1 / 16

How Hackers Cover Their Tracks ECE 4112 May 1st, 2007

Introduction Lab Content Conclusions Questions. How Hackers Cover Their Tracks ECE 4112 May 1st, 2007. Group 1 Chris Garyet Christopher Smith. Introduction. This lab presents techniques for hackers to cover their tracks

davisp
Download Presentation

How Hackers Cover Their Tracks ECE 4112 May 1st, 2007

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction Lab Content Conclusions Questions How Hackers Cover Their Tracks ECE 4112May 1st, 2007 Group 1 Chris Garyet Christopher Smith

  2. Introduction • This lab presents techniques for hackers to cover their tracks • Most experienced blackhats follow a series of steps to compromise a system • Probe network for weak links through proxy server • Use direct or indirect methods • Ensure system is not a honeypot • Disguise and hide mischievous software • Cover tracks by editing log files • With this knowledge a system administrator can easily discover the intrusion and attempt to trace the hacker Introduction Lab Content Conclusions Questions

  3. Section 1: Proxies • Background • Hackers want to attack anonymously • Utilize SOCKS 4 or 5 Proxy Servers • Generally chained together and encrypted • Tor: http://tor.eff.org/index.html.en • Proxychains: http://proxychains.sourceforge.net/ • Lab layout • RedHat 7.2 communicating through RedHat WS 4 • Connect to Apache Webserver Introduction Lab Content Conclusions Questions

  4. Section 1: Proxies • Exercise 1.1 (Simulates SOCKS proxy using SSH) • Create SSH tunnel: ssh –N –D 7001 57.35.6.x • Setup Netscape • Connect to Apache Webserver: 138.210.237.99 • NMAP thru proxy Introduction Lab Content Conclusions Questions

  5. Section 2: HoneyPot Detection • Background • Honeypot system is a trap for malicious hackers • Two important types • Low-Interaction Honeyd • High-Interaction Honeynet • Most honeypots use VMware emulate multiple systems on one computer • Examine how to detect VMware is running on compromised machine Introduction Lab Content Conclusions Questions

  6. Section 2: HoneyPot Detection • Website devoted to honeypot detection http://www.trapkit.de/tools/index.html • Scoopy_doo • Checks target machine register values against known VMware values • Runs in Linux and Windows • Jerry • Uses I/O backdoor in VMware binary • Examines value of register EAX Introduction Lab Content Conclusions Questions

  7. Section 3: Hiding Files • Background • Once a system has been compromised the hacker must hide his presence • One way to do this is by hiding the files the hacker uses to exploit the target machine • Linux and Windows machines have different file systems and thus require different hiding mechanisms • Undeletable folders are another nuisance administrators face • http://archives.neohapsis.com/archives/sf/ms/2001-q2/att-1116/01-THE-END-OF-DELETERS-v2.1.txt Introduction Lab Content Conclusions Questions

  8. Section 3: Hiding Files • Exercise 3.1 (Hiding Files in Linux) • Hide files with the “.” method • Hide files with ext2hide • http://e2fsprogs.sourceforge.net/ • http://sourceforge.net/projects/ext2hide/ Introduction Lab Content Conclusions Questions

  9. Section 3: Hiding Files • Exercise 3.2 (Hiding Files in Windows) • Hide files with chmod properties • Hide files in the Alternate Data Stream in NTFS Introduction Lab Content Conclusions Questions

  10. Section 4: Editing & Removing Log Files • Background • Log files can indicate a machine has been compromised • Can also give away “trade secrets” and lead to exploit patches Introduction Lab Content Conclusions Questions

  11. Section 4: Editing & Removing Log Files • Editing logs in Linux • Linux logs can be modified with the proper tools • Syslogd is ASCII encoded and can be edited with any text editor • UTMP, WTMP, and LASTLOG need rootkit tool Introduction Lab Content Conclusions Questions

  12. Section 4: Editing & Removing Log Files • Editing logs in Windows • Windows logs modified and cleared with the Event Viewer • Logs for application failures and security warnings including failed login attempts Introduction Lab Content Conclusions Questions

  13. Section 5: Indirect and Passive Attacks • Background • An attacker always wants to attack through indirect machines • Hides the compromised machine and therefore the hacker’s whereabouts • HP JetDirect allows indirect launching of attacks Introduction Lab Content Conclusions Questions

  14. Section 5: Indirect and Passive Attacks • Exercise 5.1 (HP JetDirect Exploitation) • HiJetter: http://www.phenoelit.de/hp/download.html • Store files and scripts • Create websites: *Printer IP*/hp/device/ • Run NMAP attacks through it Introduction Lab Content Conclusions Questions

  15. Conclusion • Covering your tracks is key for effective hacking • Avoid Honeypots to reuse exploits and methods • Hiding files and changing log files effectively covers tracks • Running scans and attacks behind cover machines helps protect identity Introduction Lab Content Conclusions Questions

  16. Questions ? Introduction Lab Content Conclusions Questions

More Related