Ed Skoudis
June 6, 2005
Seminar Series
©2005 Ed Skoudis
A Quote from One of History’s Greatest Hackers
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
—Sun Tzu, The Art of War
Presentation Outline
Purpose & General Trends
Step 1: Reconnaissance
Step 2: Scanning
Step 3: Gaining Access
Step 4: Maintaining Access
Step 5: Covering the Tracks
Conclusions
The Defiler’s Toolkit
The Defiler’s Toolkit attempts to confuse forensics investigations
First public anti-forensic tool
Developed by “The Grugq”
Targeted specifically to counter The Coroner’s Toolkit, and only extensively tested on ext2/3 file systems
Six components:
  KY FS – stores data in superblocks / directory structures
  Warren FS – stores data in the ext3 journal file
  Data Mule FS – stores data in inode reserved space
  Rune FS – stores data in bad blocks
  Necrofile
  Klismafile
Defiler’s Toolkit
Data hiding
  The bad blocks inode points to blocks that don’t function properly
  Attacker associates good blocks with the bad blocks inode and stores data there
  Carve out a segment of your hard drive and label it “bad”
  Drive appears smaller, but TCT won’t look in the bad blocks
Data destruction with Necrofile
  Deletion tools remove just the data, not the meta-data (inodes and directory entries)
  Necrofile scrubs inodes clean, based on deletion time criteria
Data destruction with Klismafile
  Directory entries show deleted filenames and sizes
  Klismafile searches for these entries and scrubs them
Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
Developed by Vinnie Liu and distributed with Metasploit 2.2
Windows-specific, with four components:
  TimeStomp: MAC time modification tool
  Slacker: tool to hide data in slack space
  SAM Juicer: password file extractor
  Transmogrify: file signature modifier
SAM Juicer was renamed PWDump and integrated into Metasploit 3 along with TimeStomp
Slacker and Transmogrify were never reliable and were discontinued; Transmogrify was never released
Meterpreter
Central component in the Metasploit Framework
Serves as a payload injected by any of a number of exploits
Opens a covert communication channel with shell command capabilities
Resides exclusively in memory with no residue…
Anti-Forensic Tools… Techniques
CANVAS
DECAF – direct response to COFEE
  Microsoft and the US Department of Justice have stated their intention to prosecute anyone found to be in unauthorized possession of DECAF
SecurityWizard List
Forensics
The Coroner’s Toolkit is very popular, along with its descendant, “The Sleuth Kit” (www.sleuthkit.org)
The Coroner’s Toolkit, as cool as it was, is a bit outdated
Turn toward a more recent descendant of TCT, “The Sleuth Kit”, to get a better look at forensics data
Use the Autopsy Forensic Browser GUI…
In investigations, don’t forget to look in blocks marked bad! There could be some very useful data hidden in there
Dead vs. live analysis modes
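The bad-blocks hiding trick from the Defiler’s Toolkit slide and the “look in blocks marked bad” advice above both come down to one check: read the ext2/3 bad blocks inode (inode 1) and pull out every block it claims. The parser below is an added illustration written for this summary, not code from the talk, TCT or The Sleuth Kit; it assumes a standard ext2 on-disk layout and uses a constructed, non-mountable sample image so it runs offline.

```python
import struct

EXT2_SUPER_MAGIC = 0xEF53
BAD_BLOCKS_INODE = 1   # ext2/3 reserve inode 1 for the bad-blocks list


def bad_block_numbers(image: bytes) -> list[int]:
    """Block numbers referenced by inode 1 (12 direct pointers plus the single-indirect block)."""
    sb = image[1024:2048]                                   # primary superblock
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2/3 superblock")
    block_size = 1024 << struct.unpack_from("<I", sb, 24)[0]
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    gdt = (2 if block_size == 1024 else 1) * block_size     # group descriptor table offset
    inode_table = struct.unpack_from("<I", image, gdt + 8)[0]   # bg_inode_table of group 0
    ino = inode_table * block_size + (BAD_BLOCKS_INODE - 1) * inode_size
    i_block = struct.unpack_from("<15I", image, ino + 40)   # i_block[] array inside the inode
    blocks = [b for b in i_block[:12] if b]
    if i_block[12]:                                         # single-indirect pointer block
        ind = struct.unpack_from(f"<{block_size // 4}I", image, i_block[12] * block_size)
        blocks += [b for b in ind if b]
    return blocks


def carve_bad_blocks(image: bytes) -> dict[int, bytes]:
    """Raw contents of every block the bad-blocks inode claims, keyed by block number."""
    block_size = 1024 << struct.unpack_from("<I", image, 1024 + 24)[0]
    return {b: bytes(image[b * block_size:(b + 1) * block_size]) for b in bad_block_numbers(image)}


def build_sample_image(hidden: dict[int, bytes], total_blocks: int = 64) -> bytes:
    """Constructed 1024-byte-block ext2-style image (not mountable): superblock, one group
    descriptor, inode table at block 5, and inode 1 pointing at the `hidden` blocks."""
    bs = 1024
    img = bytearray(bs * total_blocks)
    struct.pack_into("<H", img, 1024 + 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", img, 1024 + 76, 1)                # rev 1: inode size field is valid
    struct.pack_into("<H", img, 1024 + 88, 128)
    struct.pack_into("<I", img, 2 * bs + 8, 5)               # bg_inode_table = block 5
    ptrs = sorted(hidden)[:12]                               # direct pointers only in the sample
    struct.pack_into(f"<{len(ptrs)}I", img, 5 * bs + 40, *ptrs)
    for blk, data in hidden.items():
        img[blk * bs:blk * bs + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image({20: b"CONSTRUCTED hidden payload", 21: b"more hidden data"})
    for blk, data in carve_bad_blocks(sample).items():
        trimmed = data.rstrip(b"\x00")
        print(f"block {blk}: {trimmed!r}")
```

On a real image, blocks listed here that read back cleanly (no I/O errors) deserve the same carving and keyword search as any allocated block.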
Conclusions
Remember good ol’ Sun Tzu
Attackers keep improving their capabilities and tools
Don’t get discouraged
We must keep up with them
  Understand their techniques
  Deploy, maintain, and update effective defenses
Consider it an intellectual challenge… with job security
Just remember… it is the Golden Age
By remaining diligent, we can secure our systems!