How Hackers Cover Their Tracks
ECE 4112, May 1st, 2007
Group 1: Chris Garyet, Christopher Smith
Introduction | Lab Content | Conclusions | Questions
Introduction
• This lab presents techniques hackers use to cover their tracks
• Most experienced blackhats follow a series of steps to compromise a system:
  • Probe the network for weak links through a proxy server
  • Use direct or indirect methods
  • Ensure the system is not a honeypot
  • Disguise and hide malicious software
  • Cover tracks by editing log files
• With this knowledge a system administrator can more readily discover the intrusion and attempt to trace the hacker
Section 1: Proxies
• Background
  • Hackers want to attack anonymously
  • Utilize SOCKS 4 or 5 proxy servers
  • Generally chained together and encrypted
  • Tor: http://tor.eff.org/index.html.en
  • Proxychains: http://proxychains.sourceforge.net/
• Lab layout
  • RedHat 7.2 communicating through RedHat WS 4
  • Connect to Apache web server
Section 1: Proxies
• Exercise 1.1 (simulates a SOCKS proxy using SSH)
  • Create SSH tunnel: ssh -N -D 7001 57.35.6.x
  • Set up Netscape
  • Connect to Apache web server: 138.210.237.99
  • NMAP through the proxy
Section 2: Honeypot Detection
• Background
  • A honeypot system is a trap for malicious hackers
  • Two important types
    • Low-interaction: Honeyd
    • High-interaction: Honeynet
  • Most honeypots use VMware to emulate multiple systems on one computer
  • Examine how to detect that VMware is running on the compromised machine
Section 2: Honeypot Detection
• Website devoted to honeypot detection: http://www.trapkit.de/tools/index.html
• Scoopy_doo
  • Checks target machine register values against known VMware values
  • Runs on Linux and Windows
• Jerry
  • Uses the I/O backdoor in the VMware binary
  • Examines the value of register EAX
Section 3: Hiding Files
• Background
  • Once a system has been compromised the hacker must hide his presence
  • One way to do this is by hiding the files the hacker uses to exploit the target machine
  • Linux and Windows machines have different file systems and thus require different hiding mechanisms
  • Undeletable folders are another nuisance administrators face
  • http://archives.neohapsis.com/archives/sf/ms/2001-q2/att-1116/01-THE-END-OF-DELETERS-v2.1.txt
Section 3: Hiding Files
• Exercise 3.1 (Hiding Files in Linux)
  • Hide files with the “.” method
  • Hide files with ext2hide
    • http://e2fsprogs.sourceforge.net/
    • http://sourceforge.net/projects/ext2hide/
Section 3: Hiding Files
• Exercise 3.2 (Hiding Files in Windows)
  • Hide files with chmod properties
  • Hide files in an Alternate Data Stream in NTFS
Section 4: Editing & Removing Log Files
• Background
  • Log files can indicate a machine has been compromised
  • Can also give away “trade secrets” and lead to exploit patches
Section 4: Editing & Removing Log Files
• Editing logs in Linux
  • Linux logs can be modified with the proper tools
  • syslogd output is plain ASCII text and can be edited with any text editor
  • UTMP, WTMP, and LASTLOG are binary records and need a rootkit tool
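The binary login records mentioned above are what a defender can check for tampering: log-wiping tools typically overwrite a wtmp entry with zero bytes or cut it out, which leaves artefacts. This added example (not part of the original lab) parses wtmp records using glibc's x86_64 struct utmp layout and flags zeroed entries and timestamps that run backwards; the sample records are constructed inline.

```python
"""Scan Linux wtmp records for common signs of log wiping (added example)."""
import struct

# glibc struct utmp on x86_64: 384 bytes per record
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8


def build_record(ut_type, pid, line, user, host, ts):
    """Construct one utmp record (sample data, not read from a real system)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


# Constructed wtmp: two normal logins/logouts, one wiped record, one out-of-order record
SAMPLE_WTMP = b"".join([
    build_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1_177_000_000),
    build_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1_177_003_600),
    b"\0" * UTMP_SIZE,                                   # entry overwritten by a wiper
    build_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", 1_177_010_000),
    build_record(USER_PROCESS, 1322, "pts/2", "carol", "10.0.0.7", 1_176_990_000),
])


def parse_wtmp(data):
    """Split raw wtmp bytes into dicts; an incomplete trailing record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],                                # tv_sec of the record
            "zeroed": chunk == b"\0" * UTMP_SIZE,
        })
    return records


def find_tampering(records):
    """Return findings as strings; wtmp is append-only, so time must not regress."""
    findings, last_time = [], 0
    for i, r in enumerate(records):
        if r["zeroed"]:
            findings.append(f"record {i}: all-zero record (wiped entry)")
            continue
        if r["time"] < last_time:
            findings.append(f"record {i}: timestamp goes backwards ({r['time']} < {last_time})")
        last_time = max(last_time, r["time"])
    return findings


if __name__ == "__main__":
    print("\n".join(find_tampering(parse_wtmp(SAMPLE_WTMP))) or "no anomalies")
```

On a real host the same functions can be fed the contents of /var/log/wtmp; records from a different architecture need the matching struct layout.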
Section 4: Editing & Removing Log Files
• Editing logs in Windows
  • Windows logs can be modified and cleared with the Event Viewer
  • Logs cover application failures and security warnings, including failed login attempts
Section 5: Indirect and Passive Attacks
• Background
  • An attacker always wants to attack through indirect machines
  • Hides the compromised machine and therefore the hacker’s whereabouts
  • HP JetDirect allows indirect launching of attacks
Section 5: Indirect and Passive Attacks
• Exercise 5.1 (HP JetDirect Exploitation)
  • HiJetter: http://www.phenoelit.de/hp/download.html
  • Store files and scripts
  • Create websites: *Printer IP*/hp/device/
  • Run NMAP attacks through it
Conclusion
• Covering your tracks is key for effective hacking
• Avoid honeypots to reuse exploits and methods
• Hiding files and changing log files effectively covers tracks
• Running scans and attacks behind cover machines helps protect identity
Questions?