering Tracks and Hiding 6 Windows Event Viewer

Covering Tracks and Hiding 7 Windows Logs
 SECEVENT.EVT
  o Failed logins, policy changes, attempts to access files without permission, etc.
 SYSEVENT.EVT
  o E.g., details of driver failure
 APPEVENT.EVT
  o Application-related issues

Covering Tracks and Hiding 8 Windows Logs
 Altering event logs
  o At minimum, must change SECEVENTs
 EVT files “locked” and binary format
  o Cannot open/edit with usual tools
 With physical access…
  o …boot to Linux and edit logs
  o Not practical in most cases

Covering Tracks and Hiding 9 Windows Logs
 Event editing tools
  o None for XP (as of writing)
  o Do exist for NT/2000
 WinZapper
  o Attacker can selectively edit EVT files
  o But, must reboot machine to restart EventLog service

Covering Tracks and Hiding 10 WinZapper

Covering Tracks and Hiding 11 UNIX Logging
 Log files usually in ASCII text
 With privilege, easy to edit
 Config file tells where log files located
 Attacker can locate files, and edit
 Also “accounting files”
  o utmp, wtmp, lastlog
  o Binary files, so harder to edit

Covering Tracks and Hiding 12 UNIX Logging
 Tools to edit accounting files
  o Many at
  o Simple Nomad effect on many versions
  o Other similar tools: wtemped, marry, cloak, logwedit, wzap, zapper
 Accounting file editing tool is standard part of most rootkits
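
The accounting files on slides 11 and 12 are fixed-size binary records, and the editing tools listed above typically zero a target's records in place. The following added example (not from the slides) parses a wtmp/utmp blob and flags records that were zeroed between real entries; it assumes the 384-byte glibc x86_64 record layout, and the sample records are constructed.

```python
import struct

# glibc utmp/wtmp record layout on x86_64 (384 bytes). This is an assumption of
# the example; other platforms use different sizes and field orders.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8    # ut_type values

def _cstr(b):
    """Decode a NUL-padded fixed-width text field."""
    return b.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """Yield one dict per fixed-size record in a wtmp/utmp/btmp blob."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"index": off // UTMP_SIZE, "type": f[0], "pid": f[1],
               "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "time": f[9]}

def find_wiped(data):
    """Accounting-file editors usually overwrite a target's records with zeros
    in place. Such a record is an all-zero EMPTY entry sitting between real
    entries; return the indices of those (a zero tail is left alone, since
    utmp keeps preallocated empty slots at the end)."""
    recs = list(parse_wtmp(data))
    zero = [r["type"] == EMPTY and r["pid"] == 0 and r["time"] == 0 for r in recs]
    last_real = max((i for i, z in enumerate(zero) if not z), default=-1)
    return [recs[i]["index"] for i, z in enumerate(zero) if z and i < last_real]

def make_record(utype, pid, line, user, host, ts):
    """Build a constructed record for the sample below (not real login data)."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample: a login, a record zeroed by a zapper, a logout, a login.
SAMPLE = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1714557600),
    bytes(UTMP_SIZE),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1714561200),
    make_record(USER_PROCESS, 1420, "pts/1", "bob", "10.0.0.9", 1714564800),
])

if __name__ == "__main__":
    for r in parse_wtmp(SAMPLE):
        print(r)
    print("wiped record indices:", find_wiped(SAMPLE))
```

Run it against a copy of a real wtmp with `find_wiped(open("/var/log/wtmp", "rb").read())`; comparing the result with the same file forwarded to a separate log server (slide 14) shows what was removed.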

Covering Tracks and Hiding 13 Shell History Files
 List of command line commands issued
 Attacker would like to edit this
 Files are in ASCII, easy to edit
  o Can insert lines too
  o Why might this be useful?
 Commands written to shell history file
  o When shell is exited gracefully
  o How to get around this?

Covering Tracks and Hiding 14 Defenses
 Activate logging
  o Log according to some specified policy
 Periodically audit logging
 Allow plenty of space for logs
 Restrictive permissions on log files
 Use separate server for logging
  o Logs redirected to logging server
  o Not everything can be redirected

Covering Tracks and Hiding 15 Defenses
 Encrypt log files
 Make log files append-only
  o Little more than a “speed bump”
 Store logs on unalterable media
  o E.g., non-rewritable CD/DVD

Covering Tracks and Hiding 16 Hidden Files
 Why would attacker use hidden files?
  o Store attack tools
  o Save sniffed passwords, etc.
 What does “hidden” mean?
  o Maybe just hard to find
  o Or easily overlooked

Covering Tracks and Hiding 17 Hidden Files
 In UNIX, prepend “.” to filename
 Use “.” followed by space(s)
  o What the … ?
 Other ideas?
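
The naming tricks on slide 17 are easy to overlook in an `ls` listing but easy to test for mechanically. This added example (not from the slides) classifies directory entry names by the patterns above plus the obvious neighbours (names made only of dots and spaces, trailing whitespace, control characters); the sample listing is constructed, and the pattern list is the example's own choice.

```python
import os
import re

# Filename patterns that suggest deliberate hiding rather than ordinary dotfiles:
# a dot followed only by whitespace, names made only of dots and spaces
# (e.g. "..." or ". "), trailing whitespace, or control characters.
SUSPICIOUS = [
    (re.compile(r"^\.\s+$"), "dot followed by whitespace"),
    (re.compile(r"^[.\s]+$"), "only dots and spaces"),
    (re.compile(r"\s$"), "trailing whitespace"),
    (re.compile(r"[\x00-\x1f\x7f]"), "control character in name"),
]

def classify_name(name):
    """Return the reasons a single directory entry looks deliberately hidden."""
    if name in (".", ".."):          # the real directory entries are not findings
        return []
    return [why for pat, why in SUSPICIOUS if pat.search(name)]

def scan_names(names):
    """Classify a list of entry names (e.g. from os.listdir) -> {name: reasons}."""
    return {n: classify_name(n) for n in names if classify_name(n)}

def scan_tree(root):
    """Walk a directory tree and report suspicious entries by full path."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            reasons = classify_name(n)
            if reasons:
                findings[os.path.join(dirpath, n)] = reasons
    return findings

# Constructed listing of a directory an attacker might use as a stash.
SAMPLE = [".", "..", ".bashrc", ". ", "...", ".  ", "tools\x01", "notes.txt", "backup "]

if __name__ == "__main__":
    for name, reasons in scan_names(SAMPLE).items():
        print(repr(name), "->", ", ".join(reasons))
```

Ordinary dotfiles such as `.bashrc` are deliberately not reported; a file-integrity baseline (slide 21) is still the way to catch a hidden file with an innocent-looking name.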

Covering Tracks and Hiding 18 Hidden Files in Windows
 Use “hidden” attribute
  o Very lame

Covering Tracks and Hiding 19 Hidden Files in Windows

Covering Tracks and Hiding 20 Hidden Files in Windows
 Alternate Data Streams (ADS)
  o Available in NTFS
  o Multiple streams of data can be associated with a single file
  o These streams can store any info
  o “Usual” view is just one such stream
  o Fairly effective means of hiding files

Covering Tracks and Hiding 21 Defenses
 File integrity checking
 Host-based IDS
 In Windows, use ADS-aware tools
  o CrucialADS, LADS, for example

Covering Tracks and Hiding 22 Covert Channels
 Suppose attacker has…
  o Gotten access
  o Installed evil code/tools
  o Covered their tracks, etc.
 Attacker still needs to communicate
  o How to do this without detection?
 Covert channel
  o “communication path not intended as such by system’s designers”

Covering Tracks and Hiding 23 Covert Channels

Covering Tracks and Hiding 24 Covert Channels
 In networked systems…
  o Covert channels are everywhere!
 When does a covert channel exist?
  1. Sender and receiver have a shared resource
  2. Sender able to vary property of resource that receiver can observe
  3. Communication between sender and receiver can be synchronized

Covering Tracks and Hiding 25 Covert Channels
 Examples of covert channels?
 How to eliminate covert channels?
  o Easy: eliminate all communication and shared resources
  o DoD gave up on eliminating covert channels
  o Instead, try to reduce the capacity
  o Does this solve the problem?
  o Does it help?

Covering Tracks and Hiding 26 Tunneling
 Q: What is tunneling?
 A: One protocol carries another
  o E.g., SSH used to carry Telnet
  o E.g., TCP/IP (RFC 1149 and RFC 2549)
 Tunneling used for covert channel
  o We look at Loki, Reverse WWW Shell

Covering Tracks and Hiding 27 Loki
 Suppose
  o Attacker 0wns server
  o Server network allows incoming ICMP (ping/traceroute)
 Loki pronounced “low key”
  o Provides shell access over ICMP
  o “Better” than TCP/UDP backdoors

Covering Tracks and Hiding 28 Loki
 Trudy installs Loki server on server
  o Lokid (“low key dee”)
  o Must run as root
  o Grabs incoming ICMP packets from kernel
 Trudy installs Loki client on her machine
  o Data sent to Lokid using ICMP
  o Under radar of most backdoor detection (Why?)
  o ICMP has no concept of a port

Covering Tracks and Hiding 29 Loki

Covering Tracks and Hiding 30 Loki
 Optionally, uses UDP port 53
  o Switch between ICMP/UDP on the fly
 Supports encryption
  o Using Blowfish encryption
  o Diffie-Hellman key exchange
 Other similar tools
  o CCTT and MSNShell
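
Slides 27 to 30 explain why a shell carried in ICMP slips past port-based backdoor detection; what it cannot hide is that the ICMP payloads stop looking like ping. This added example (not from the slides) runs three checks over decoded ICMP records: payload sizes that vary within a conversation, high-entropy payloads, and echo replies with no matching request. The records and thresholds are constructed for the example.

```python
import math
from collections import Counter, defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

def entropy(b):
    """Shannon entropy of a payload in bits per byte (0 for an empty payload)."""
    if not b:
        return 0.0
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in Counter(b).values())

def icmp_findings(records, max_entropy=6.0):
    """records: list of (src, dst, icmp_type, ident, seq, payload).
    Flags per (src, dst) pair: payload sizes that vary between packets
    (a fixed-size ping body does not), high-entropy payloads, and echo
    replies for which no matching echo request was seen."""
    requests = {(r[0], r[1], r[3], r[4]) for r in records if r[2] == ECHO_REQUEST}
    pairs = defaultdict(list)
    for r in records:
        pairs[(r[0], r[1])].append(r)
    findings = {}
    for key, recs in pairs.items():
        reasons = set()
        if len({len(r[5]) for r in recs}) > 1:
            reasons.add("variable_payload_size")
        if any(entropy(r[5]) > max_entropy for r in recs):
            reasons.add("high_entropy_payload")
        for src, dst, typ, ident, seq, _ in recs:
            if typ == ECHO_REPLY and (dst, src, ident, seq) not in requests:
                reasons.add("unsolicited_reply")
        if reasons:
            findings[key] = sorted(reasons)
    return findings

# Constructed traffic. A normal ping body: 8-byte timestamp + the 0x10..0x37 pattern.
PING_BODY = bytes(8) + bytes(range(0x10, 0x38))
SAMPLE = [
    ("10.0.0.5", "203.0.113.9", ECHO_REQUEST, 0x1A2B, 1, PING_BODY),
    ("203.0.113.9", "10.0.0.5", ECHO_REPLY,   0x1A2B, 1, PING_BODY),
    ("10.0.0.5", "203.0.113.9", ECHO_REQUEST, 0x1A2B, 2, PING_BODY),
    ("203.0.113.9", "10.0.0.5", ECHO_REPLY,   0x1A2B, 2, PING_BODY),
    # Tunnel-like exchange: replies with dense, variable payloads and no requests.
    ("198.51.100.7", "10.0.0.8", ECHO_REPLY, 0x7777, 1, bytes(range(256))[:90]),
    ("198.51.100.7", "10.0.0.8", ECHO_REPLY, 0x7777, 2, bytes(range(256))[:200]),
]

if __name__ == "__main__":
    for pair, reasons in icmp_findings(SAMPLE).items():
        print(pair, reasons)
```

The entropy check is the one that survives the tool's optional Blowfish encryption (slide 30); the other two still work when it falls back to UDP port 53, provided the size and request/reply logic is applied to that traffic instead.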

Covering Tracks and Hiding 31 Reverse WWW Shell
 Covert channel using HTTP
 Reverse WWW Shell installed on machine on network
  o Every 60 seconds, it “phones home”
  o I.e., contacts external master server
  o The “reverse” part: it pulls in commands
  o Looks like normal Web traffic

Covering Tracks and Hiding 32 Reverse WWW Shell

Covering Tracks and Hiding 33 Reverse WWW Shell
 Sometimes username/pwd required to access Web
  o If known, Reverse WWW Shell can automate
 Note that other protocols could be used
 Reverse WWW Shell idea used by some legitimate software
  o E.g., remote GUI access to machine
  o See GoToMyPC.com
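
Each request from Reverse WWW Shell looks like normal Web traffic, but the 60-second "phone home" on slide 31 gives the whole stream a metronome that a human browsing session lacks. This added example (not from the slides) reads a constructed proxy log and flags client/host pairs whose request intervals are nearly constant; the log format, the 10 % jitter threshold and the minimum request count are the example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <method> <host>" per line.
LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET updates.example-cdn.net
2024-05-01T10:01:00 10.0.0.5 GET updates.example-cdn.net
2024-05-01T10:02:01 10.0.0.5 GET updates.example-cdn.net
2024-05-01T10:03:00 10.0.0.5 GET updates.example-cdn.net
2024-05-01T10:03:59 10.0.0.5 GET updates.example-cdn.net
2024-05-01T10:05:00 10.0.0.5 GET updates.example-cdn.net
2024-05-01T10:00:12 10.0.0.7 GET news.example.org
2024-05-01T10:00:15 10.0.0.7 GET news.example.org
2024-05-01T10:07:40 10.0.0.7 GET news.example.org
2024-05-01T10:31:02 10.0.0.7 GET news.example.org
2024-05-01T11:10:00 10.0.0.7 GET news.example.org
2024-05-01T11:10:03 10.0.0.7 GET news.example.org
"""

def parse(log):
    """Group request timestamps by (client, host)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, client, _method, host = line.split()
        flows[(client, host)].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(log, min_requests=5, max_jitter=0.1):
    """Return {(client, host): mean interval seconds} for pairs whose gaps
    between requests are nearly constant: coefficient of variation of the
    gaps (standard deviation / mean) at or below max_jitter."""
    out = {}
    for key, times in parse(log).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < min_requests or not gaps:
            continue
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out[key] = round(avg, 1)
    return out

if __name__ == "__main__":
    for (client, host), interval in beacon_candidates(LOG).items():
        print(f"{client} -> {host}: request every ~{interval}s")
```

Legitimate software that polls on a fixed schedule (the GoToMyPC-style tools on slide 33, update checkers) trips the same test, so the output is a list to triage against known-good destinations, not a verdict.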

Covering Tracks and Hiding 34 Covert Channels and Malware
 Consider spyware to steal passwords
 How to exfiltrate passwords?
  o Piggyback on legitimate outbound traffic
  o In Windows, IE is a natural choice
  o HTTP/HTTPS
 Malware often designed as a Browser Helper Object (BHO) for IE

Covering Tracks and Hiding 35 Headers as Covert Channels
 Lots of room for covert channels
  o E.g., unused bits
  o But possible to be more clever
 Tools
  o Covert_TCP
  o Nushu

Covering Tracks and Hiding 36 IP & TCP Headers

Covering Tracks and Hiding 37 Covert_TCP
 Covert_TCP can make use of
  o IP identification
  o TCP sequence number
  o TCP ACK number
 Lots of other possible covert channels
  o Only 3 above used by Covert_TCP
 NAT or proxy will cause problems
  o But IP ID may still work through NAT

Covering Tracks and Hiding 38 Covert_TCP
 IP identification
  o Insert one ASCII character
  o Read it at other end
 TCP sequence number
  o Send SYN with ASCII character as initial sequence number
  o Reply with RESET
  o Ironically, RESET acts as ACK

Covering Tracks and Hiding 39 Covert_TCP
 TCP ACK number
  o Most sophisticated option
  o Involves server (sender), client (receiver), and unwitting “bounce server”
  o Data “bounces” off bounce server

Covering Tracks and Hiding 40 Covert_TCP
 TCP ACK number
 Client sends SYN packet to bounce server
  o Source address spoofed to client’s address
  o ISN is one less than desired ASCII character
 Bounce server responds to client
  o Either SYN ACK or RESET
  o Either way, ISN incremented by 1
 Server recovers ASCII character (ISN)
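
The two simpler Covert_TCP modes on slides 37 and 38 leave a measurable fingerprint: a run of IP identification values that all fall in the printable ASCII range, or a SYN whose initial sequence number is a single byte where a real ISN is a 32-bit pseudo-random value. This added example (not from the slides) scores decoded packet records on both signs and hands the analyst the bytes a flagged IP ID run spells out; the records, the run length and the ratio are constructed assumptions.

```python
from collections import defaultdict

def printable(v):
    """True when a header field value is a printable ASCII code."""
    return 0x20 <= v <= 0x7E

def suspicious_flows(packets, min_packets=6, ratio=0.9):
    """packets: list of (src, dst, ip_id, tcp_seq, is_syn).
    Groups by (src, dst) and flags a flow when
      - nearly every IP ID is a printable ASCII value (IP ID channel), or
      - a SYN carries an initial sequence number below 256 (an ASCII byte
        used as the ISN).
    The IP IDs of a flagged flow are decoded as text for the analyst."""
    flows = defaultdict(list)
    for src, dst, ip_id, seq, syn in packets:
        flows[(src, dst)].append((ip_id, seq, syn))
    findings = {}
    for flow, recs in flows.items():
        ids = [ip_id for ip_id, _, _ in recs]
        reasons = []
        if len(ids) >= min_packets and sum(map(printable, ids)) / len(ids) >= ratio:
            reasons.append("ip_id_ascii")
        if any(syn and seq < 256 for _, seq, syn in recs):
            reasons.append("tiny_isn")
        if reasons:
            findings[flow] = {"reasons": reasons,
                              "ip_id_text": "".join(chr(i) if printable(i) else "?" for i in ids)}
    return findings

# Constructed packet records. Flow 1 spells a word in its IP IDs; flow 2 is an
# ordinary flow with incrementing IDs; flow 3 is a lone SYN with a one-byte ISN.
PACKETS = [
    ("10.0.0.5", "203.0.113.9", ord(c), 0x9A3F1C22 + i, i == 0)
    for i, c in enumerate("secret")
] + [
    ("10.0.0.7", "198.51.100.2", 0x4E21 + i, 0x1F9B77A0 + i, i == 0) for i in range(6)
] + [
    ("10.0.0.9", "192.0.2.44", 0x0101, ord("A"), True),
]

if __name__ == "__main__":
    for flow, info in suspicious_flows(PACKETS).items():
        print(flow, info)
```

A legitimately incrementing IP ID counter passes through the 0x20 to 0x7E range for about a hundred packets, which is why the check asks for a sustained run and a high ratio rather than a single hit.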

Covering Tracks and Hiding 41 Covert_TCP

Covering Tracks and Hiding 42 Nushu
 Uses a “passive” covert channel
  o Data sent from host to gateway
 Embeds info in other (real) packets
 Alters ISN to contain data
 Assumes attacker also controls gateway
  o At gateway, read data from ISN and forward it
 How much data can be transferred?

Covering Tracks and Hiding 43 Nushu

Covering Tracks and Hiding 44 Nushu

Covering Tracks and Hiding 45 Nushu

Covering Tracks and Hiding 46 Nushu
 Implemented as Linux kernel module
 Creates “issue” with seq numbers
 Suppose the good guys
  o …sniff packets on host
  o …and same packets elsewhere on LAN
  o What anomaly will they see?
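
One way to carry out the comparison the slide proposes, as an added example that is not from the slides: reduce both captures to SYN records keyed by their 4-tuple and report every connection whose initial sequence number differs between the host's view and the LAN's view. The records are constructed; a real pipeline would produce them from the two pcaps.

```python
# Constructed SYN observations from two vantage points, as (src, sport, dst, dport, isn).
# HOST_VIEW: recorded by a sniffer on the suspect host; LAN_VIEW: the same SYNs
# captured on a mirror port elsewhere on the LAN. Values are made up for the example.
HOST_VIEW = [
    ("10.0.0.5", 40001, "203.0.113.9", 443, 0x7A1C33D0),
    ("10.0.0.5", 40002, "203.0.113.9", 443, 0x5BE09F12),
    ("10.0.0.5", 40003, "198.51.100.2", 80, 0x1F0A77C4),
]
LAN_VIEW = [
    ("10.0.0.5", 40001, "203.0.113.9", 443, 0x7A1C33D0),
    ("10.0.0.5", 40002, "203.0.113.9", 443, 0x5BE09E41),   # differs from the host's copy
    ("10.0.0.5", 40003, "198.51.100.2", 80, 0x1F0A77C4),
]

def isn_mismatches(host_view, lan_view):
    """Join SYNs on their 4-tuple and return the ones whose initial sequence
    number differs between the two captures. Absent NAT or a sequence-number
    randomising middlebox between the vantage points, the ISN on the wire
    should equal the one the host's TCP stack chose, so a difference points
    at something rewriting the packet on its way out."""
    host_isn = {rec[:4]: rec[4] for rec in host_view}
    out = []
    for src, sport, dst, dport, isn in lan_view:
        key = (src, sport, dst, dport)
        if key in host_isn and host_isn[key] != isn:
            out.append({"flow": key, "host_isn": host_isn[key], "lan_isn": isn,
                        "xor": host_isn[key] ^ isn})   # which bits were changed
    return out

if __name__ == "__main__":
    for m in isn_mismatches(HOST_VIEW, LAN_VIEW):
        print(m)
```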

Covering Tracks and Hiding 47 Defenses
 No effective defense against covert channels once attacker has access
 So, keep attackers out
  o Secure configuration
  o Apply patches
  o Antivirus
  o Monitor for BHOs in IE

Covering Tracks and Hiding 48 Defenses
 Know what is normal
  o Good luck!
 Network-based IDS
  o Commercial: Sourcefire Intrusion Sensors, ISS RealSecure, Cisco Secure IDS, Network Flight Recorder
  o Freeware: Snort

Covering Tracks and Hiding 49 Conclusions

Covering Tracks and Hiding 50 Summary