The New Breed of Hacker Tools & Techniques
Ed Skoudis, VP, Security Strategy, Predictive Systems
ed.skoudis@predictive.com

"Crack the Hacker" Challenge
• Win a key-chain USB hard drive!
• http://searchwebmanagement.discussions.techtarget.com
• Look for skoudis
• Or, just go to: http://searchwebmanagement.discussions.techtarget.com/WebX?msgInContext@239.9Tybafylj90^4@.ee84438/82!viewtype=threadDate&skip=&expand=
© 2002, Ed Skoudis and Predictive Systems
Key Points
• General Trends
• War Driving
• Polymorphic Buffer Overflow
• Hidden Backdoors
• Super Worms
• Conclusions
General Trends
• The rise of anti-disclosure
  • Full disclosure has its problems: tell everyone everything
  • Anti-disclosure brings a whole new set of problems
  • Microsoft's widely discussed "Information Anarchy" essay (Scott Culp, October 2001) argued for it
  • Driving some things underground
  • The kiddies don't have everything...
  • ...but what is lurking out there?
• Hacktivism
  • In times of war, attackers can make a political point
• Attacks targeting end-user systems on high-bandwidth connections (DSL and cable modem)
• A focus on tools getting stealthier
  • Hiding has tremendous benefits for an attacker
Wireless Attacks
• Wireless technology is getting much cheaper
  • Base stations for less than $200, wireless cards for under $100
• The IEEE 802.11b standard is very popular
• Employees set up their own access points so they can roam around the halls
  • Very dangerous! An unmanaged access point is an unmanaged network entry point behind the firewall
• War driving
  • With a laptop and a wireless card, an attacker can drive down the street and join many wireless LANs
Wireless Misconfigurations
• Many wireless access points (a.k.a. base stations) are configured with no security at all
• In some installations, users think SSIDs are passwords
  • They are not! The SSID is a network name, not a secret
• Blank or default SSIDs are common
• Access points often respond to broadcast probe requests asking for the SSID
• SSIDs are sent in clear text in management frames and can be sniffed
NetStumbler: Premier Tool for War Driving
• NetStumbler, by Marius Milner
• http://www.netstumbler.com
• Windows-based (95, 98, ME, 2000, XP)
• Also PocketPC (MiniStumbler)... but not NT
Other Tools for War Driving
• Wi-scan (Perl script)
  • http://www.dis.org/wl/
  • Ties geography (from GPS) to SSIDs
• AirSnort
  • http://airsnort.sourceforge.net/
  • Cracks WEP keys
  • Runs on Linux, requires a Prism2 chipset (e.g. Linksys cards), and needs roughly 500 MB of captured data
• AiroPeek
  • www.wildpackets.com/products/airopeek
  • Commercial
War Driving Defenses
• Set the SSID to a difficult-to-guess value
  • It is still broadcast, sniffed, or brute forced
  • Not at all effective as a security control!
• MAC address filtering at the access point
  • Wireless card MAC addresses can be spoofed (on most operating systems this takes a single interface-configuration command)
  • Dsniff supports this
• Set WEP keys, and rotate them periodically
  • Remember, WEP can be cracked
• Best defense: use a Virtual Private Network
  • Treat the wireless segment as untrusted, like the Internet
  • All data from the end system, through the wireless device, to the VPN gateway is encrypted and authenticated
• Establish policy for these items
  • Check out www.counterhack.net for examples
What is a Buffer Overflow?
• Seminal paper on this technique by Aleph One, "Smashing the Stack for Fun and Profit" (Phrack 49, 1996)
• Allows an attacker to execute arbitrary commands on your machine
  • Take over the system or escalate privileges
  • Get root or admin privileges
• Based on putting too much data into an undersized receptacle
• Caused by software that does not bounds-check its input before copying it into a fixed-size buffer
A Normal Stack
• Programs call their subroutines, allocating space for the function's local variables on the stack
• The stack is like a scratchpad for storing small items to remember
• The stack is LIFO (last in, first out)
• The return pointer (RP) holds the address in the calling function at which execution resumes when the called function finishes
[Diagram: normal stack, from the bottom of memory (low addresses) to the top (high addresses): Buffer 2 (local variable 2), Buffer 1 (local variable 1), Return Pointer, Function Call Arguments; buffers fill toward higher addresses, i.e. toward the return pointer]
Smashing the Stack
• User data is written into the allocated buffer by the function
• If the data size is not checked, the data runs past the end of the buffer and overwrites the return pointer
• The attacker places exploit machine code in the buffer and overwrites the return pointer with that code's address
• When the function returns, the attacker's code is executed
[Diagram: smashed stack: Buffer 2 (local variable 2), then Buffer 1 overwritten with machine code for execve("/bin/sh"), then the Return Pointer overwritten with a new pointer to that code, then Function Call Arguments]
Improving the Odds that the Return Pointer Will Be OK
• The attacker rarely knows the buffer's exact address, so include NOPs in advance of the executable code (a "NOP sled")
• Then, if the pointer lands anywhere in the NOPs, nothing happens
  • Execution slides down the stack until it reaches the exploit code
• Long runs of NOPs can be used to detect these exploits on the network
• There are many ways to do a NOP: many single-byte instructions are effectively inert
[Diagram: smashed stack with NOP sled: NOP NOP NOP NOP NOP, then machine code for execve("/bin/sh") overwriting Buffer 1, then the Return Pointer overwritten with a pointer into the sled, then Function Call Arguments]
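The overflow the last three slides describe, shown as a C function with an unchecked strcpy() next to a bounded version. This is an added example, not code from the slides: the function names, the 16-byte buffer and the two inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* size of the stack buffer in both versions */

/* VULNERABLE: strcpy() copies until it finds a NUL and has no idea that
 * name[] holds only NAME_LEN bytes. Input longer than NAME_LEN - 1 runs
 * past the buffer into whatever sits above it on the stack (other locals,
 * the saved frame pointer, then the return pointer). Kept here for
 * contrast only and called with a short, constructed argument. */
static void greet_vulnerable(const char *user)
{
    char name[NAME_LEN];
    strcpy(name, user);                      /* no bounds check at all */
    printf("hello, %s\n", name);
}

/* HARDENED helper: copy at most dst_len - 1 bytes and tell the caller
 * when the input would not fit. Refusing oversized input is usually
 * safer than silently truncating it, which can create its own bugs.
 * Returns 0 on success, -1 if src (plus its NUL) does not fit in dst. */
static int copy_name(char *dst, size_t dst_len, const char *src)
{
    /* Bounded length: never read more than dst_len bytes of src. */
    const char *nul = memchr(src, '\0', dst_len);
    size_t n = nul ? (size_t)(nul - src) : dst_len;
    if (n >= dst_len)
        return -1;                           /* no room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* HARDENED: same behaviour as greet_vulnerable() for inputs that fit,
 * a clean error (-1) for inputs that would have smashed the stack. */
static int greet_hardened(const char *user)
{
    char name[NAME_LEN];
    if (copy_name(name, sizeof name, user) != 0)
        return -1;
    printf("hello, %s\n", name);
    return 0;
}

/* Constructed inputs: one that fits, one 48 bytes long that would
 * overwrite the return pointer in the vulnerable version. */
static const char SHORT_INPUT[] = "alice";
static const char LONG_INPUT[]  =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    greet_vulnerable(SHORT_INPUT);   /* safe only because the input is short */
    greet_hardened(SHORT_INPUT);
    if (greet_hardened(LONG_INPUT) != 0)
        puts("oversized input rejected instead of overflowing the stack");
    return 0;
}
```

Feeding LONG_INPUT to greet_vulnerable() is exactly the smashed stack of the previous slide; with 48 bytes of 'A' the return pointer becomes 0x41414141 and the process crashes there, which is how most of these bugs are first noticed.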
Polymorphic Buffer Overflow
• In April 2001, ADMutate was released by K2
  • http://www.ktwo.ca/security.html
• ADMutate is designed to defeat IDS signature checking by altering the appearance of a buffer overflow exploit
  • Using techniques borrowed from virus writers
• Works on Intel, SPARC, and HPPA processors
• Targets Linux, Solaris, IRIX, HP-UX, OpenBSD, UnixWare, OpenServer, Tru64, NetBSD, and FreeBSD
How ADMutate Works
• We want functionally equivalent code with a different appearance
  • "How are you?" vs. "How ya doin'?" vs. "What's up?"
• The exploit consists of three elements, each of which an IDS signature could match on:
  • NOPs
  • "Exec a shell" code
  • Return address
[Diagram: NOP NOP NOP NOP NOP, machine code for execve("/bin/sh"), pointer to the exec code on the stack]
Mutation Engine
• ADMutate alters each of these elements
  • NOP substitution: the 0x90 NOPs are replaced with other operationally inert single-byte instructions
  • Shell code encoded by XORing with a randomly generated key
  • Return address modulated: the least significant byte is varied so the pointer lands at different offsets within the NOP sled, so even the address bytes are not constant
[Diagram: NOP substitute, another NOP, yet another NOP, a different NOP, here's a NOP, XOR'ed machine code for execve("/bin/sh"), modulated pointer into the NOP substitutes]
What About Decoding?
• That's nice, but how do you decode the XOR'ed shell code?
• You can't just run it, because it is gibberish until it's decoded
• So, add some instructions in front of it that decode it at run time
• Can't the decoder be detected by the IDS?
• The decoder is built from random elements
  • Several different components of the decoder (e.g., 1, 2, 3, 4, 5, 6, 7)
  • Various decoder components can be interchanged (e.g., 2-3 or 3-2)
  • Each component can be made up of different machine language instructions
  • The decoder itself is polymorphic
[Diagram: NOP substitutes, polymorphic XOR decoder, XOR'ed machine code for execve("/bin/sh"), modulated pointer into the NOP substitutes]
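The XOR step and the decoder's job from the last two slides, as an added C example rather than anything from ADMutate itself. The payload is a constructed text string standing in for shell code, and pick_key() and the other names are this example's own. It also shows the one constraint a random key must respect that the slides do not mention: a key equal to any payload byte produces a 0x00, which ends a strcpy()-style copy before the whole exploit lands, so the key must be drawn from the bytes absent from the payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the exploit payload ("exec a shell" code in the
 * slides). Deliberately just text, not machine code: what matters here is
 * the transformation, which works on any byte string. */
static const uint8_t PAYLOAD[] = "CONSTRUCTED-PAYLOAD-NOT-SHELLCODE";
#define PAYLOAD_LEN (sizeof(PAYLOAD) - 1)     /* drop the trailing NUL */

/* A key is usable only if it hides every byte and introduces no NUL:
 * key 0 is the identity, and any byte equal to the key XORs to 0x00,
 * which would end a strcpy()-style copy before the whole payload lands. */
static int key_is_usable(const uint8_t *p, size_t n, uint8_t key)
{
    if (key == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == key)
            return 0;
    return 1;
}

/* First usable key at or after `start`, wrapping around. ADMutate draws
 * the key at random; taking `start` as a parameter keeps this reproducible.
 * Returns 0 only if no key works (payload contains all 255 non-zero bytes). */
static uint8_t pick_key(const uint8_t *p, size_t n, uint8_t start)
{
    for (int i = 0; i < 256; i++) {
        uint8_t k = (uint8_t)(start + i);
        if (key_is_usable(p, n, k))
            return k;
    }
    return 0;
}

/* out[i] = in[i] ^ key. The same loop encodes and decodes; in a real
 * exploit the decoding copy of it is emitted as machine code in front
 * of the encoded bytes (the "polymorphic decoder" in the slides). */
static void xor_bytes(const uint8_t *in, uint8_t *out, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key;
}

/* Number of 0x00 bytes in buf: must be zero for the encoded form. */
static size_t count_nul(const uint8_t *buf, size_t n)
{
    size_t z = 0;
    for (size_t i = 0; i < n; i++)
        z += (buf[i] == 0);
    return z;
}

/* Encode PAYLOAD with a key chosen from `start`, decode it again, and
 * return 1 if the encoded form has no NUL and differs from the original
 * (a non-zero key changes every byte) while the decoded form matches it. */
static int demo_round_trip(uint8_t start, uint8_t *key_out)
{
    uint8_t enc[PAYLOAD_LEN], dec[PAYLOAD_LEN];
    uint8_t key = pick_key(PAYLOAD, PAYLOAD_LEN, start);
    if (key == 0)
        return 0;
    if (key_out)
        *key_out = key;
    xor_bytes(PAYLOAD, enc, PAYLOAD_LEN, key);
    xor_bytes(enc, dec, PAYLOAD_LEN, key);
    return count_nul(enc, PAYLOAD_LEN) == 0
        && memcmp(enc, PAYLOAD, PAYLOAD_LEN) != 0
        && memcmp(dec, PAYLOAD, PAYLOAD_LEN) == 0;
}

int main(void)
{
    uint8_t key;
    /* 'A' (0x41) occurs in the payload, so it is skipped and 'B' chosen. */
    for (uint8_t start = 0x41; start < 0x44; start++)
        if (demo_round_trip(start, &key))
            printf("start 0x%02x -> key 0x%02x: round trip OK, no NUL bytes\n",
                   start, key);
    return 0;
}
```

Each run with a different key yields a different encoded payload, which is why a signature on the plain "exec a shell" bytes never fires; the IDS only ever sees the decoder stub and bytes that look random.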
ADMutate: Customizability!
• The new version allows the attacker to apply different weights to the generated ASCII equivalents of machine language code
• Allows the attacker to tweak the statistical distribution of the resulting characters
• Makes the traffic look more like the "standard" for a given protocol, from a statistical perspective
  • Example: weight the characters "<" and ">" more heavily in HTTP
• Narrows the universe of equivalent polymorphs, but still very powerful!
ADMutate Defenses
• Defend against buffer overflows
  • Apply patches, with a defined process
  • Non-executable system stacks
    • Solaris: OS setting (noexec_user_stack in /etc/system)
    • Linux: the Openwall kernel patch, www.openwall.com
    • NT/2000: SecureStack from www.securewave.com
  • Code review: educate developers
• Detection: IDS vendors are at work on this capability now
  • Snort release in February 2002
  • Looks for variations of the NOP sled rather than a fixed 0x90 signature
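The "variations of the NOP sled" check from the Detection bullet, as an added C example (not Snort's code): a scanner that alerts on long runs of bytes drawn from a table of single-byte inert x86 instructions instead of matching 0x90 alone. The opcode table is an illustrative subset and an assumption of this example; Snort's fnord preprocessor is the real-world version of the idea. The samples are constructed, including the classic false positive: capital letters A..O are the inc/dec opcodes 0x41..0x4f, so a run of uppercase text trips the same check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative subset of single-byte x86 instructions that an attacker can
 * use in place of 0x90 because, run in sequence, they do not prevent the
 * CPU from sliding into the real code: nop, inc/dec of a general register,
 * xchg eax,reg, cwde/cdq, a few flag operations and the BCD-adjust opcodes.
 * Real detectors carry a larger per-architecture table; this one is an
 * assumption for the demo. */
static int is_sled_byte(uint8_t b)
{
    if (b == 0x90) return 1;                             /* nop */
    if (b >= 0x40 && b <= 0x4f) return 1;                /* inc/dec r32 */
    if (b >= 0x91 && b <= 0x97) return 1;                /* xchg eax, r32 */
    if (b == 0x98 || b == 0x99) return 1;                /* cwde, cdq */
    if (b == 0xf5 || b == 0xf8 || b == 0xf9) return 1;   /* cmc, clc, stc */
    if (b == 0xfc || b == 0xfd) return 1;                /* cld, std */
    if (b == 0x9e || b == 0x9f) return 1;                /* sahf, lahf */
    if (b == 0x27 || b == 0x2f || b == 0x37 || b == 0x3f) return 1; /* daa, das, aaa, aas */
    return 0;
}

/* Length of the longest run of consecutive sled-capable bytes. */
static size_t longest_sled_run(const uint8_t *buf, size_t n)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = is_sled_byte(buf[i]) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Alert when any run reaches `threshold` bytes. A plain 0x90 signature
 * would catch only SLED_PLAIN below. */
static int looks_like_sled(const uint8_t *buf, size_t n, size_t threshold)
{
    return longest_sled_run(buf, n) >= threshold;
}

/* Constructed samples. SLED_MUTATED cycles through substitutes the way a
 * mutation engine might; TEXT_UPPER is the false positive case. */
#define SAMPLE_LEN 40
static uint8_t SLED_PLAIN[SAMPLE_LEN];
static uint8_t SLED_MUTATED[SAMPLE_LEN];
static const uint8_t TEXT_LOWER[] = "the quick brown fox jumps over the lazy dog";
static const uint8_t TEXT_UPPER[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

static void build_samples(void)
{
    static const uint8_t subs[] = { 0x41, 0x4b, 0x93, 0x99, 0xf8, 0x27, 0x9f, 0x48 };
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        SLED_PLAIN[i]   = 0x90;
        SLED_MUTATED[i] = subs[i % sizeof subs];
    }
}

/* Run lengths of the two constructed sleds (samples are built on demand). */
static size_t plain_sled_run(void)   { build_samples(); return longest_sled_run(SLED_PLAIN, SAMPLE_LEN); }
static size_t mutated_sled_run(void) { build_samples(); return longest_sled_run(SLED_MUTATED, SAMPLE_LEN); }

int main(void)
{
    printf("plain 0x90 sled: run %zu\n", plain_sled_run());
    printf("mutated sled:    run %zu\n", mutated_sled_run());
    printf("lowercase text:  run %zu\n",
           longest_sled_run(TEXT_LOWER, sizeof TEXT_LOWER - 1));
    printf("uppercase text:  run %zu (false positive)\n",
           longest_sled_run(TEXT_UPPER, sizeof TEXT_UPPER - 1));
    return 0;
}
```

The threshold is the tuning knob: too low and any base64 blob or shouted e-mail subject alerts, too high and an attacker simply uses a shorter sled. Pairing the run check with protocol context (is this field supposed to be that long?) is what keeps it usable.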
Hidden Backdoors
• The attacker takes over your system and installs a backdoor to ensure future access
• The backdoor listens, giving shell access
• How do you find a backdoor listener?
• Sometimes they are discovered by noticing a listening port
  • Nmap port scan across the network
  • Running "netstat -na" locally
  • Running lsof (UNIX) or Inzider (Windows) to map the port to a process
  • Compare the external scan with the local view: a root-level attacker can replace netstat and lsof to hide the port
[Diagram: backdoor listens on port ABC, reachable from the network]
Sniffing Backdoors
• Who says a backdoor has to wait listening on a port?
• Attackers don't want to get caught
• They are increasingly using stealthy backdoors
• A sniffer can gather the traffic, rather than a listener on an open port
• Non-promiscuous sniffing backdoors
  • Grab traffic for just one host
• Promiscuous sniffing backdoors
  • Grab all traffic on the LAN
Non-Promiscuous Backdoor: cd00r
• Written by FX
• http://www.phenoelit.de/stuff/cd00r.c
• Includes a non-promiscuous sniffer
  • Gathers only packets destined for the single target machine
• Several packets directed to specific ports (where there is no listener) will trigger the backdoor
  • The sniffer grabs the packets; nothing is listening on the trigger ports, so they show as closed to a port scan
• The backdoor root shell starts to listen on TCP port 5002 only after packets arrive at the trigger ports
Non-Promiscuous Backdoor: cd00r in Action
• The sniffer analyzes traffic destined just for this machine, looking for SYNs to ports X, Y, Z
• The client sends a SYN to port X, then to port Y, then to port Z
• After the SYN to Z is received, the server activates a temporary listener on port 5002
• The client then connects to the root shell on port 5002
• The idea has been extended to eliminate even port 5002
  • Netcat can push a command shell back from the server, so no listener is ever required
  • The connection goes from the server back to the client
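The trigger logic from the two cd00r slides as an added C state machine; this is not cd00r's own code. The three knock ports are constructed, the "ignore non-SYNs, reset on a SYN to the wrong port" rule is my reading of cd00r.c and should be treated as an assumption, and packets come from constructed traces instead of a sniffer. The same matcher, run over a SYN log on a sensor, is also the detection side: a source that hits several closed ports in a fixed order and then connects to a port that was closed a second earlier is the pattern to hunt for.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Trigger sequence. cd00r compiles its ports in; these three are
 * constructed for the example, not cd00r's defaults. */
static const uint16_t KNOCK_PORTS[] = { 1234, 5678, 9012 };
#define KNOCK_LEN  (sizeof KNOCK_PORTS / sizeof KNOCK_PORTS[0])
#define SHELL_PORT 5002          /* where cd00r starts its temporary listener */
#define COUNT(a)   (sizeof (a) / sizeof (a)[0])

struct knock_state {
    size_t next;                 /* index of the port expected next */
};

/* One sniffed TCP packet addressed to this host. */
struct pkt {
    uint16_t dport;
    int syn;                     /* 1 for a SYN, 0 for anything else */
};

/* Feed one packet. Only SYNs count; other packets are ignored rather than
 * resetting, so ordinary traffic on other ports does not disturb the
 * sequence (assumption about cd00r's exact rule). Returns 1 on the packet
 * that completes the sequence, i.e. when cd00r would fork the listener on
 * SHELL_PORT, else 0. */
static int knock_feed(struct knock_state *st, const struct pkt *p)
{
    if (!p->syn)
        return 0;
    if (p->dport == KNOCK_PORTS[st->next]) {
        if (++st->next == KNOCK_LEN) {
            st->next = 0;        /* rearm for the next session */
            return 1;
        }
    } else {
        st->next = 0;            /* wrong port: start over */
    }
    return 0;
}

/* Run a whole trace through a fresh state; returns the 1-based index of
 * the packet that activated the backdoor, or 0 if it never fired. */
static size_t knock_run(const struct pkt *pkts, size_t n)
{
    struct knock_state st = { 0 };
    for (size_t i = 0; i < n; i++)
        if (knock_feed(&st, &pkts[i]))
            return i + 1;
    return 0;
}

/* Constructed traces. */
static const struct pkt TRACE_GOOD[] = {
    { 80, 1 },                           /* unrelated SYN: harmless */
    { 1234, 1 }, { 5678, 1 }, { 9012, 1 },
    { SHELL_PORT, 1 },                   /* attacker now connects to the shell */
};
static const struct pkt TRACE_BROKEN[] = {
    { 1234, 1 }, { 9012, 1 }, { 5678, 1 }, { 9012, 1 },   /* out of order */
};
static const struct pkt TRACE_ACKS[] = {
    { 1234, 1 }, { 443, 0 }, { 5678, 1 }, { 25, 0 }, { 9012, 1 },  /* non-SYNs between knocks */
};

int main(void)
{
    printf("good trace fired at packet %zu\n", knock_run(TRACE_GOOD, COUNT(TRACE_GOOD)));
    printf("out-of-order trace fired at packet %zu (0 = never)\n",
           knock_run(TRACE_BROKEN, COUNT(TRACE_BROKEN)));
    printf("trace with ACKs between knocks fired at packet %zu\n",
           knock_run(TRACE_ACKS, COUNT(TRACE_ACKS)));
    return 0;
}
```

From the network, the knock looks like three failed connections followed by one that succeeds on a port Nmap reported closed; from the host, nothing is listening until the last SYN arrives, which is why "netstat -na" alone misses it and the process list (a root process holding a packet socket) is the better place to look.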
Promiscuous Backdoor
• Can be used to help throw off an investigation
• The attacker sends data to a destination on the same network segment
• But the backdoor isn't located at the destination of the backdoor traffic
• Huh? How does that work?
Promiscuous Backdoor in Action
• The backdoor is located on the DNS server
• All packets are sent to the WWW server
• The DNS server backdoor sniffs promiscuously and picks up the traffic addressed to the WWW server
• In a switched environment, the attacker may use ARP cache poisoning so that traffic reaches the DNS server's switch port
• Confusing for investigators, who look at the WWW server first
[Diagram: Internet, firewall, WWW and DNS servers on one segment; the sniffer on the DNS server listens for traffic destined for the WWW server]
Sniffing Backdoor Defenses
• Prevent the attacker from getting on the system in the first place (of course)
• Know which processes are supposed to be running on the system
  • Especially if they have root privileges!
  • Not easy, but very important
  • Beware of stealthy names (like "UPS" or "SCSI")
• Look for anomalous traffic (e.g. a DNS server opening outbound connections, or SYNs to closed ports)
• Look for sniffers: an interface in promiscuous mode (the PROMISC flag in ifconfig output) is the tell-tale on the host itself
Here Come the Worms!
• Compromising systems one by one can be such a chore
• Worms are attack tools that spread across a network, moving from host to host by exploiting weaknesses
• Worms automate the process
  • Take over systems
  • Scan for new vulnerable systems
  • Self-replicate by moving across the network to another vulnerable system
• Each instance of a worm is a "segment"
2001: Year of the Worm?
• In 2001, we saw:
  • Ramen
  • L10n (Lion)
  • Cheese
  • Sadmind/IIS
  • Code Red and Code Red II
  • Nimda
• To date, worms haven't been nearly as nasty as they could be
• Most damage is a result of worm resource consumption (scanning traffic, crashed services) rather than a deliberately destructive payload
• New generations of worms arrive every 2 to 6 months
Coming Soon: Super Worms
• 2002 could be even wormier
• Be on the lookout for very nasty new worms
  • Multi-functional: spread, steal, erase, etc.
  • Multi-platform: Windows, Linux, Solaris, BSD, AIX, HP-UX...
  • Multi-exploit: many buffer overflows, etc.
  • Zero-day exploits: just discovered, no patch available
  • Polymorphic
  • Metamorphic
• We've seen many of these pieces, but no one has rolled them all together... yet!
Worm Defenses
• Buffer overflow defenses help a lot here
• Rapidly deploy patches
• Anti-virus solutions
  • At the desktop...
  • ...AND at the mail server
  • ...AND at the file server
• Incident response capabilities, linked with network management
Conclusions
• The attack tools continue to get better
• Attackers are getting stealthier every day
• But don't fret... we can work diligently to keep up
• There's no such thing as 100% security
• Still, by preparing, we can get ready for the big ones
References: Keeping Up
• The web:
  • www.securityfocus.com
  • www.searchsecurity.com
  • www.counterhack.net
• Books:
  • Hack Counter Hack CD-ROM, Skoudis, 2002
  • Counter Hack, Skoudis, 2001
  • Hacker's Challenge, Schiffman, 2001
  • Hacking Exposed, Kurtz et al., 2001