ppt14 - UTPA Faculty Web

advertisement
2-UNIX LIVE RESPONSE
John P. Abraham
Professor
University of Texas Pan American
UNIX LIVE RESPONSE








Almost identical to windows
The only difference will be the commands that we’ll use to acquire the
evidence.
We will be running the same netcat commands to transfer the live
Response to the forensic workstation.
First, on the forensic workstation, we will run the following:
 Nc –v –l –p 10000 > command.txt
Now, any data sent to TCP port 10,000 on our forensic workstation
will be saved to command.txt.
On the victim computer, you will want to run a command to collect
Live Response data.
The output of the command will be sent over our TCP channel on port
10,000 in this case.
 Command | nc forensic_workstation_ip_address 10000
After these commands have completed, you will press ctrl-c to break
the netcat session, and our file command.txt will contain all the
data from the command we executed. A simple MD5 checksum of
command.txt can be calculated so that you may prove it s
authenticity.
ANALYZING VOLATILE DATA




The System Date and Time
 Date command
Current Network Connections
 Netstat –an
 We find an intrusion on Port 515 which is the port on
which the printerdaemon typically listens.
 We go to http://www.securityfocus.com to find that this
is a vulnerable TCP port. This may have been the
initial point of intrusion.
Open TCP or UDP Ports
 Netstat –an command
 Through examining the open ports, we hope to discover
any backdoors the attacker may have established.
Netstat –anp will list the process number that opened the
port also. This only works with Linux and will not work on
UNIX
EXECUTABLES OPENING TCP OR UDP
PORTS






IN UNIX we use lsof for list open files. It displays the processes that open
ports, but also lists the files that the process has open. It is the single most
powerful tool in our live response toolkit for UNIX systems.
Lsof –n produces lengthy output
The fourth bolded line on page 52 shows that file descriptor #2 (aka the
standard out) is redirected to /dev/null. This indicates that the errors from this
program will not be sent to the console but instead will be thrown away.
The next bolded line shows that the “printer” port is involved in an active
connection for this process.
The last two lines show an open TCP port (3287) and an established
connection. It would be pretty safe to say at this point that the IP address of
94.90.84.93 is probably the intruder’s origin.
Because we brought a trusted copy of lsof from an uncompromised machine,
we have to surmise that the mechanism the intruder used to hide the open port
must exist at the kernel level in addition; we will see that /tmp/.kde does not
show up on the file system when we list the time and date stamps. That
solidifies our theory that the kernel is probably trojaned, possibly with a
loadable kernel module (LKM). A good resource:

Malware: Fighting Malicious Code
CONTINUED..

Running processes
 To view the open processes:



Ps –aux
This command lists all the running processes on the system. And the users
running them.
Open Files
 Use


Lsof
To view open files
Once we run on our victim machine, we realize that the first
process has a current working directory of /tmp/.kde. The second
process has a current working directory of /tmp/.kde/brute/john1.6/run. This is not good! Someone may be running John the
Ripper on BRJDEF. John the Ripper is a common password
cracking program that attackers employ to learn users’
passwords.
The Internal Routing Table
 We obtain the routing table




Netstat –rn
In this case, the routing table looks intact.
CONTINUED..


Loaded Kernel Modules
 Because we suspect that the kernel may have been
trojaned, we will want to review all the loaded kernel
modules. This is done with the lsmod command. When
we dump the loaded kernel modules, we see the
information on page 57.
 There exist ways to hide a module after it is loaded.
After a module is hidden there is no way (in the Live
Response process) we can detect that it is installed.
Furthermore, when we investigate Phrack magazine, we
see there are other ways to infect the kernel without
even loading a module.
Mounted File Systems
 The mounted file systems can be obtained from issuing
either the mount command or the df command.

Output of the df command on bottom of page 57.
ANALYZING NONVOLATILE DATA

we would like to obtain several key pieces of information
while the machine is still running. The type of data we
will discuss in this section is nonvolatile. This means we
could also retrieve this information from a forensic
duplication if we so desired, but that option may be
difficult or impossible to achieve. Some of the information
we would like to acquire is as follows:









system version and patch level
file system time and date stamps
file system MD5 checksum values
Users concurrently logged on
A history of logins
Syslog logs
User accounts
User history files
Suspicious files
System Version and Patch Panel
 When we issue the command uname –a we
receive all the available operating system
version information.
 The patch level information for a Linux
machine is a little more difficult to retrieve
because it is dependent on the Linux
distribution used to create the system.
 In this case, it is RedHat 7.0 so we issue the
rpm –qa command
 File System Time and date stamps.
 File system time and date stamps can be
obtained using the same command for
windows

CONTINUED..

The following command we can print out the file
permissions, last access date, last access time,
modification date, modification time, inode change date,
inode change time, user ownership, group ownership,
file size, and full path of the file for the compete file
system:


Find / -printf “%m;%Ax;%AT; %Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n”
We will sort all the files by the time the inode was last
changed (also known as the “ctime”). We do this
because there is no creation date on Unix file systems.
The change date is as close as we can get to the creation
time. After ruling out the other files changed on
September 8, 2003, we have subset of files that we
cannot explain. Pg 60.
It seems as if someone installed the Net::Telnet module.
Perhaps this was a dependency to one of the tools that the
intruder ran on our system.
 We also see that the /etc/passwd/ and /etc/shadow were
altered. This is usually done when an intruder adds a
backdoor in the form of a valid user on the victim machine.
 The other thing we see is two versions of lpd. The first
instance in the table is probably the real lpd program.

FILE SYSTEM MD5 CHECKSUM VALUES





MD5 Checksum- is a 128-bit mathematical
fingerprint of the contents in a file, for every
file on the file system.
After we calculate the MD5s, we can compare
them to databases of known MD5s.
www.hashkeeper.org
There is also the NSRL software reference
library. These databases will help us eliminate
the known files and leave us with only
unknown files to examine.
To calculate the MD5 checksum for every file
on the system, you would issue the following
command:
Find / -type f –xdev –exec md5sum –b {} \;
 The results for this sweep are on the DVD.

USERS CURRENTLY LOGGED ON
The users who are currently logged on are saved in
the /var/run/utmp log. We could reconstruct this
information from a forensic duplication, but it is
much easier to acquire this information with the w
command. Output on page 62.
 We see that root, Curtis, and lpd are all logged in.
the most important line that should be evident her
is the lpd login lp is a valid system account, and
perhaps the attacker hooped that lpd would blend
in.
 We also see that the attacker’s IP address is
94.90.84.93.
 Even though these logs are in binary format, the
format is well known. If the attacker chose to run
a program called zap2 he could have easily zapped
the lpd login that we see here.

A HISTORY OF LOGINS
A history of logins is saved in the /var/log/wtmp binary log, so we
can reconstruct this information form a forensic duplication. We
can view this information easily during our Live Response.
Syslog logs
 Unix systems have a syslog facility
 The syslog daemon listens for messages from either local
programs or other servers on the Internet and logs them according
to the /etc/syslog.conf configuration file.
 The only logs that will be relevant to our investigation are
/var/log/messages and /var/log/secure.
 Using netcat we transfer relevant logs to our forensic
workstation for further analysis.
 In the messages log, we see that on September 8, at
approximately 14:35, a series of events begins that does not make
much sense (and that is difficult to even copy to this page). The
message looks like binary data written to the log. This is typically
an indication of a buffer overflow attack. When buffer overflows
occur, they break valid programs. When programs break, garbage
is typically generated in the log. In this scenario, we cannot see
what program was attached. Other overflows will report the
name of the service that wrote to the log, such as the rpc.statd
buffer overflow, which reports that rpc.statd wrote to the log.
 On the log we notice that kjones failed at login and then
successfully log in as matt shortly after. Dead end as explained
on top of page 66.




User Accounts (page 66)
 We know the attacker is creating backdoors on BRJDEV
at this point. Let us examine the /etc/passwd file to see
whether the intruder has added any rogue user
accounts.
 Once we see it, the normal system and user accounts
make up every line except the last. We see that there e
is a new account, called lpd. It has a root directory of/
and, more importantly, a user ID of zero. This means
that when lpd logs in, he will have root privileges, even
though he will have a different password than root.
User History Files
 History files are commands the user typed at the
prompt. The files may contain commands that failed, or
we may discover the hacker’s methodology. The one
account we know the attacker used was the lpd account.
When we examine lpd’s home directory (/), we do not
find a history file. We also know that the attacker used
the Richard account because it initiated the
investigation. We do, however, find a bsh history file for
Richard. Pg 67. The bolded lines show activity
that Richard did not recognize.
SUSPICIOUS FILES

If we were not acquiring a forensic duplication of BRJDEV, we
could transfer any suspicions file with our netcat.


Because BRJDEV’s kernel was probably trojaned, we would
collect any of the suspicions files on the file system through the
forensic duplication process to make sure we have a pristine copy
of the tools.
 There is a way we can acquire copies of running processes. In
windows, an executable cannot be deleted while it is running in
memory. The operating system locks the file and it cannot be
removed. That is a benefit for us during an investigation. In
Unix, an attacker can run a file, such as datapipe, and delete the
original binary. If we were to shut down the machine in a
graceful manner, we would not have a copy of this file for analysis
later. This is where the /proc file system comes into play
The /proc file system does not actually exist on the hard drive. It
exists in memory and references running processes and other system
information. By entering the /proc directory, you see directories
named after integers, such as 1348.


Nc –v –l –p 10000 > filename
Cat filename | nc forensic_workstation_ip_adress 10000
Download