CIT 380: Securing Computer Systems: Covert Channels


CIT 380: Securing Computer Systems Slide #1
CIT 380: Securing Computer Systems
Covert Channels

CIT 380: Securing Computer Systems Slide #2 Covert Channels
1. Covert Channels
2. Using Other Protocols
3. Hiding within a Protocol
4. Local Covert Channels
5. Defending against Covert Channels

CIT 380: Securing Computer Systems Slide #3 Covert Channels
Covert channel: a path of communication that was not designed for such communication.
IDS look for abnormal traffic
– Use traffic that already exists: ping, DNS, HTTP.
– Avoid creating abnormal traffic patterns.
Use encryption
– Avoids keyword detection by IDS.
– Prevents incident response from viewing data.

CIT 380: Securing Computer Systems Slide #4 Using Other Protocols
Use non-TCP/UDP protocols
– Don’t show up on a port scan.
– Don’t show up in netstat on the machine.
Use standard protocols for other purposes
– DNS
– HTTP
Reverse the direction of traffic
– Internal machine initiates the covert channel.

CIT 380: Securing Computer Systems Slide #5 Loki
Tunnel shell using ICMP echo packets.
– Uses the ICMP data field for commands/responses.
– Uses the Blowfish encryption algorithm.
Loki2 can also tunnel via DNS lookups.
– Can swap between ICMP and DNS tunneling.
Other ICMP shells, which often use echo reply only:
– icmp_backdoor
– sneaky-sneaky
– lyceum

CIT 380: Securing Computer Systems Slide #6 TunnelShell
Multi-protocol backdoor with evasion.
ICMP: standard ICMP shell.
TCP: uses only ACK packets to communicate, bypassing packet filters and showing no port in use on the local machine.
UDP: UDP shell without binding a port.
IP: raw IP without using a higher-level protocol.
Fragment: uses fragmented IP packets.

CIT 380: Securing Computer Systems Slide #7 WWW Shells
Simple shells
– Web program that acts as a shell.
– ex: CGI Telnet, PHP Shell
Reverse WWW Shell
– Web client that checks a server for commands.
– Uses predefined or random time intervals.
– Looks like a browser surfing the web.
HTTP request (shell prompt):
GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj HTTP/1.0
HTTP response (ls command):
g5mAlfbknz

CIT 380: Securing Computer Systems Slide #8 HTTP Tunnels
Tunnel any protocol over HTTP
– Bypass firewalls.
– Most software supports proxies.
– Can use SSL for encryption.
– Malware embeds itself in IE as a BHO, then uses HTTP to phone home with IE’s permissions.
GoToMyPC
– Commercial HTTP tunnel.
– Remote desktop access protocol like VNC.

CIT 380: Securing Computer Systems Slide #9 TCP/IP Headers
Requirements
– Headers must not be used by end systems.
– Headers must not be modified by routers.
IP Headers
– IP Identification
– IP options (may be modified by routers)
TCP Headers
– Sequence numbers
– Bits reserved for future use.
– TCP options (may be modified by routers)

CIT 380: Securing Computer Systems Slide #10 Covert_TCP
IP covert channel
– Inserts one byte into the IPID field of each packet.
TCP sequence number channel
– Inserts one byte into sequence numbers.
– Sends SYN with encoded ISN.
– Server responds with RST to acknowledge.
– Each byte transferred requires two packets.

CIT 380: Securing Computer Systems Slide #11 Covert_TCP
TCP ACK number bounce channel
– Inserts one byte into the ACK number.
– Uses 3 hosts: client, server, bounce server
Operation
1. Client: SYN w/ encoded ISN, spoofing IP of server.
2. Bounce server: SYN/ACK or RST w/ encoded ISN+1 to spoofed source IP (server)
3. Server: receives bounced packet, recovers byte from ISN.

CIT 380: Securing Computer Systems Slide #12 Nushu
Passive covert channel.
– Inserts data into TCP packets from other apps.
– Alters sequence numbers to contain data.
– Runs as a Linux kernel module.
Receiver sniffs data off the network.
– Receiver IP address not in any packets.
– Receiver must be at a gateway where it can sniff all of the packets sent by Nushu.

CIT 380: Securing Computer Systems Slide #13 Steganography
A covert channel via data files.
Share data files openly
– Use file sharing sites like Flickr.
– Use sites with photographs like eBay.
– Hack another site and replace its data files.
Both sides must know
– Steganographic technique.
– Locations used to dump files.

CIT 380: Securing Computer Systems Slide #14 Local Covert Channels
Binary coding
– At each time interval one bit is transferred.
– If condition true, then bit is 1, otherwise 0.
CPU Usage
– Use 100% CPU to signal a 1.
Disk Usage
– Create an enormous file to signal a 1.
File Locking
– Writer locks file to transfer a 1.
– If reader cannot lock file, it must be locked, so it’s a 1.

CIT 380: Securing Computer Systems Slide #15 Covering your Covering Tracks
Covert backdoors hide data from the network.
But process listings will show backdoors.
How can you hide the backdoors?
– Alter process / command names.
– Use a rootkit to hide processes.
– Embed the backdoor in a kernel mode rootkit.

CIT 380: Securing Computer Systems Slide #16 Detecting Covert Channels
Pattern matching
– Use Snort or a similar tool to match patterns in cleartext channels.
Counting connections
– If a backdoor creates a TCP connection for each command, an abnormal number of TCP flows exists.
Timing analysis
– Analyze packet timing and data size to identify interactive sessions on unexpected ports/protocols.
Entropy analysis
– ICMP packets with the entropy values of natural language may be a covert channel, while the entropy values of random data may indicate an encrypted covert channel.
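
A detector in the spirit of the counting-connections and entropy-analysis bullets above, added here as an example and not part of the original slides: it labels constructed ICMP echo payloads by entropy and printable ratio, and flags hosts that spend many one- or two-packet TCP flows, the footprint of the Covert_TCP SYN/RST sequence-number channel. The thresholds, the flow-record fields (src, dst, proto, packets) and the sample data are assumptions.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a payload; 0.0 for an empty payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_standard_ping_payload(data: bytes) -> bool:
    # Linux ping pads the payload after an 8-byte timestamp with 0x10, 0x11, ...;
    # Windows ping repeats "abcdefghijklmnopqrstuvw". Both are whitelisted first,
    # because a counter pattern scores as high-entropy and the alphabet as text.
    tail = data[8:]
    linux = len(data) > 8 and tail == bytes((0x10 + i) & 0xFF for i in range(len(tail)))
    windows = len(data) > 0 and data == (b"abcdefghijklmnopqrstuvw" * 8)[: len(data)]
    return linux or windows

def classify_icmp_payload(data: bytes) -> str:
    """Label one echo payload; the thresholds are assumptions to tune per site."""
    if is_standard_ping_payload(data):
        return "standard-ping"
    if not data:
        return "unclassified"
    h = shannon_entropy(data)
    max_h = max(1.0, math.log2(min(len(data), 256)))  # short payloads cannot reach 8 bits
    printable = sum(32 <= b < 127 for b in data) / len(data)
    if printable >= 0.9 and h < 5.0:
        return "cleartext-like"  # natural-language text: possible cleartext tunnel
    if h / max_h >= 0.85:
        return "random-like"  # near-maximal entropy: possible encrypted tunnel
    return "unclassified"

def single_packet_flow_sources(flows, threshold=20):
    """Sources with many TCP flows of at most two packets, the SYN/RST pairs a
    Covert_TCP sequence-number channel spends on every byte it sends."""
    short = Counter(f["src"] for f in flows if f["proto"] == "tcp" and f["packets"] <= 2)
    return {src: n for src, n in short.items() if n >= threshold}

# Constructed flow records standing in for NetFlow/Zeek conn output (not real data):
# 30 tiny flows from 10.0.0.5 and one normal long-lived flow from 10.0.0.9.
SAMPLE_FLOWS = [{"src": "10.0.0.5", "dst": "192.0.2.7", "proto": "tcp", "packets": 2}
                for _ in range(30)]
SAMPLE_FLOWS.append({"src": "10.0.0.9", "dst": "192.0.2.8", "proto": "tcp", "packets": 40})
```

Closed-port scans and failed connection attempts also produce two-packet flows, so the flow count is a lead to correlate with payload or timing evidence, not a verdict on its own.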

CIT 380: Securing Computer Systems Slide #17 Stopping Covert Channels
Host-based security.
– Stop attackers from gaining the access needed to install one.
Use a stateful firewall
– Blocks ACK tunneling.
Use the firewall to limit outgoing data
– Stop ICMP echo replies.
– Should your DB server be browsing the web?
