How Hackers Cover Their Tracks
ECE 4112
May 1st, 2007
Group 1
Chris Garyet
Christopher Smith

Introduction

Lab Content

Conclusions

Questions

Introduction

• This lab presents techniques hackers use to cover their tracks
• Most experienced blackhats follow a series of steps to compromise a system:
  • Probe the network for weak links through a proxy server
  • Use direct or indirect attack methods
  • Ensure the target is not a honeypot
  • Disguise and hide malicious software
  • Cover tracks by editing log files
• With this knowledge a system administrator is better able to discover the intrusion and attempt to trace the hacker

Section 1: Proxies

• Background
  • Hackers want to attack anonymously
  • Utilize SOCKS 4 or 5 proxy servers
  • Generally chained together (proxychains) and, with Tor, encrypted from hop to hop, so no single relay knows both the origin and the target
  • Tor: http://tor.eff.org/index.html.en
  • Proxychains: http://proxychains.sourceforge.net/
• Lab layout
  • RedHat 7.2 communicating through RedHat WS 4
  • Connect to the Apache webserver

Section 1: Proxies

• Exercise 1.1 (simulates a SOCKS proxy using SSH)
  • Create the SSH tunnel: ssh -N -D 7001 57.35.6.x (-D opens a local SOCKS4/5 listener on port 7001 that forwards through the SSH host; -N runs no remote command)
  • Set up Netscape to use the SOCKS proxy at localhost:7001
  • Connect to the Apache webserver: 138.210.237.99 (its access log records the SSH host's address, not the client's)
  • Nmap through the proxy: only TCP connect scans (-sT) can be relayed over SOCKS; SYN scans and UDP or ICMP probes use raw sockets, bypass the proxy and reveal the real source address
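The handshake behind Exercise 1.1, as an added example that is not part of the lab: a minimal SOCKS5 CONNECT relay and client written here (RFC 1928, no authentication), which is the service ssh -D hands to Netscape or proxychains. A constructed local "web server" records the peer address it sees, so the run shows the target logging the relay's socket rather than the client's. Port numbers, the HTTP reply and all traffic are constructed; everything runs on 127.0.0.1.

```python
"""Added example, not part of the lab: a minimal SOCKS5 CONNECT relay and
client (RFC 1928, no auth), i.e. what `ssh -D 7001` provides; the constructed
'web server' records the peer it sees.  All traffic stays on 127.0.0.1."""
import socket
import struct
import threading

VER, CMD_CONNECT, ATYP_IPV4, REP_OK = 5, 1, 1, 0


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy src -> dst until src closes, then half-close dst so EOF propagates."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve_socks_client(client):
    ver, nmethods = struct.unpack("!BB", _recv_exact(client, 2))
    if ver != VER or 0 not in _recv_exact(client, nmethods):     # we only speak "no auth"
        client.sendall(bytes([VER, 0xFF]))
        return client.close()
    client.sendall(bytes([VER, 0]))
    _ver, cmd, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(client, 4))
    if cmd != CMD_CONNECT or atyp != ATYP_IPV4:                  # demo handles IPv4 CONNECT only
        client.sendall(struct.pack("!BBBB4sH", VER, 7, 0, ATYP_IPV4, b"\0" * 4, 0))
        return client.close()
    dst_ip = socket.inet_ntoa(_recv_exact(client, 4))
    dst_port = struct.unpack("!H", _recv_exact(client, 2))[0]
    upstream = socket.create_connection((dst_ip, dst_port))
    bnd_ip, bnd_port = upstream.getsockname()                      # the address the target logs
    client.sendall(struct.pack("!BBBB4sH", VER, REP_OK, 0, ATYP_IPV4,
                               socket.inet_aton(bnd_ip), bnd_port))
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def start_socks5_relay():
    """Listen on an ephemeral localhost port; return (port, listening socket)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                                        # listener closed
                return
            threading.Thread(target=_serve_socks_client, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def socks5_connect(proxy_port, dst_ip, dst_port):
    """Client half of the handshake; returns (tunnelled socket, relay's bound address)."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(bytes([VER, 1, 0]))                                  # one method offered: no auth
    if _recv_exact(s, 2) != bytes([VER, 0]):
        raise ConnectionError("relay refused no-auth")
    s.sendall(struct.pack("!BBBB4sH", VER, CMD_CONNECT, 0, ATYP_IPV4,
                          socket.inet_aton(dst_ip), dst_port))
    _ver, rep, _rsv, _atyp = struct.unpack("!BBBB", _recv_exact(s, 4))
    bnd = (socket.inet_ntoa(_recv_exact(s, 4)), struct.unpack("!H", _recv_exact(s, 2))[0])
    if rep != REP_OK:
        raise ConnectionError("CONNECT rejected, REP=%d" % rep)
    return s, bnd


def run_demo():
    """Constructed web server reached through the relay; returns what each side saw."""
    seen, target = {}, socket.socket()
    target.bind(("127.0.0.1", 0))
    target.listen(1)

    def serve_once():
        conn, peer = target.accept()
        seen["peer"] = peer                                        # what an access log records
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nseen " + str(peer).encode())
        conn.close()

    threading.Thread(target=serve_once, daemon=True).start()
    relay_port, relay_sock = start_socks5_relay()
    tunnel, relay_bound = socks5_connect(relay_port, "127.0.0.1", target.getsockname()[1])
    tunnel.sendall(b"GET / HTTP/1.0\r\n\r\n")
    reply = tunnel.makefile("rb").read()                           # until the relay half-closes
    tunnel.close()
    relay_sock.close()
    target.close()
    return {"reply": reply, "peer_seen_by_target": seen["peer"], "relay_bound": relay_bound}


if __name__ == "__main__":
    print(run_demo())
```

The relay answers the CONNECT request with its own outbound socket address (BND.ADDR/BND.PORT), and that is exactly the address the target's accept() returns: the web server never learns the client's socket. The same holds for ssh -D, where the bound address is the SSH host's.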

Section 2: Honeypot Detection

• Background
  • A honeypot system is a trap for malicious hackers
  • Two important types
    • Low-interaction: Honeyd
    • High-interaction: Honeynet
  • Many honeypots use VMware to emulate multiple systems on one computer
  • Examine how to detect that VMware is running on the compromised machine

Section 2: Honeypot Detection

• Website devoted to honeypot (VMware) detection tools: http://www.trapkit.de/tools/index.html
• Scoopy_doo
  • Checks the target machine's descriptor-table register values (read with sidt/sgdt/sldt) against the values known for VMware guests
  • Runs on Linux and Windows
• Jerry
  • Uses the I/O backdoor in the VMware binary (the "VMXh" magic port, which a real CPU rejects)
  • Examines the value returned in register EAX
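A complementary check, added here and not the lab's Scoopy_doo or Jerry: those two read CPU state (descriptor-table registers, the VMware I/O backdoor) and need native code, so this Python block instead scores the artefacts a VMware guest exposes through ordinary Linux interfaces: the CPUID "hypervisor" flag as listed in /proc/cpuinfo, the DMI vendor strings under /sys/class/dmi/id, and the NIC's MAC OUI. The VMware OUIs are from the IEEE registry; the cpuinfo, DMI and ip link samples are constructed, and the score threshold is my own choice.

```python
"""Added example, not the lab's Scoopy_doo or Jerry: score the artefacts a
VMware guest exposes through /proc/cpuinfo, /sys/class/dmi/id and `ip link`.
Sample inputs are constructed, not captured from real machines."""
import os
import re
import subprocess

VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}   # IEEE OUIs registered to VMware
VM_VENDOR_STRINGS = ("vmware", "virtual platform", "virtualbox", "qemu", "kvm", "bochs")
DMI_KEYS = ("sys_vendor", "product_name", "board_vendor", "bios_vendor")


def cpuinfo_has_hypervisor_flag(cpuinfo_text):
    """CPUID leaf 1, ECX bit 31; Linux lists it as 'hypervisor' in the flags line.
    Any hypervisor sets it, so alone it says 'VM', not 'VMware'."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


def dmi_indicators(dmi):
    """dmi maps /sys/class/dmi/id/<key> names to their contents."""
    return ["%s=%r" % (k, v) for k, v in dmi.items()
            if k in DMI_KEYS and any(s in v.lower() for s in VM_VENDOR_STRINGS)]


def mac_indicators(ip_link_output):
    """Match the OUI of every 'link/ether' address in `ip link` output."""
    macs = re.findall(r"link/ether\s+([0-9a-f:]{17})", ip_link_output, re.I)
    return [m for m in macs if m.lower()[:8] in VMWARE_OUIS]


def assess(cpuinfo_text, dmi, ip_link_output):
    """Return (score, reasons); two or more independent indicators is a confident VM verdict."""
    reasons = []
    if cpuinfo_has_hypervisor_flag(cpuinfo_text):
        reasons.append("cpuinfo: hypervisor flag set")
    reasons += ["dmi: " + h for h in dmi_indicators(dmi)]
    reasons += ["mac oui: " + m for m in mac_indicators(ip_link_output)]
    return len(reasons), reasons


def live_assess():
    """Run the same checks on this host (Linux); anything unreadable counts as no evidence."""
    cpuinfo = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else ""
    dmi = {}
    for key in DMI_KEYS:
        try:
            with open("/sys/class/dmi/id/" + key) as fh:
                dmi[key] = fh.read().strip()
        except OSError:
            pass
    try:
        ip_link = subprocess.run(["ip", "link"], capture_output=True, text=True).stdout
    except OSError:
        ip_link = ""
    return assess(cpuinfo, dmi, ip_link)


# Constructed samples, not captured from real machines.
VM_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr hypervisor\n"
VM_DMI = {"sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform"}
VM_IP_LINK = ("2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500\n"
              "    link/ether 00:0c:29:3a:4b:5c brd ff:ff:ff:ff:ff:ff\n")
BARE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr\n"
BARE_DMI = {"sys_vendor": "Dell Inc.", "product_name": "PowerEdge R710"}
BARE_IP_LINK = ("2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500\n"
                "    link/ether 00:1a:a0:11:22:33 brd ff:ff:ff:ff:ff:ff\n")

if __name__ == "__main__":
    print("vm  :", assess(VM_CPUINFO, VM_DMI, VM_IP_LINK))
    print("bare:", assess(BARE_CPUINFO, BARE_DMI, BARE_IP_LINK))
    print("this host:", live_assess())
```

A honeypot operator can defeat each of these individually (spoof the MAC, patch the DMI strings), which is why the register-based checks on the slide remain useful: they depend on how the hypervisor virtualises the CPU, not on strings it chooses to present.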

Section 3: Hiding Files

• Background
  • Once a system has been compromised, the hacker must hide his presence
  • One way to do this is to hide the files the hacker uses to exploit the target machine
  • Linux and Windows have different file systems and thus require different hiding mechanisms
  • Undeletable folders are another nuisance administrators face
  • http://archives.neohapsis.com/archives/sf/ms/2001-q2/att-1116/01-THE-END-OF-DELETERS-v2.1.txt

Section 3: Hiding Files

• Exercise 3.1 (Hiding Files in Linux)
  • Hide files with the "." method: a plain ls skips names beginning with a dot, and directories named "..." or ".. " (dot dot space) blend into the . and .. entries; ls -la and find / -name '.*' still show them
  • Hide files with ext2hide, which stores data in unused reserved space of the ext2/ext3 on-disk structures, outside the directory tree, so no listing shows it
  • http://e2fsprogs.sourceforge.net/
  • http://sourceforge.net/projects/ext2hide/
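A defender's sweep for the "." method in Exercise 3.1, as an added example that is not part of the lab: it walks a tree and flags dot-files, names made only of dots or whitespace, and names with leading or trailing whitespace. The demo tree (home/alice/.ssh, tmp/..., tmp/".. ") is constructed in a temporary directory; find_hidden() can be pointed at a real path such as /tmp.

```python
"""Added example, not from the lab: sweep for files hidden with the "." method.
The demo tree is constructed in a temporary directory."""
import os
import re
import shutil
import tempfile

# Only dots, optionally followed by whitespace, or whitespace only: invisible
# or indistinguishable from "." and ".." in a casual listing.
LOOKALIKE = re.compile(r"^\.+\s*$|^\s+$")


def classify(name):
    """Reason a bare filename looks deliberately hidden, or None."""
    if name in (".", ".."):
        return None
    if LOOKALIKE.match(name):
        return "dot/space look-alike"
    if name != name.strip():
        return "leading/trailing whitespace"
    if name.startswith("."):
        return "dot-file"
    return None


def find_hidden(root):
    """Walk root and return sorted [(path, reason)] for every flagged entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = classify(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return sorted(hits)


def demo():
    """Constructed tree: ordinary dot-files next to rootkit-style staging dirs."""
    root = tempfile.mkdtemp(prefix="hidedemo_")
    try:
        os.makedirs(os.path.join(root, "home", "alice", ".ssh"))
        os.makedirs(os.path.join(root, "tmp", "..."))           # classic staging directory
        os.makedirs(os.path.join(root, "tmp", ".. "))           # "dot dot space"
        for rel in ("home/alice/.bashrc", "tmp/README", "tmp/.../.sniffer"):
            open(os.path.join(root, rel), "w").close()
        return [(os.path.relpath(p, root), r) for p, r in find_hidden(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print("%-24s %s" % (path, reason))
```

Ordinary dot-files (.bashrc, .ssh) are flagged too, so the useful signal is the reason column and the location: a look-alike under /tmp, /dev or /var/tmp deserves a look, a dot-file in a home directory usually does not. ext2hide leaves nothing for this sweep to find; comparing block usage reported by the filesystem against the files reachable from the directory tree is the check for that.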

Section 3: Hiding Files

• Exercise 3.2 (Hiding Files in Windows)
  • Hide files with file attribute properties (the Windows counterpart of chmod): attrib +h +s marks a file hidden and system, so Explorer and a plain dir omit it; dir /a still lists it
  • Hide files in an NTFS Alternate Data Stream: type payload.exe > readme.txt:payload.exe attaches the data to readme.txt without changing the size dir reports; dir /r (Vista and later) or the Sysinternals streams tool lists the streams

Section 4: Editing & Removing Log Files

• Background
  • Log files can indicate that a machine has been compromised
  • They can also give away "trade secrets" (the exploit that was used) and lead to exploit patches

Section 4: Editing & Removing Log Files

• Editing logs in Linux
  • Linux logs can be modified with the proper tools
  • Files written by syslogd (/var/log/messages, /var/log/secure, ...) are plain ASCII text and can be edited with any text editor
  • utmp, wtmp and lastlog are binary records (struct utmp) and need a rootkit log-cleaning tool; most such tools simply overwrite the matching record with zeros, which leaves a detectable hole
  • Entries forwarded to a remote syslog host (a "*.* @loghost" line in syslog.conf) are out of the hacker's reach on the compromised machine
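The detection side of the wtmp bullet, as an added example that is not the lab's code: a parser for glibc's struct utmp (384 bytes on x86/x86_64, layout from bits/utmp.h) and checks for what a zap-style cleaner leaves behind: an all-zero record, a timestamp that runs backwards, or a logout on a line whose login record is gone. The session history (user names, the 57.35.6.2 host, the timestamps) is constructed, not captured from a real wtmp.

```python
"""Added example, not from the lab: parse a Linux wtmp file and flag the holes
a log cleaner leaves.  Layout is glibc's struct utmp (384 bytes on x86/x86_64).
The records below are constructed, not captured."""
import socket
import struct

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, e_termination, e_exit,
# ut_session, tv_sec, tv_usec, ut_addr_v6[4], __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, pid, line, user, host, tv_sec, ipv4=None):
    """Build one record; ipv4 (dotted string) fills ut_addr_v6[0] as login(1) does."""
    addr0 = struct.unpack("<i", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, addr0, 0, 0, 0)


def parse_wtmp(data):
    """One dict per whole record; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        recs.append({"index": off // UTMP_SIZE, "type": f[0], "pid": f[1],
                     "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
                     "time": f[9], "zeroed": raw == b"\0" * UTMP_SIZE})
    return recs


def find_anomalies(recs):
    """Checks that catch crude cleaning of an append-only wtmp."""
    problems, last_time, open_lines = [], 0, set()
    for r in recs:
        if r["zeroed"]:
            problems.append((r["index"], "all-zero record (log cleaner?)"))
            continue
        if r["time"] < last_time:
            problems.append((r["index"], "timestamp goes backwards"))
        last_time = max(last_time, r["time"])
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                problems.append((r["index"], "logout on %s without a logged login" % r["line"]))
            open_lines.discard(r["line"])
    return problems


def audit_file(path="/var/log/wtmp"):
    with open(path, "rb") as fh:
        return find_anomalies(parse_wtmp(fh.read()))


T0 = 1178000000                                    # 2007-05-01 UTC, constructed


def sample_wtmp(wiped=False):
    """Constructed session history; wiped=True zeroes the intruder's login record."""
    recs = [
        pack_record(BOOT_TIME, 0, "~", "reboot", "2.4.7-10", T0),
        pack_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", T0 + 600, "10.0.0.5"),
        pack_record(USER_PROCESS, 1300, "pts/1", "root", "57.35.6.2", T0 + 900, "57.35.6.2"),
        pack_record(DEAD_PROCESS, 1300, "pts/1", "", "", T0 + 1500),
        pack_record(DEAD_PROCESS, 1234, "pts/0", "", "", T0 + 1800),
    ]
    if wiped:
        recs[2] = b"\0" * UTMP_SIZE                # what a zap-style cleaner leaves behind
    return b"".join(recs)


if __name__ == "__main__":
    print("clean :", find_anomalies(parse_wtmp(sample_wtmp())))
    print("wiped :", find_anomalies(parse_wtmp(sample_wtmp(wiped=True))))
```

The intruder's logout record survives the wipe because the cleaner matches on user name and the DEAD_PROCESS entry carries none, which is why the orphan-logout check pays off. A cleaner that truncates the file instead shows up as a wtmp shorter than the copy a remote collector or backup holds.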

Section 4: Editing & Removing Log Files

• Editing logs in Windows
  • Windows logs are cleared with the Event Viewer; it cannot remove individual entries, and the binary .evt files need a purpose-built tool for selective editing
  • Logs cover application failures and security warnings, including failed login attempts
  • Clearing the Security log itself writes an event (ID 517 on Windows 2000/XP/2003, ID 1102 on Vista and later), so an empty log with that entry is itself an indicator

Section 5: Indirect and Passive Attacks

• Background
  • An attacker prefers to attack through indirect (intermediate) machines
  • This hides the compromised machine and therefore the hacker's whereabouts
  • HP JetDirect print servers allow indirect launching of attacks

Section 5: Indirect and Passive Attacks

• Exercise 5.1 (HP JetDirect Exploitation)
  • HiJetter: http://www.phenoelit.de/hp/download.html (speaks PJL to the printer on TCP port 9100)
  • Store files and scripts on the printer's file system
  • Create websites: *Printer IP*/hp/device/
  • Run Nmap attacks through it
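The PJL file-system traffic behind "store files and scripts", as an added example that is not HiJetter's code: builders for the FSDOWNLOAD (write a file) and FSDIRLIST (list a directory) commands, a sender for port 9100, and a parser for the listing reply. Command syntax follows the HP PJL Technical Reference as I know it; the 0:/webServer/home path, the file names and the sample reply are constructed assumptions, not captured from a printer.

```python
"""Added example, not HiJetter's code: the PJL file-system commands used to
store and list files on a JetDirect printer (TCP 9100), plus a parser for
the FSDIRLIST reply.  Paths and the sample reply are constructed."""
import re
import socket

UEL = b"\x1b%-12345X"                     # Universal Exit Language, brackets every PJL job


def pjl_job(*commands):
    """Wrap one or more PJL command strings (without the '@PJL ' prefix) in UEL."""
    return UEL + b"".join(b"@PJL " + c + b"\r\n" for c in commands) + UEL


def fs_download(name, data):
    """Write `data` to `name` on the printer's file system (how a file gets stored)."""
    head = b'FSDOWNLOAD FORMAT:BINARY NAME="%s" SIZE=%d' % (name.encode(), len(data))
    return UEL + b"@PJL " + head + b"\r\n" + data + UEL


def fs_dirlist(path, entry=1, count=64):
    """Ask for `count` directory entries starting at `entry`."""
    return pjl_job(b'FSDIRLIST NAME="%s" ENTRY=%d COUNT=%d' % (path.encode(), entry, count))


ENTRY_RE = re.compile(r"^(?P<name>.+?)\s+TYPE=(?P<type>DIR|FILE)(?:\s+SIZE=(?P<size>\d+))?\s*$")


def parse_dirlist(reply):
    """FSDIRLIST reply -> [(name, 'DIR'|'FILE', size or None)]; header and form feed skipped."""
    entries = []
    for line in reply.decode("latin-1").splitlines():
        m = ENTRY_RE.match(line.strip("\f"))
        if m:
            entries.append((m.group("name"), m.group("type"),
                            int(m.group("size")) if m.group("size") else None))
    return entries


def files_only(entries):
    """Just the files, for comparing a printer against its factory contents."""
    return [(n, s) for n, t, s in entries if t == "FILE"]


def send_pjl(host, payload, port=9100, timeout=5.0):
    """Deliver a job and collect the printer's reply (empty for FSDOWNLOAD)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed reply in the shape FSDIRLIST returns (not captured from a printer).
SAMPLE_DIRLIST_REPLY = (
    b'@PJL FSDIRLIST NAME="0:/webServer/home" ENTRY=1\r\n'
    b". TYPE=DIR\r\n"
    b".. TYPE=DIR\r\n"
    b"index.html TYPE=FILE SIZE=2048\r\n"
    b"scan.sh TYPE=FILE SIZE=311\r\n"
    b"\x0c"
)

if __name__ == "__main__":
    print(fs_download("0:/webServer/home/evil.html", b"<html>stored on the printer</html>"))
    print(files_only(parse_dirlist(SAMPLE_DIRLIST_REPLY)))
```

An administrator can run the same FSDIRLIST against each printer and diff files_only() against a known-good listing; anything like scan.sh on a print server is a sign it has become someone's cover machine. Blocking port 9100 from everything except the print spooler closes the door.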

Conclusion

• Covering your tracks is key to effective hacking
• Avoiding honeypots lets an attacker reuse exploits and methods without having them captured and analyzed
• Hiding files and changing log files effectively covers tracks
• Running scans and attacks behind cover machines helps protect the attacker's identity

Questions

?