The New Breed of Hacker Tools & Techniques

Ed Skoudis
VP, Security Strategy
Predictive Systems
ed.skoudis@predictive.com


© 2002, Ed Skoudis and Predictive Systems

"Crack the Hacker" Challenge

Win a key-chain USB Hard Drive!

http://searchwebmanagement.discussions.techtarget.com

Look for skoudis

Or, Just go to: http://searchwebmanagement.discussions.techtarget.com/[email protected]^[email protected]/82!viewtype=threadDate&skip=&expand=


Key Points

- General Trends
- War Driving
- Polymorphic Buffer Overflow
- Hidden Backdoors
- Super Worms
- Conclusions


General Trends

- The rise of anti-disclosure
  - Full-disclosure has its problems: tell everyone everything
  - Anti-disclosure has a whole new set of problems
  - Famous Microsoft letter on "Information Anarchy"
  - Driving some things underground
- Kiddies don't have everything… …but what is lurking out there?
- Hacktivism
  - In times of war, attackers can make a political point
- Attacks targeting end-user systems on high-bandwidth connections (DSL and cable modem)
- A focus on tools getting more stealthy
  - Hiding has tremendous benefits for an attacker



Wireless Attacks

- Wireless technology is getting much cheaper
  - Base stations for less than $200, with wireless cards under $100
- IEEE 802.11b standard very popular
- Employees setting up their own access points so they can roam around the halls
  - Very dangerous!
- War driving
  - With a laptop and wireless card, an attacker can drive down the street and join many wireless LANs!


Wireless Misconfigurations

- Many wireless access points (a.k.a. base stations) are configured with no security
- In some installations, users think SSIDs are passwords
  - They are not! Blank or default SSIDs are common
- Access points often respond to broadcast requests asking for the SSID
- SSIDs are sent in clear text and can be sniffed


NetStumbler - Premier Tool for War Driving

- NetStumbler, by Marius Milner
  - http://www.netstumbler.com
- Windows-based (95, 98, ME, 2000, XP) and PocketPC (MiniStumbler)… but not NT


Other Tools For War Driving

- Wi-scan (Perl script)
  - http://www.dis.org/wl/
  - Ties in geography (using GPS) with SSID
- Airsnort
  - http://airsnort.sourceforge.net/
  - Cracks WEP keys
  - Runs on Linux, requires Prism2 chipset (Linksys), and needs ~500 MB of data
- Airopeek
  - www.wildpackets.com/products/airopeek
  - Commercial


War Driving Defenses

- Set SSID to difficult-to-guess value
  - Can still be broadcast, sniffed, or brute forced
  - Not at all effective!!
- MAC address filtering at access point
  - Wireless card MAC addresses can be spoofed; Dsniff supports this
- Set WEP keys, and rotate them periodically
  - Remember, WEP can be cracked
- Best defense: use a Virtual Private Network
  - All data from end system through wireless device to VPN gateway encrypted and authenticated
- Establish policy for these items
  - Check out www.counterhack.net for examples



What is a Buffer Overflow?

- Seminal paper on this technique by Aleph One titled "Smashing the Stack for Fun and Profit"
- Allows an attacker to execute arbitrary commands on your machine
  - Take over system or escalate privileges
  - Get root or admin privileges
- Based on putting too much information into undersized receptacles
  - Caused by not having proper bounds checking in software


A Normal Stack

- Programs call their subroutines, allocating memory space for function variables on the stack
- The stack is like a scratchpad for storing little items to remember
- The stack is LIFO
- The return pointer (RP) contains the address of the original function, so execution can return there when the function call is done

[Figure: Normal Stack. From top of memory down to bottom of memory: Function Call Arguments, Return Pointer, Buffer 1 (Local Variable 1), Buffer 2 (Local Variable 2), ... The fill direction arrow points from the buffers toward the return pointer.]


Smashing The Stack

- User data is written into the allocated buffer by the function
- If the data size is not checked, the return pointer can be overwritten by user data
- Attacker places exploit machine code in the buffer and overwrites the return pointer
- When the function returns, the attacker's code is executed

[Figure: Smashed Stack. From top of memory down to bottom of memory: Function Call Arguments, New Pointer to exec code (Return Pointer is overwritten), Machine Code: execve(/bin/sh) (Buffer 1 space is overwritten), Buffer 2 (Local Variable 2), ... The fill direction arrow points from the buffers toward the return pointer.]
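To make the two stack pictures concrete, here is an added C example; it is not code from the deck or from the paper it cites. It puts the unchecked strcpy() pattern that produces the "Smashed Stack" next to a bounded copy that refuses input which would not fit. The function names (vulnerable_copy, would_overflow, safe_copy), the 16-byte buffer size and the sample strings are all made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* the "undersized receptacle" */

/* The vulnerable shape ("Smashed Stack"): strcpy() copies until it finds a
 * NUL byte and never consults sizeof buf, so input longer than 15 bytes runs
 * past buf and over whatever sits above it on the stack, including the saved
 * return pointer. Kept only as the 'before' picture; nothing below calls it. */
void vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);          /* no bounds check */
    printf("got: %s\n", buf);
}

/* Bounded length: bytes before the NUL, but never looks past 'limit' bytes
 * of input, so an unterminated input cannot cause an over-read either. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Would strcpy()-ing 'input' into a buf_size-byte buffer overflow it?
 * Returns 1 if yes (the NUL terminator needs a byte too), 0 if it fits. */
int would_overflow(const char *input, size_t buf_size) {
    return bounded_len(input, buf_size) >= buf_size;
}

/* Hardened shape: the destination size is part of the contract, and over-long
 * input is rejected rather than truncated silently or copied blindly.
 * Returns 0 on success, -1 if the input does not fit (out is left untouched). */
int safe_copy(char *out, size_t out_size, const char *input) {
    size_t len = bounded_len(input, out_size);
    if (len >= out_size) return -1;   /* no room for data plus NUL */
    memcpy(out, input, len + 1);      /* len < out_size, so the NUL fits */
    return 0;
}

int main(void) {
    char buf[BUF_SIZE];
    /* constructed sample inputs: one that fits, one 32 bytes long */
    const char *short_input = "hello";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short: would_overflow=%d safe_copy=%d\n",
           would_overflow(short_input, sizeof buf),
           safe_copy(buf, sizeof buf, short_input));
    printf("long:  would_overflow=%d safe_copy=%d\n",
           would_overflow(long_input, sizeof buf),
           safe_copy(buf, sizeof buf, long_input));
    return 0;
}
```

The point of safe_copy is that it takes the buffer size as an argument instead of trusting the caller, which is exactly the "proper bounds checking" the previous slide says is missing; rejecting instead of truncating also avoids quietly feeding a clipped value to whatever code runs next.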


Improving the Odds that the Return Pointer Will be OK

- Include NOPs in advance of the executable code
- Then, if your pointer goes to the NOPs, nothing will happen
- Execution will continue down the stack until it gets to your exploit
- NOPs can be used to detect these exploits on the network
- Many ways to do a NOP

[Figure: Smashed Stack with a NOP sled. From top of memory: Function Call Arguments, New Pointer to exec code (Return Pointer is overwritten), NOP NOP NOP NOP NOP, Machine Code: execve(/bin/sh), ... (Buffer 1 space is overwritten).]


Polymorphic Buffer Overflow

- In April 2001, ADMutate released by K2
  - http://www.ktwo.ca/security.html
- ADMutate designed to defeat IDS signature checking by altering the appearance of the buffer overflow exploit
  - Using techniques borrowed from virus writers
- Works on Intel, Sparc, and HPPA processors
- Targets Linux, Solaris, IRIX, HPUX, OpenBSD, UnixWare, OpenServer, TRU64, NetBSD, and FreeBSD


How ADMutate Works

- We want functionally equivalent code, but with a different appearance
  - "How are you?" vs. "How ya doin'?" vs. "What's up?"
- Exploit consists of 3 elements
  - NOPs
  - Exec-a-shell code
  - Return address

[Figure: the three exploit elements: Pointer to exec stack code, NOP NOP NOP NOP NOP, Machine Code: execve(/bin/sh).]


Mutation Engine

- ADMutate alters each of these elements
  - NOP substitution with operationally inert commands
  - Shell code encoded by XORing with a randomly generated key
  - Return address modulated: least significant byte altered to jump into different parts of the NOPs

[Figure: the mutated exploit: Modulated Pointer to NOP Substitutes; a sled of NOP substitutes (NOP substitute, Another NOP, Yet another NOP, A different NOP, Here's a NOP); XOR'ed Machine Code: execve(/bin/sh).]


What About Decoding?

- That's nice, but how do you decode the XOR'ed shell code?
  - You can't just run it, because it is gibberish until it's decoded
  - So, add some commands that will decode it
- Can't the decoder be detected by IDS?
  - The decoder is created using random elements
  - Several different components of decoder (e.g., 1,2,3,4,5,6,7)
  - Various decoder components can be interchanged (e.g., 2-3 or 3-2)
  - Each component can be made up of different machine language commands
  - The decoder itself is polymorphic

[Figure: the mutated exploit from the previous slide (Modulated Pointer to NOP Substitutes, NOP substitutes, XOR'ed Machine Code: execve(/bin/sh)) with a Polymorphic XOR Decoder added.]


ADMutate – Customizability!

- New version allows attacker to apply different weights to generated ASCII equivalents of machine language code
- Allows attacker to tweak the statistical distribution of resulting characters
- Makes traffic look more like "standard" for a given protocol, from a statistical perspective
  - Example: more heavily weight characters "<" and ">" in HTTP
- Narrows the universe of equivalent polymorphs, but still very powerful!


ADMutate Defenses

- Defend against buffer overflows
  - Apply patches: defined process
  - Non-executable system stacks
    - Solaris: OS setting
    - Linux: www.openwall.com
    - NT/2000: SecureStack from www.securewave.com
  - Code review: educate developers
- Detection: IDS vendors at work on this capability now
  - Snort release in Feb 2002 looks for variations of the NOP sled
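The "Improving the Odds" slide says NOPs can be used to detect these exploits on the network, and the Mutation Engine and ADMutate Defenses slides explain why a signature for a run of 0x90 bytes stops working once the sled is built from substitute instructions. The C example below is added here and is not from the deck, from ADMutate or from Snort: it compares a classic 0x90-only check with a check that accepts any run drawn from a small, assumed list of inert single-byte 32-bit x86 instructions. The byte strings are constructed, and both the opcode list and the 8-byte threshold are illustrative choices rather than a real IDS rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic signature: a run of plain NOP (0x90) bytes. */
static int is_classic_nop(uint8_t b) {
    return b == 0x90;
}

/* Assumed, deliberately small list of single-byte 32-bit x86 instructions
 * that do not disturb the state an exploit relies on, so a sled can be built
 * from any mix of them (the "NOP substitution" the Mutation Engine slide
 * describes). Real IDS lists are much longer; this subset is for illustration. */
static int is_inert_byte(uint8_t b) {
    if (b == 0x90) return 1;               /* nop */
    if (b >= 0x40 && b <= 0x4f) return 1;  /* inc/dec general register */
    if (b == 0xf8 || b == 0xf9) return 1;  /* clc / stc */
    if (b == 0xfc || b == 0xfd) return 1;  /* cld / std */
    return 0;
}

/* Length of the longest unbroken run of bytes accepted by 'accept'. */
static size_t longest_run(const uint8_t *buf, size_t len, int (*accept)(uint8_t)) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = accept(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

size_t classic_sled_length(const uint8_t *buf, size_t len) {
    return longest_run(buf, len, is_classic_nop);
}

size_t inert_sled_length(const uint8_t *buf, size_t len) {
    return longest_run(buf, len, is_inert_byte);
}

/* Alert when the inert run is at least 'threshold' bytes. The threshold is
 * the tuning knob: set it too low and ordinary text trips it (see main). */
int looks_like_sled(const uint8_t *buf, size_t len, size_t threshold) {
    return inert_sled_length(buf, len) >= threshold;
}

/* Constructed samples, not captured traffic. The first two end in four filler
 * bytes standing in for whatever follows the sled. */
const uint8_t PLAIN_SLED[16] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x00, 0x01, 0x02, 0x03 };
const uint8_t SUBSTITUTED_SLED[16] = {
    0x41, 0x90, 0x4f, 0xf8, 0x42, 0xfc, 0x90, 0x48,
    0x43, 0xfd, 0x90, 0x4a, 0x00, 0x01, 0x02, 0x03 };
/* Plain ASCII: note that 'A'..'O' are 0x41..0x4f, the inc/dec opcodes above. */
const uint8_t BENIGN_TEXT[] = "GET /index.html";
#define SLED_THRESHOLD 8

int main(void) {
    printf("plain sled:       classic=%zu inert=%zu alert=%d\n",
           classic_sled_length(PLAIN_SLED, sizeof PLAIN_SLED),
           inert_sled_length(PLAIN_SLED, sizeof PLAIN_SLED),
           looks_like_sled(PLAIN_SLED, sizeof PLAIN_SLED, SLED_THRESHOLD));
    printf("substituted sled: classic=%zu inert=%zu alert=%d\n",
           classic_sled_length(SUBSTITUTED_SLED, sizeof SUBSTITUTED_SLED),
           inert_sled_length(SUBSTITUTED_SLED, sizeof SUBSTITUTED_SLED),
           looks_like_sled(SUBSTITUTED_SLED, sizeof SUBSTITUTED_SLED, SLED_THRESHOLD));
    printf("benign text:      classic=%zu inert=%zu alert=%d\n",
           classic_sled_length(BENIGN_TEXT, sizeof BENIGN_TEXT),
           inert_sled_length(BENIGN_TEXT, sizeof BENIGN_TEXT),
           looks_like_sled(BENIGN_TEXT, sizeof BENIGN_TEXT, SLED_THRESHOLD));
    return 0;
}
```

On the substituted sled the classic check sees at most one 0x90 in a row and stays silent, while the broadened check sees a 12-byte run. The benign request shows the cost: uppercase letters A through O are themselves inc/dec opcodes, so "GET /index.html" already produces a run of 2, and a threshold of 2 would alert on it. That overlap with printable ASCII is the same property the Customizability slide describes ADMutate exploiting by weighting output toward characters normal for the protocol, which is why the threshold and the protocol context matter as much as the opcode list.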



Hidden Backdoors

- Attacker takes over your system and installs a backdoor to ensure future access
  - Backdoor listens, giving shell access
- How do you find a backdoor listener?
- Sometimes, they are discovered by noticing a listening port
  - Nmap port scan across the network
  - Running "netstat -na" locally
  - Running lsof (UNIX) or Inzider (Windows)

[Figure: a backdoor on a host listens on port ABC, reachable from the network.]


Sniffing Backdoors

- Who says a backdoor has to wait listening on a port?
- Attackers don't want to get caught
  - They are increasingly using stealthy backdoors
- A sniffer can gather the traffic, rather than listening on an open port
  - Non-promiscuous sniffing backdoors: grab traffic just for one host
  - Promiscuous sniffing backdoors: grab all traffic on the LAN


Non-Promiscuous Backdoor – Cd00r

- Written by FX
  - http://www.phenoelit.de/stuff/cd00r.c
- Includes a non-promiscuous sniffer
  - Gathers only packets destined for the single target machine
- Several packets directed to specific ports (where there is no listener) will trigger the backdoor
  - Sniffer grabs packets, not a listener on the ports
- Backdoor root shell starts to listen on TCP port 5002 only when packets arrive at the trigger ports


Non-Promiscuous Backdoor – Cd00r in Action

- The idea has been extended to eliminate even port 5002
  - Netcat can push back a command shell from the server, so no listener is ever required
  - Connection goes from server back to client

[Figure: sequence between client and server. The client sends SYN to port X, SYN to port Y, SYN to port Z; the sniffer on the server analyzes traffic destined just for this machine, looking for ports X, Y, Z. After Z is received, the server activates a temporary listener on port 5002, and the client connects to the root shell on port 5002.]
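The Hidden Backdoors slide suggests finding a backdoor by noticing a listening port with netstat or lsof, and the Cd00r slides show why a single look can miss one: port 5002 is open only after the trigger packets arrive. The C example below is added here (it is not from the deck or from cd00r) and implements that check the way a host-based monitor would on Linux: parse /proc/net/tcp, keep only sockets in LISTEN state, and report any local port that is not in an expected baseline. The dump and the baseline of ports 22 and 80 are constructed for the illustration; on a real host the function would be fed the file's contents on a schedule, because a listener that exists only briefly is caught only by polling.

```c
#include <stdio.h>
#include <string.h>

#define TCP_LISTEN 0x0A   /* socket state code used in /proc/net/tcp */

/* Parse one line of /proc/net/tcp. Returns 1 and stores the local port if the
 * socket is in LISTEN state; returns 0 for other states and for the header. */
int parse_listen_line(const char *line, unsigned *port) {
    unsigned p, state;
    /* fields: "sl: local_addr:port rem_addr:port st ..." with addresses and
     * ports in hex; the header line fails the first conversion and is skipped */
    if (sscanf(line, " %*d: %*8[0-9A-Fa-f]:%4x %*8[0-9A-Fa-f]:%*4x %2x",
               &p, &state) != 2)
        return 0;
    if (state != TCP_LISTEN) return 0;
    *port = p;
    return 1;
}

/* Is 'port' one we expect to be listening on this host? */
int is_expected(unsigned port, const unsigned *expected, size_t n_expected) {
    for (size_t i = 0; i < n_expected; i++)
        if (expected[i] == port) return 1;
    return 0;
}

/* Walk a newline-separated /proc/net/tcp dump and collect listening ports
 * that are not in the baseline. Returns how many were found; the first
 * max_found of them are written to 'found'. */
size_t unexpected_listeners(const char *dump, const unsigned *expected,
                            size_t n_expected, unsigned *found, size_t max_found) {
    size_t count = 0;
    const char *p = dump;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;   /* overlong line: clip */
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned port;
        if (parse_listen_line(line, &port) && !is_expected(port, expected, n_expected)) {
            if (count < max_found) found[count] = port;
            count++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Constructed dump in /proc/net/tcp format (not from a real host): sshd on
 * 22 and a web server on 80 listening, one established HTTP connection, and
 * an unexplained listener on 0x138A = 5002, the port cd00r opens on demand. */
const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0\n"
    "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0\n"
    "   2: 0100000A:0050 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0\n"
    "   3: 00000000:138A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0\n";

const unsigned BASELINE_PORTS[] = { 22, 80 };
#define N_BASELINE (sizeof BASELINE_PORTS / sizeof BASELINE_PORTS[0])

int main(void) {
    unsigned found[16];
    size_t n = unexpected_listeners(SAMPLE_PROC_NET_TCP, BASELINE_PORTS, N_BASELINE,
                                    found, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("unexpected listener on TCP port %u\n", found[i]);
    return 0;
}
```

The established connection on port 80 is ignored because only state 0A (LISTEN) is of interest, and the known services are filtered by the baseline, which leaves 5002 as the one thing worth a closer look. The baseline is the hard part in practice: it has to be maintained per host, and a backdoor that never listens at all (the netcat variant on this slide) will not show up here, which is why the defenses slide that follows also asks for process inventory and traffic monitoring.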


Promiscuous Backdoor

- Can be used to help throw off an investigation
- Attacker sends data for a destination on the same network
- But the backdoor isn't located at the destination of the backdoor traffic
  - Huh? How does that work?


Promiscuous Backdoor in Action

- Backdoor is located on DNS server
- All packets sent to WWW server
- DNS server backdoor sniffs promiscuously
- In switched environment, attacker may use ARP cache poisoning
- Confusing for investigators

[Figure: the Internet, a Firewall, and behind it a DNS server and a WWW server on the same LAN; the sniffer on the DNS server listens for traffic destined for the WWW server.]


Sniffing Backdoor Defenses

- Prevent attacker from getting on system in the first place (of course)
- Know which processes are supposed to be running on the system
  - Especially if they have root privileges!
  - Not easy, but very important
  - Beware of stealthy names (like "UPS" or "SCSI")
- Look for anomalous traffic
- Look for sniffers



Here Come the Worms!

- Compromising systems one-by-one can be such a chore
- Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses
- Worms automate the process
  - Take over systems
  - Scan for new vulnerable systems
  - Self-replicate by moving across the network to another vulnerable system
- Each instance of a worm is a "segment"


2001: Year of the Worm?

- In 2001, we saw: Ramen, L10n, Cheese, Sadmind/IIS, Code Red and Code Red II, Nimda
- To date, worms haven't been nearly as nasty as they could be
- Most damage is a result of worm resource consumption
- New generations of worms arrive every 2 to 6 months


Coming Soon - Super Worms

- 2002 could be even wormier
  - Be on the lookout for very nasty new worms
- Multi-functional: spread, steal, erase, etc.
- Multi-platform: Win, Linux, Solaris, BSD, AIX, HP-UX…
- Multi-exploit: many buffer overflows, etc.
- Zero-day exploits: just discovered; no patch available
- Polymorphic
- Metamorphic
- We've seen many of these pieces, but no one has rolled them all together… yet!


Worm Defenses

- Buffer overflow defenses help a lot here
- Rapidly deploy patches
- Anti-virus solutions
  - At the desktop… …AND at the mail server …AND at the file server
- Incident response capabilities, linked with network management



Conclusions

- The attack tools continue to get better
- Attackers are getting stealthier every day
- But don't fret… we can work diligently to keep up
- There's no such thing as 100% security
- Still, by preparing, we can get ready for the big 'uns


References – Keeping Up

- The web: www.securityfocus.com, www.searchsecurity.com, www.counterhack.net
- Books:
  - Hack Counter Hack CD-ROM, Skoudis, 2002
  - Counter Hack, Skoudis, 2001
  - Hacker's Challenge, Schiffman, 2001
  - Hacking Exposed, Kurtz et al., 2001


"Crack the Hacker" Challenge

Win a key-chain USB Hard Drive!

http://searchwebmanagement.discussions.techtarget.com

Look for skoudis

Or, Just go to: http://searchwebmanagement.discussions.techtarget.com/[email protected]^[email protected]/82!viewtype=threadDate&skip=&expand=