1 / 15

CIS 450 – Network Security

CIS 450 – Network Security. Chapter 16 – Covering the Tracks. Hacker’s Perspective http://www.thc.org/papers/COVER-1.TXT

tale
Download Presentation

CIS 450 – Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CIS 450 – Network Security Chapter 16 – Covering the Tracks

  2. Hacker’s Perspective • http://www.thc.org/papers/COVER-1.TXT • Backdoor – a way for an attacker to get back into a network or system without being detected. Attacker wants to maintain his access by hiding the fact that he was ever there.

  3. Four areas that an attacker is concerned with when covering their tracks: • Log files – audit trails that list who gained access, and for how long (and possibly what they did and what files they accessed) • File Information – since attackers normally have to modify key system files information for these files (date and file size) tend to change • Additional Files – attacker usually loads additional files to the system which could take a large amount of space • Network traffic – if IDS is utilized attacker has to search and eliminate the IDS records or mask his traffic to appear to be normal network traffic

  4. Log Files • Provide a listing of exactly what is done on the system and by whom • Logging has to be turned and checked • Attacker can delete the entire log file but this will set off a red flag to the administrator • Attacker can edit the log files and delete the entries to what the attacker did

  5. Linux Log Files • /etc/syslog.conf – main configuration file for the syslogd daemon that controls logging on • /var/run/utmp • Tracks who is currently logged into the system • Entry is added when user logs in and removed when user logs out • Binary file that can not be accessed directly but by common programs than come with OS: who; users; and finger

  6. Linux Log Files • /var/log/wtmp • Tracks all users who have logged in and have logged out of system. Can be created manually if not created by login. • Entry is added when user logs in and updated when user logs out • The file can grow rapidly on busy systems, so daily or weekly rotation is recommended • Binary file that can be accessed by the programs last and ac • /var/log/btmp • Records bad log on attempts • Can be created manually if not created by login • Should combine the results with those from wtmp to see if an attacker gained access after a failed attempt • Binary file that can be accessed by the lastb program

  7. Linux Log Files • /var/log/messages • Syslog is a utility for tracking and logging all manner of system messages from the merely informational to the extremely critical and can be configured to put most of the messages the file /var/log/messages • File is ASCII text and be looked at with the more, cat, and grep commands • /var/log/secure • Used to log any attempts to log in as root and attempts to use the su command. This file also contains information on attempts to connect from remote systems and failed attempts to log in as root. • File is ASCII text and be looked at with the more, cat, and grep commands

  8. Programs Available to Clean Up Log Files • Available from: • http://www.packetstormsecurity.org/unix-exploits/log-tools/ • http://www.dsinet.org/tools/logutils/

  9. Protecting UNIX Log Files • Set proper permissions on log files – read and write access should be limited to root • Use a separate server • Store your log files on a separate server • Use Honey Pots • Honey pots are one of the newest methods used in intrusion detection. • The idea behind a honey pot is to setup a "decoy" system that has a non-hardened operating system or one that appears to have several vulnerabilities for easy access to its resources. • The decoy system should be set up in a similar manner to those of the production servers in the corporation and should be loaded with numerous fake files, directories, and other information that may look real. • By making the honey pot appear to be a legitimate machine with legitimate files, it leads the hacker to believe that they have gained access to important information • Make regular backups of the log files – backup to several places across the network and some on removable media • Use write once media • Encrypt the log files • Review the log files on a regular basis

  10. System 2000 Logging • http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/03w2kadb.mspx

  11. File Information • When attacker puts in backdoor he has to modify some key system files • If file came with the base OS then it should not be modified in the course of using the system – check modified date • Some rootkits have utilities built in to modify file information • Protection Against • Create cryptographic hash on file - tripwire

  12. Additional Files • Attacker uploads tool to victim’s site so he has access to them when needed • Attacker tries to hide the fact that additional files have been added by: • Set the hidden attribute for a file • Rename the files • Create hidden partitions or shares • Modify the free space utility

  13. Additional Files • Use steganography tools • The art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks ) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images. • http://www.stegoarchive.com/ • THC Steganographic Challenge

  14. Additional Files • Protection Against – Know what’s on your system • Run software such as Tripwire

  15. Covering Tracks on the Network • Attacker will either try to hide their traffic or make it look like other traffic on the network • Loki • http://www.phrack.org/show.php?p=49&a=6 • http://windowsecurity.com/pages/article_p.asp?id=688 • Reverse WWW Shell • Malicious code attacks via HTTP • http://www.thc.org/papers/fw-backd.htm • Covert TCP • http://www.securityfocus.net/tools/1475

More Related