The New Breed of Hacker Tools & Techniques
Ed Skoudis, VP, Security Strategy, Predictive Systems, [email protected]
© 2002, Ed Skoudis and Predictive Systems
"Crack the Hacker" Challenge
Win a key-chain USB Hard Drive!
http://searchwebmanagement.discussions.techtarget.com
Look for skoudis
Or, just go to: http://searchwebmanagement.discussions.techtarget.com/[email protected]^[email protected]/82!viewtype=threadDate&skip=&expand=
Key Points
- General Trends
- War Driving
- Polymorphic Buffer Overflow
- Hidden Backdoors
- Super Worms
- Conclusions
General Trends
- The rise of anti-disclosure
  - Full disclosure has its problems: tell everyone everything
  - Anti-disclosure has a whole new set of problems
  - Famous Microsoft letter on "Information Anarchy"
  - Driving some things underground
- Kiddies don't have everything... but what is lurking out there?
- Hacktivism: in times of war, attackers can make a political point
- Attacks targeting end-user systems on high-bandwidth connections (DSL and cable modem)
- A focus on tools getting more stealthy: hiding has tremendous benefits for an attacker
Wireless Attacks
- Wireless technology is getting much cheaper: base stations for less than $200, wireless cards under $100
- IEEE 802.11b standard very popular
- Employees setting up their own access points so they can roam around the halls. Very dangerous!
- War driving: with a laptop and wireless card, an attacker can drive down the street and join many wireless LANs!
Wireless Misconfigurations
- Many wireless access points (a.k.a. base stations) are configured with no security
- In some installations, users think SSIDs are passwords. They are not! Blank or default SSIDs are common
- Access points often respond to broadcast requests asking for the SSID
- SSIDs are sent in clear text and can be sniffed
NetStumbler - Premier Tool for War Driving
- NetStumbler, by Marius Milner: http://www.netstumbler.com
- Windows-based (95, 98, ME, 2000, XP) and PocketPC (Mini Stumbler)... but not NT
Other Tools For War Driving
- Wi-scan (Perl script): http://www.dis.org/wl/ ; ties in geography (using GPS) with SSID
- Airsnort: http://airsnort.sourceforge.net/ ; cracks WEP keys; runs on Linux, requires Prism2 chipset (Linksys), and needs ~500 Meg of data
- Airopeek: www.wildpackets.com/products/airopeek ; commercial
War Driving Defenses
- Set SSID to a difficult-to-guess value: can still be broadcast, sniffed, or brute forced. Not at all effective!!
- MAC address filtering at the access point: wireless card MAC addresses can be spoofed (Dsniff supports this)
- Set WEP keys, and rotate them periodically. Remember, WEP can be cracked
- Best defense: use a Virtual Private Network. All data from the end system through the wireless device to the VPN gateway is encrypted and authenticated
- Establish policy for these items. Check out www.counterhack.net for examples
What is a Buffer Overflow?
- Seminal paper on this technique by Aleph One, titled "Smashing the Stack for Fun and Profit"
- Allows an attacker to execute arbitrary commands on your machine
  - Take over system or escalate privileges: get root or admin privileges
- Based on putting too much information into undersized receptacles
  - Caused by not having proper bounds checking in software
A Normal Stack
- Programs call their subroutines, allocating memory space for function variables on the stack
- The stack is like a scratchpad for storing little items to remember
- The stack is LIFO
- The return pointer (RP) contains the address of the original function, so execution can return there when the function call is done
[Figure: Normal Stack. From top of memory to bottom: Function Call Arguments; Return Pointer; Buffer 1 (Local Variable 1); Buffer 2 (Local Variable 2); ... Fill direction runs from the bottom of memory toward the return pointer.]
Smashing The Stack
- User data is written into the allocated buffer by the function
- If the data size is not checked, the return pointer can be overwritten by user data
- Attacker places exploit machine code in the buffer and overwrites the return pointer
- When the function returns, the attacker's code is executed
[Figure: Smashed Stack. From top of memory to bottom: Function Call Arguments; New Pointer to exec code (the return pointer is overwritten); Machine Code: execve(/bin/sh) (Buffer 1 space is overwritten); Buffer 2 (Local Variable 2); ... Fill direction runs from the bottom of memory toward the return pointer.]
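As an added illustration (not code from the talk), the unchecked copy the slides describe next to a bounds-checked version; NAME_LEN, greet_unchecked, copy_bounded and greet_checked are names made up for this example:

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the local buffer on the stack (example value) */

/* The "before" pattern from the slides: strcpy() into a fixed-size local buffer
 * with no length check. Input longer than NAME_LEN-1 characters writes past the
 * buffer, up the stack toward the saved return pointer. Shown for contrast only;
 * nothing in this file calls it. */
void greet_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bounds check: the defect */
    printf("Hello, %s\n", name);
}

/* Bounded copy: returns the number of bytes copied (excluding the NUL), or -1
 * when src plus its terminator does not fit in dst. It never reads or writes
 * beyond dst_len bytes, and it rejects rather than silently truncating, so the
 * caller can log and drop oversized input. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)                    /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);             /* n characters plus the NUL */
    return (int)n;
}

/* Same fixed-size stack buffer as greet_unchecked(), but the copy is checked.
 * Returns 0 when the greeting was printed, -1 when the input was rejected. */
int greet_checked(const char *input) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) < 0)
        return -1;
    printf("Hello, %s\n", name);
    return 0;
}

int main(void) {
    greet_checked("Ed");                                  /* fits */
    if (greet_checked("0123456789abcdef") < 0)            /* 16 chars need 17 bytes */
        puts("rejected: input does not fit in the buffer");
    return 0;
}
```

Note the off-by-one: a 16-byte buffer holds at most 15 characters plus the terminating NUL.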
Improving the Odds that the Return Pointer Will be OK
- Include NOPs in advance of the executable code
- Then, if your pointer goes to the NOPs, nothing will happen
- Execution will continue down the stack until it gets to your exploit
- NOPs can be used to detect these exploits on the network
- Many ways to do a NOP
[Figure: Smashed Stack with NOP sled. From top of memory: Function Call Arguments; New Pointer to exec code (the return pointer is overwritten); NOP NOP NOP NOP NOP; Machine Code: execve(/bin/sh) (Buffer 1 space is overwritten); ...]
Polymorphic Buffer Overflow
- In April 2001, ADMutate released by K2: http://www.ktwo.ca/security.html
- ADMutate designed to defeat IDS signature checking by altering the appearance of a buffer overflow exploit, using techniques borrowed from virus writers
- Works on Intel, Sparc, and HPPA processors
- Targets Linux, Solaris, IRIX, HPUX, OpenBSD, UnixWare, OpenServer, TRU64, NetBSD, and FreeBSD
How ADMutate Works
- We want functionally equivalent code, but with a different appearance: "How are you?" vs. "How ya doin'?" vs. "What's up?"
- Exploit consists of 3 elements: NOPs, exec-a-shell code, return address
[Figure: the three elements: Pointer to exec stack code; NOP NOP NOP NOP NOP; Machine Code: execve(/bin/sh)]
Mutation Engine
- ADMutate alters each of these elements:
  - NOP substitution with operationally inert commands
  - Shell code encoded by XORing with a randomly generated key
  - Return address modulated: least significant byte altered to jump into different parts of the NOPs
[Figure: Modulated Pointer to NOP Substitutes; NOP substitute, Another NOP, Yet another NOP, A different NOP, Here's a NOP; XOR'ed Machine Code: execve(/bin/sh)]
What About Decoding?
- That's nice, but how do you decode the XOR'ed shell code? You can't just run it, because it is gibberish until it's decoded
- So, add some commands that will decode it
- Can't the decoder be detected by IDS?
- The decoder is created using random elements
  - Several different components of decoder (e.g., 1,2,3,4,5,6,7)
  - Various decoder components can be interchanged (e.g., 2-3 or 3-2)
  - Each component can be made up of different machine language commands
  - The decoder itself is polymorphic
[Figure: Modulated Pointer to NOP Substitutes; NOP substitute, Another NOP, Yet another NOP, A different NOP, Here's a NOP; Polymorphic XOR Decoder; XOR'ed Machine Code: execve(/bin/sh)]
ADMutate – Customizability!
- New version allows attacker to apply different weights to generated ASCII equivalents of machine language code
- Allows attacker to tweak the statistical distribution of resulting characters
- Makes traffic look more like "standard" for a given protocol, from a statistical perspective
  - Example: more heavily weight characters "<" and ">" in HTTP
- Narrows the universe of equivalent polymorphs, but still very powerful!
ADMutate Defenses
- Defend against buffer overflows
  - Apply patches: defined process
  - Non-executable system stacks: Solaris - OS setting; Linux - www.openwall.com; NT/2000 - SecureStack from www.securewave.com
  - Code review: educate developers
- Detection: IDS vendors at work on this capability now
  - Snort release in Feb 2002 looks for variations of NOP sled
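As an added example (not from the talk, and not Snort's code), the core of the check the slide describes: rather than matching a run of 0x90 bytes, look for a long run of any single-byte x86 instructions that an engine like ADMutate substitutes for NOP. The opcode set, threshold and sample payloads are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Single-byte x86 opcodes that serve as "operationally inert" sled filler:
 * wherever the overwritten return pointer lands in the run, execution slides
 * forward to the decoder. Set chosen for this example; a real sensor tunes it. */
static const uint8_t INERT_OPCODES[] = {
    0x90,                                           /* nop */
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, /* inc r32 */
    0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, /* dec r32 */
    0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,       /* xchg eax, r32 */
    0x98, 0x99, 0x9E, 0x9F,                         /* cwde, cdq, sahf, lahf */
    0xF5, 0xF8, 0xF9, 0xFC, 0xFD,                   /* cmc, clc, stc, cld, std */
};

static int is_inert(uint8_t b) {
    for (size_t i = 0; i < sizeof INERT_OPCODES; i++)
        if (INERT_OPCODES[i] == b) return 1;
    return 0;
}

/* Length of the longest run of consecutive inert bytes anywhere in buf. */
size_t longest_inert_run(const uint8_t *buf, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = is_inert(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* 1 if the payload holds a sled of at least `threshold` bytes, else 0.
 * The threshold trades misses against false positives: ASCII 'A'..'O' are
 * 0x41..0x4F (inc/dec), so the text "HELLO" is indistinguishable from a
 * 5-byte mutated sled. */
int looks_like_nop_sled(const uint8_t *buf, size_t len, size_t threshold) {
    return longest_inert_run(buf, len) >= threshold;
}

/* Constructed samples: a classic sled, a mutated one with no two bytes alike
 * (both 12 bytes, followed by two non-inert bytes), and plain HTTP text. */
static const uint8_t CLASSIC_SLED[] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90, 0x31,0xC0 };
static const uint8_t MUTATED_SLED[] = {
    0x41,0x4B,0x97,0xF8,0x99,0x46,0x4F,0x9E,0xFC,0x92,0x98,0xF5, 0x31,0xC0 };
static const uint8_t HTTP_TEXT[] = "GET /index.html HTTP/1.0";
```

A plain 0x90 signature misses MUTATED_SLED entirely, while the run-length check scores both sleds the same; the price is the text false positive noted in the comment, which is why the threshold matters.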
Hidden Backdoors
- Attacker takes over your system and installs a backdoor to ensure future access
  - Backdoor listens, giving shell access
- How do you find a backdoor listener?
- Sometimes, they are discovered by noticing a listening port
  - Nmap port scan across the network
  - Running "netstat -na" locally
  - Running lsof (UNIX) or Inzider (Windows)
[Figure: Backdoor listens on port ABC, reachable from the network]
Sniffing Backdoors
- Who says a backdoor has to wait listening on a port?
- Attackers don't want to get caught; they are increasingly using stealthy backdoors
- A sniffer can gather the traffic, rather than listening on an open port
  - Non-promiscuous sniffing backdoors: grab traffic just for one host
  - Promiscuous sniffing backdoors: grab all traffic on the LAN
Non-Promiscuous Backdoor – Cd00r
- Written by FX: http://www.phenoelit.de/stuff/cd00r.c
- Includes a non-promiscuous sniffer: gathers only packets destined for the single target machine
- Several packets directed to specific ports (where there is no listener) will trigger the backdoor
  - Sniffer grabs packets, not a listener on the ports
- Backdoor root shell starts to listen on TCP port 5002 only when packets arrive at the trigger ports
Non-Promiscuous Backdoor – Cd00r in Action
- The idea has been extended to eliminate even port 5002: Netcat can push back a command shell from the server, so no listener is ever required; the connection goes from server back to client
[Figure: Cd00r in action. The client sends SYN to port X, SYN to port Y, SYN to port Z; the sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z; after Z is received, a temporary listener is activated on port 5002; the client then connects to the root shell on port 5002.]
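As an added example (not from the talk), a detection heuristic a sensor could run over a connection log for the trigger sequence just shown: lone SYNs to several closed ports from one source, then a completed connection to a port that has no legitimate listener. The record format, baseline ports, thresholds and sample events are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* One inbound TCP event at the monitored host (constructed format for this
 * example). Events are assumed to be supplied in ascending time order. */
typedef struct {
    uint32_t ts;        /* seconds */
    uint32_t src;       /* source IPv4 address as a 32-bit integer */
    uint16_t dport;     /* destination port on the monitored host */
    int      completed; /* 1: handshake completed; 0: lone SYN, nothing answered */
} tcp_event;

static int port_in(const uint16_t *set, size_t n, uint16_t p) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == p) return 1;
    return 0;
}

/* Index of the first event matching the cd00r pattern, or -1 if none: a
 * completed connection to a port NOT in the known-listener baseline, preceded
 * within `window` seconds by lone SYNs from the same source to at least
 * `min_knocks` distinct non-baseline ports (the knocks). */
int find_knock_then_connect(const tcp_event *ev, size_t n,
                            const uint16_t *baseline, size_t nbase,
                            uint32_t window, size_t min_knocks) {
    for (size_t i = 0; i < n; i++) {
        if (!ev[i].completed || port_in(baseline, nbase, ev[i].dport))
            continue;                           /* no session, or an expected service */
        uint16_t knocks[32]; size_t nk = 0;     /* distinct knocked ports */
        for (size_t j = 0; j < i && nk < 32; j++) {
            if (ev[j].src != ev[i].src || ev[j].completed) continue;
            if (ev[i].ts - ev[j].ts > window) continue;
            if (port_in(baseline, nbase, ev[j].dport)) continue;
            if (!port_in(knocks, nk, ev[j].dport)) knocks[nk++] = ev[j].dport;
        }
        if (nk >= min_knocks) return (int)i;
    }
    return -1;
}

/* Constructed samples. Baseline: the legitimate listeners on a DNS server. */
static const uint16_t BASELINE[] = { 22, 53 };
static const tcp_event KNOCK_SAMPLE[] = {
    { 100, 0x0A000005, 22,   1 },   /* admin SSH session: normal */
    { 110, 0xC0A80107, 1234, 0 },   /* knock 1: lone SYN to a closed port */
    { 111, 0xC0A80107, 2345, 0 },   /* knock 2 */
    { 112, 0xC0A80107, 3456, 0 },   /* knock 3 */
    { 113, 0xC0A80107, 5002, 1 },   /* a listener appeared and accepted: flagged */
};
static const tcp_event SCAN_SAMPLE[] = {   /* plain scan; only a baseline port answers */
    { 200, 0xC0A80107, 1, 0 }, { 200, 0xC0A80107, 2, 0 }, { 200, 0xC0A80107, 3, 0 },
    { 201, 0xC0A80107, 53, 1 },
};
```

The baseline of expected listeners is the same "know which processes are supposed to be running" inventory the defenses slide calls for; without it, the new port 5002 session looks like any other connection.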
Promiscuous Backdoor
- Can be used to help throw off an investigation
- Attacker sends data for a destination on the same network
- But the backdoor isn't located at the destination of the backdoor traffic. Huh? How does that work?
Promiscuous Backdoor in Action
- Backdoor is located on the DNS server
- All packets sent to the WWW server
- DNS server backdoor sniffs promiscuously
- In a switched environment, attacker may use ARP cache poisoning
- Confusing for investigators
[Figure: Internet, Firewall, then a LAN holding the DNS and WWW servers; the sniffer on the DNS server listens for traffic destined for the WWW server.]
Sniffing Backdoor Defenses
- Prevent attacker from getting on the system in the first place (of course)
- Know which processes are supposed to be running on the system
  - Especially if they have root privileges!
  - Not easy, but very important
  - Beware of stealthy names (like "UPS" or "SCSI")
- Look for anomalous traffic
- Look for sniffers
Here Come the Worms!
- Compromising systems one-by-one can be such a chore
- Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses
- Worms automate the process:
  - Take over systems
  - Scan for new vulnerable systems
  - Self-replicate by moving across the network to another vulnerable system
- Each instance of a worm is a "segment"
2001: Year of the Worm?
- In 2001, we saw: Ramen, L10n, Cheese, Sadmind/IIS, Code Red and Code Red II, Nimda
- To date, worms haven't been nearly as nasty as they could be
- Most damage is a result of worm resource consumption
- New generations of worms arrive every 2 to 6 months
Coming Soon - Super Worms
- 2002 could be even wormier: be on the lookout for very nasty new worms
  - Multi-functional: spread, steal, erase, etc.
  - Multi-platform: Win, Linux, Solaris, BSD, AIX, HP-UX...
  - Multi-exploit: many buffer overflows, etc.
  - Zero-day exploits: just discovered; no patch available
  - Polymorphic / metamorphic
- We've seen many of these pieces, but no one has rolled them all together... yet!
Worm Defenses
- Buffer overflow defenses help a lot here
- Rapidly deploy patches
- Anti-virus solutions: at the desktop... AND at the mail server... AND at the file server
- Incident response capabilities, linked with network management
Conclusions
- The attack tools continue to get better
- Attackers are getting stealthier every day
- But don't fret... we can work diligently to keep up
- There's no such thing as 100% security
- Still, by preparing, we can get ready for the big 'uns
References – Keeping Up
- The web: www.securityfocus.com, www.searchsecurity.com, www.counterhack.net
- Books: Hack Counter Hack CD-ROM, Skoudis, 2002; Counter Hack, Skoudis, 2001; Hacker's Challenge, Schiffman, 2001; Hacking Exposed, Kurtz et al., 2001