SANS Threat Update
Seminar Series
Breaking News – The Latest Computer Attacks and Defenses
Ed Skoudis
June 6, 2003
Presentation Outline
Purpose & General Trends
Step 1: Reconnaissance
Step 2: Scanning
Step 3: Gaining Access
Step 4: Maintaining Access
Step 5: Covering the Tracks
Conclusions
©2003 Ed Skoudis
A Quote from One of History’s Greatest Hackers
- If you know the enemy and know yourself, you need not fear the result of a hundred battles.
- If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
- If you know neither the enemy nor yourself, you will succumb in every battle.
—Sun Tzu, The Art of War
Purpose
- We’re not here to teach you how to hack…
- However, to defend yourself, you must understand your adversaries’ strategies and tactics
- We will discuss prominent recent advances in computer attack techniques…
  - …to gain an understanding of how to defend against new attacks
- We are not endorsing these attack tools
  - But you have to be ready to defend against them
- We will also discuss a variety of useful defensive tools… but check to make sure you have permission to use them! Talk to the system owners…
General Trends – The Storm after the Quiet
- For six months, we saw a major drop in the release of new vulnerabilities and attack tools after September 11, 2001
  - Shock over terrorism
  - Fear of law enforcement and PATRIOT Act
  - Concern about DMCA
Timeline (slide graphic): Sept 11, 2001 to March 2002: relatively quiet. March 2002 to now: the gloves are off! Major new attacks and tools.
General Trends – Software Distro Site Attacks
- Trojaning software distribution sites
  - Hack into web/ftp site and alter software to include backdoor
  - Everyone who downloads and uses the tool is impacted!
- May, 2002: issri.org - IRC client compromised
- May 17-24, 2002: Monkey.org - Dsniff, Fragroute, and Fragrouter hacking tools compromised
- July 30 – August 1, 2002: Openssh.org, OpenSSH security tool compromised
- Sept 28 - Oct 6, 2002: ftp.sendmail.org, sendmail mail server compromised
- Nov 11-13, 2002: tcpdump.org, tcpdump sniffer and libpcap
- Some pretty big names have fallen to this attack!
- What to do?
  - Check hashes… across multiple mirrors
  - Don’t put new software directly into production… test first!
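One way to act on “check hashes… across multiple mirrors” in code (an added example, not code from the slides or from any project named above): the package bytes and mirror names are constructed, and in practice each mirror’s hash would be taken from that mirror’s published checksum file rather than from the site that served the package.

```python
"""Check a downloaded package against hashes published by several mirrors.

Added example, not code from the slides. The package bytes and mirror names
are constructed; real mirror hashes would come from each mirror's checksum
file, fetched separately from the package itself.
"""
import hashlib


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the downloaded package bytes."""
    return hashlib.sha256(data).hexdigest()


def check_against_mirrors(package: bytes, mirror_hashes: dict) -> dict:
    """Compare the local package hash with the hash each mirror publishes.

    A site that was trojaned will usually publish a hash that matches its
    own altered package, so agreement with one source proves little. The
    verdict is 'trusted' only when every mirror agrees with the local file;
    disagreement among mirrors means at least one of them is serving
    something different, and the download should stay out of production
    until that is resolved.
    """
    local = sha256_of(package)
    matches = {name: h.lower() == local for name, h in mirror_hashes.items()}
    distinct_published = len({h.lower() for h in mirror_hashes.values()})
    if matches and all(matches.values()):
        verdict = "trusted"
    elif distinct_published > 1:
        verdict = "suspect: mirrors disagree"
    else:
        verdict = "suspect: local file matches no mirror"
    return {"local_sha256": local, "matches": matches, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: a clean package and a copy with bytes appended,
    # standing in for a tarball altered on one distribution site.
    clean = b"constructed tcpdump-style package bytes"
    altered = clean + b"\x00extra"
    good = sha256_of(clean)
    print(check_against_mirrors(clean, {"mirror-a": good, "mirror-b": good}))
    print(check_against_mirrors(altered, {"mirror-a": sha256_of(altered), "mirror-b": good}))
```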
Tcpdump Trojan
Figure (slide graphic, reconstructed as a flow): the admin downloads a Trojan horse version of the tcpdump and/or libpcap package from the attacker’s web server, then downloads and runs the tcpdump install package. Its configure script leads to a services script and a C program; these generate, compile, and execute a backdoor on the victim’s system. The backdoor polls TCP port 1963 for a control character, A, D, or M; on a D character it runs a shell and shovels its input to the attacker. The shell is shoveled across the network, and the attacker types commands there for execution on the victim’s machine.
Tcpdump Trojan Horse Details
- Interesting Notes:
  - A, D, and M for commands… where do those characters come from?
  - Why TCP port 1963?
  - Similarity to sendmail Trojan and others
- Shoveling shell, pushing out a connection that is really incoming command shell access
  - More easily gets through firewalls
- The sniffer itself won’t show traffic destined for the backdoor (OUCH!)
Reconnaissance
- Many Script Kiddies skip this step
- The best attackers do comprehensive reconnaissance
  - Adrian Lamo claims that Google is his favorite hacking tool
- Useful public information is plentiful
  - Admin names, addresses, phone numbers, financial info, business partners
  - Job requisitions
  - Technologies in use, IP addresses, DNS servers, network topology, open ports, etc…
- Portals for reconnaissance and attacks
  - www.allwhois.com - Registration data for over 66 countries
  - www.samspade.org - Ping, DNS, traceroute, etc.
  - www.attackportal.net - Misc. recon and attack tools
Reconnaissance Defenses
- Look for information leakage from your systems before the bad guys find it
- Conduct reconnaissance against your own environment
- Use the same tools as the bad guys… but be careful!
  - If you use their web sites or tools for searches, they could monitor your actions
  - Probably best not to do this from your production network
  - Do it from a separate ISP
Why Port Scanning?
- TCP and UDP each have ports
  - Servers listen on ports
  - They act like doors - Data goes out one port and into another port
- Attacker wants to know which ports are open
- Let’s focus on TCP port scanning
  - Most common protocol on top of IP… it’s used by HTTP, telnet, FTP, and many other services
  - TCP uses the three-way handshake
Figure (slide graphic): A sends SYN to B, B replies SYN-ACK, A sends ACK, and the connection is established.
“Normal” Port Scanning
- Attackers send SYN packets, and watch for SYN-ACK responses to indicate a listening port
Figure (slide graphic): the attacker sends SYN to TCP port 1, SYN to TCP port 2, and SYN to TCP port 3 of the TARGET; a SYN-ACK comes back from port 3. Eureka! Port 3 is listening!
- Downside for attacker: The scan can be traced back to the attacker’s machine using the source IP address
What if Attacker Spoofs Source Address?
Figure (slide graphic): SYNs to TCP ports 1, 2, and 3 of the TARGET carry a spoofed source address; the SYN-ACK from port 3 goes to the address the attacker is spoofing, and that machine answers it with a RESET.
- Not very useful, because SYN-ACK responses don’t come back to attacker
- The attacker can’t figure out if the port is open or closed, so the port scan is a waste of time
IP Identification Field Predictability…
- The IP Identification field in the IP Header is used for packet fragmentation
  - Used to group all fragments together for packet reassembly
- If there are no fragments, the IP stack assigns some value to this field
- When some systems send packets, they just increment the IP ID field by one for each packet
  - Each packet gets an IP ID value that is one bigger than previous packet’s value
IP header layout (slide graphic):
  Vers | Hlen | Svc Type | Total Length
  Identification | Flags | Frag Offset
  TTL | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  IP Options (if any) | Padding
  Data
Predictable IP ID – Idle Scans in Nmap
IP Identification Scanning (A.K.A. “Idle” Scanning)
Figure (two slide graphics, reconstructed as steps): (1) Attacker sends SYN to the machine that gets framed. (2) It replies SYN-ACK, with IP ID = X. (3) Attacker remembers IP ID = X. (4) Attacker sends a spoofed SYN to TCP port 3 of the TARGET, apparently from the framed machine. (5) TARGET replies SYN-ACK from port 3 to the framed machine. (6) The framed machine answers with a RESET, IP ID = X+1. (7) Attacker sends SYN to the framed machine again. (8) It replies SYN-ACK.
- ANALYZE STEP 8!
  - If IP ID of step 8 is X+2, the port is listening.
  - If IP ID of step 8 is X+1, the port is closed.
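An added example (not from the slides or from Nmap) that captures the step-8 arithmetic above and, from the defender’s side, audits whether one of your own hosts increments its IP ID by one per packet and could therefore serve as the machine that gets framed. The sample IP ID sequences are constructed; the 16-bit wraparound handling and the minimum sample count are this example’s assumptions.

```python
"""IP ID predictability audit, plus the idle-scan arithmetic from the slide.

Added example, not from the slides. Feed ipid_is_predictable() the IP ID
values seen in replies from one of your own hosts (for instance pulled
from a tcpdump capture); a True result means that host is a candidate
'machine that gets framed' and deserves a stack fix or a stateful filter
in front of it. The samples below are constructed.
"""


def ipid_deltas(ids):
    """Differences between consecutive IP ID values, modulo 2**16.

    The field is 16 bits wide, so 0xFFFF followed by 0x0000 is a step of +1.
    """
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def ipid_is_predictable(ids, min_samples=4):
    """True when every observed IP ID is exactly one more than the previous.

    min_samples is an assumption of this example: with too few packets a
    coincidental run of +1 steps is easy to get, so refuse to judge.
    """
    if len(ids) < min_samples:
        return False
    return all(d == 1 for d in ipid_deltas(ids))


def idle_scan_verdict(ipid_step2, ipid_step8):
    """Interpret the framed machine's IP IDs from steps 2 and 8 of the slide.

    X+1: only the attacker's own second SYN was answered, so the target port
    did not provoke a RESET and is closed. X+2: the framed machine also sent
    a RESET in reply to the target's SYN-ACK, so the port is listening.
    Any other step means other traffic touched the framed machine during
    the probe and the reading is unreliable.
    """
    delta = (ipid_step8 - ipid_step2) % 65536
    return {1: "closed", 2: "listening"}.get(delta, "inconclusive")


# Constructed samples: IP IDs seen in replies from two of your own hosts.
SAMPLE_SEQUENTIAL = [0xFFFE, 0xFFFF, 0x0000, 0x0001, 0x0002]  # wraps at 16 bits
SAMPLE_RANDOM = [0x1A2B, 0x7F31, 0x0C44, 0xE9D0, 0x5512]

if __name__ == "__main__":
    for name, ids in (("sequential", SAMPLE_SEQUENTIAL), ("random", SAMPLE_RANDOM)):
        print(name, "predictable" if ipid_is_predictable(ids) else "not predictable")
    print("X=1000, step 8 = 1002:", idle_scan_verdict(1000, 1002))
```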
Scanning - Paketto Keiretsu
- Suite of tools for doing TCP/IP tricks
  - By Dan Kaminsky
  - Released October 8, 2002
  - Available at http://www.doxpara.com/
- One capability: Very rapid port scanning
  - Separate the packet sender process from receiver
  - Sender transmits packets as quickly as network will carry them
  - Receiver sniffs responses
  - Sender and receiver out of synch, but that’s ok
- The idea could be extended…
Figure (slide graphic): the attacker runs a sender (Sndr) that streams SYNs out and a receiver (Rcvr) that sniffs the SYN-ACKs coming back.
Port Scanning Defenses
- Action item:
  - Run netstat -na to see what’s listening (on UNIX and Windows)
  - Alternatively, use Fport on Windows and lsof on UNIX
- For those services you don’t need, close unused ports
  - Disable unneeded services
  - In Windows: Check Start > Programs > Administrative Tools > Services
  - In UNIX: Check /etc/rc.d/init.d and /etc/xinetd
- For incident handling, realize that these scans are possible
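An added example (not from the slides) for the netstat -na action item: it parses constructed netstat output in both the UNIX and the Windows shape, lists the TCP listeners, and flags any not on an allow-list you maintain. The allow-list and the sample output are assumptions; the unexpected listener in the UNIX sample reuses the backdoor port from the tcpdump Trojan slide.

```python
"""Flag TCP listeners in 'netstat -na' output that are not on an allow-list.

Added example, not from the slides. The sample output below is constructed
and trimmed to the columns netstat prints on UNIX ('LISTEN') and Windows
('LISTENING'); the allow-list is whatever your own build standard says
should be listening on that host.
"""
import re

# Constructed sample in the shape of 'netstat -na' on a UNIX box.
UNIX_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1963            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
"""

# Constructed sample in the shape of 'netstat -na' on Windows.
WINDOWS_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       192.168.1.7:1055       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Protocol column, optional Recv-Q/Send-Q counters (UNIX only), local and
# foreign address, then a listening state in either spelling.
LISTEN_RE = re.compile(
    r"^\s*(?:tcp|TCP)\S*\s+(?:\d+\s+\d+\s+)?(\S+)\s+\S+\s+LISTEN(?:ING)?\s*$"
)


def listening_tcp(netstat_output):
    """Return a set of (local_addr, port) for every TCP socket in LISTEN."""
    found = set()
    for line in netstat_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            addr, _, port = match.group(1).rpartition(":")
            found.add((addr, int(port)))
    return found


def unexpected_listeners(netstat_output, allowed_ports):
    """Listeners whose port is not in allowed_ports, sorted by port number."""
    return sorted((a, p) for a, p in listening_tcp(netstat_output)
                  if p not in allowed_ports)


if __name__ == "__main__":
    print("UNIX, not on allow-list:", unexpected_listeners(UNIX_NETSTAT, {22, 25}))
    print("Windows, not on allow-list:", unexpected_listeners(WINDOWS_NETSTAT, {135, 445}))
```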
Gaining Access – Detailed Code Analysis Tools
- Consider recent months – major holes in Apache, Internet Explorer, OpenSSL, OpenSSH, Sendmail, Snort… the list keeps growing!
- We’ve seen a recent revolution in detailed vulnerability analysis tools
  - Used to find buffer overflows, heap overflows, etc.
- Think of these tools as X-Rays or microscopes to look inside executable code at a fine grained level
  - Look for common mistakes that let an attacker take over a system
  - Step through machine language code, line by line
- To learn more about such tools, check out the Honeynet Project Reverse Challenge at:
  - http://www.honeynet.org/reverse/
Code Analysis Tools - Windows
Tool Name: APISpy32, by Yariv Kaplan
  Comm. or Free: Free
  Summary: On Windows systems, this tool monitors all API calls, showing the value of all variables passed along the way.
  Where to Get It: http://www.internals.com/utilities_main.htm
Tool Name: Heap Debugger, by Anonymous
  Comm. or Free: Free
  Summary: On Windows systems, this tool lists all memory locations not properly released by an application.
  Where to Get It: http://www.programmersheaven.com/zone24/cat277/4136.htm
Tool Name: APIHooks, by EliCZ
  Comm. or Free: Free
  Summary: On Windows systems, this tool intercepts API calls, allowing an attacker to analyze or even manipulate the flow of data through a program.
  Where to Get It: http://www.anticracking.sk/EliCZ/
Tool Name: Feszer, by Frank Swiderski
  Comm. or Free: Free
  Summary: This Windows tool is used to analyze problems in string handling functions.
  Where to Get It: http://www.atstake.com/research/tools/index.html
Code Analysis Tools - UNIX
Tool Name: Sharefuzz, by Dave Aitel
  Comm. or Free: Free
  Summary: On UNIX machines, this program can be used to find holes from local accounts on a machine.
  Where to Get It: http://freshmeat.net/projects/sharefuzz/?topic_id=43
Tool Name: SPIKE, by Dave Aitel
  Comm. or Free: Free
  Summary: On UNIX machines, this tool can be used to find flaws in network protocol handling, especially in web servers and remote procedure calls.
  Where to Get It: http://www.immunitysec.com/spike.html
Tool Name: Electric Fence, by Bruce Perens
  Comm. or Free: Free
  Summary: On UNIX machines, this tool can find flaws with the way the system frees memory, which could lead to security exposures.
  Where to Get It: http://perens.com/FreeSoftware/
Tool Name: Fenris, by Michal Zalewski
  Comm. or Free: Free
  Summary: Multipurpose tracer, stateful analyzer and partial decompiler for UNIX
  Where to Get It: http://razor.bindview.com/tools/fenris/
Code Analysis Tools - Both
Tool Name: IDA Pro, by Data Rescue
  Comm. or Free: Commercial
  Summary: This program is the premier code disassembler tool for both Windows and Linux. It is extremely powerful and very widely used to find security flaws.
  Where to Get It: http://www.datarescue.com
Tool Name: Cenzic’s Hailstorm
  Comm. or Free: Commercial
  Summary: This powerful tool allows for finding defects by injecting faults into software.
  Where to Get It: http://www.cenzic.com/
- People used to say that closed source was more secure because attackers couldn’t analyze it as much
- This is increasingly less true because of tools like these!
SQL Slammer
- So, how are they propagating their exploits?
  - Increasingly, they are using worms
- Remember SQL Slammer?
  - January, 2003: Fast-spreading worm on the rampage
  - Patch SQL Server!
- Am I running it?
  - Very hard to tell
  - Many products use it, and Microsoft doesn’t make it easy to detect
SQL Slammer Impact
- Took much of South Korea off of the Internet for several hours
  - Ironically, this limited its spread
  - By clogging links, the worm couldn’t spread as quickly to the outside world
- One Emergency 911 call center was taken off line
- Over 13,000 ATM (Money Machines) offline in North America
- Some airlines cancelled a few flights
SQL Slammer Characteristics
- Why did SQL Slammer cause such damage?
  - People didn’t know they were running the Microsoft SQL service
  - Fast spread via small size and UDP
    - Only 376 bytes
    - Attacked Microsoft SQL Service which uses UDP
Worm Efficiencies and TCP vs. UDP
- To establish sequence numbers, TCP uses a three-way handshake to initiate a connection
  Figure (slide graphic): SYN, SYN-ACK, ACK, then the connection is established.
- UDP doesn’t…
  Figure (slide graphic): A simply sends a packet.
UDP-based Worms
Figure (slide graphic): worm spread via TCP needs a three-way handshake with each new victim; worm spread via UDP sends a single packet to each.
- Analogy: Spreading a cold in Grand Central Station
  - TCP: Shake everyone’s hand…
  - UDP: Lob infected ping pong balls
Defenses Against Code Flaws & Worms
- Keep your systems patched, with a well-defined process for:
  - Learning about new patch availability
  - Acquiring and authenticating patches
  - Testing patches in a non-production environment
  - Rolling patches into production
- Write secure code!
  - Education of software developers
    - Good book for Windows: Writing Secure Code, by Howard and Leblanc
    - Good stuff for UNIX: http://www.dwheeler.com/secureprograms/ by D. Wheeler
  - Automated software checking tools
    - ITS4: www.cigital.com/its4/download.html
    - RATS: www.securesoftware.com/rats.php
    - Flawfinder: www.dwheeler.com/flawfinder/
Trojan Horse Backdoors
Type of Trojan horse backdoor: Application-Level Trojan Horse Backdoor
  Characteristic: A separate application runs on the system
  Analogy: An attacker adds poison to your soup.
  Example tools in this category: Sub7, BO2K, Tini, etc.
Type of Trojan horse backdoor: Traditional RootKits
  Characteristic: Critical Operating System components are replaced.
  Analogy: An attacker replaces your potatoes with poison ones
  Example tools in this category: Lrk6, T0rnkit, etc.
Type of Trojan horse backdoor: Kernel-Level RootKits
  Characteristic: Kernel is patched.
  Analogy: An attacker replaces your tongue with a poison one.
  Example tools in this category: Knark, adore, Kernel Intrusion System, rootkit.com, etc.
Figure (slide graphics): Application-level: an Evil App runs beside good programs on top of a good Kernel. Traditional RootKit: Trojan login, Trojan ps, and Trojan ifconfig replace the good binaries, while a good tripwire and a good Kernel remain. Kernel-level RootKit: login, ps, ifconfig, and tripwire are all the good binaries, but the Kernel carries a Trojan Kernel Module.
Maintaining Access – Trojan Horse Backdoors
- New even stealthier Application-Level Trojan Horse Backdoors
- Setiri, written by Roelof Temmingh and Haroon Meer
  - Code shown August, 2002; no release scheduled
- Standard functions
  - Upload file, execute program, download file
- Uses invisible IE browser window and OLE to communicate with browser to send data to attacker over HTTPS
  - If personal firewall allows browser to send traffic to the Internet, backdoor can communicate with attacker
  - Also gets through NAT, proxies, and stateful firewalls
Setiri Architecture
Figure (slide graphic): STEP 1: Attacker somehow installs Setiri on victim machine. The Victim talks HTTPS to an Anonymizer, which talks HTTPS to the Connection Broker (Web Server with Attacker’s CGIs); the Attacker reaches the Connection Broker over HTTPS through another Anonymizer.
Kernel Level RootKits
- An area that continues to get attacker’s attention is the kernel-level RootKit
- By operating in the kernel, the attacker has complete control of the target machine
  - Hidden processes
  - Hidden files
  - Hidden network use (sniffing and port listeners)
  - Execution redirection
- Three ways of implementing
  - Loadable Kernel Module
  - Patch kernel image on hard drive
  - Alter kernel in memory on running system! Yikes!!!
Maintaining Access Defenses
- Block access to Anonymizer.com
  - Works for base Setiri tool and relatives, but attacker could use another anonymous proxy or connection broker
  - Still, it’s a pretty reasonable idea
- Anti-virus tools
  - Look for signatures in near future
- Browser vendors (ahem…) possibly looking at limiting actions of invisible browser
- Additionally, protect your kernel!
  - St. Michael for Linux, by Tim Lawless, at www.sourceforge.net
  - Okena and Entercept for Windows and Solaris
Covering Tracks with The Defiler’s Toolkit
- Forensics now faces… anti-forensics
- The Coroner’s Toolkit is very popular, along with its descendant, TASK (www.atstake.com)
- The Defiler’s Toolkit attempts to confuse forensics investigations
  - Targets Linux Ext2fs file system, but ideas could be extended to other platforms
  - By anonymous, released July, 2002
  - Available at http://www.phrack.com/show.php?p=59&a=6
Defiler’s Toolkit
- Data hiding
  - Bad blocks inode points to blocks that don’t function properly
  - Attacker associates good blocks with the bad block inode and stores data there
  - Carve out a segment of your hard drive and label it “bad”
  - Drive appears smaller, but TCT won’t look in the bad blocks
- Data destruction with Necrofile
  - Undelete tools remove just the data, not the meta-data (inodes and directory entries)
  - Necrofile – scrubs inodes clean, based on deletion time criteria
- Data destruction with Klismafile
  - Directory entries show deleted filenames and sizes
  - Klismafile searches for these entries and scrubs them
Defending Against The Defiler’s Toolkit
- The Coroner’s Toolkit, as cool as it was, is a bit outdated
- Turn toward a more recent descendant of TCT, TASK, to get a better look at forensics data
- In investigations, don’t forget to look in blocks marked bad!
  - There could be some very useful data hidden in there
Conclusions
- Remember good ol’ Sun Tzu
- Attackers keep improving their capabilities and tools
- Don’t get discouraged
- We must keep up with them
  - Understand their techniques
  - Deploy, maintain, and update effective defenses
- Consider it an intellectual challenge… with job security
- Just remember… It is the Golden Age
- By remaining diligent, we can secure our systems!
References – Keeping Up
- The web:
  - www.sans.org
  - www.securityfocus.com
  - www.counterhack.net
- Test your knowledge while having fun!
  - Monthly “Crack the Hacker” Challenge
  - www.counterhack.net
    - Willie Wonka and the Chocolate Hackery (Feb, 2003)
    - Hack to the Future (January, 2003)
    - How the Grinch Hacked Christmas (December, 2002)
    - Spider-Hack (November, 2002)
    - Robin Hack, Prince of Thieves (October, 2002)
    - The Princess Hack (September, 2002)
    - Crackers, Admins, and Sploits... Oh My! (July, 2002)
    - HACK WARS, Episode IV, A New Hack (June, 2002)
    - Backdoor Shell Game Face/Off (May, 2002)