Malware and Hacker Bootcamp by steve_austin

Malware and Hacking Boot Camp

V 1.2 November 2007

Overview and Welcome • Welcome – Sponsor Introductions – Instructor Introductions – Student Introductions

Overview and Welcome • Materials Overview – Lab booklets – Lab and Reference CD – Software Protection Devices – Software Download Instructions – Software Update Information

FTP Software Download Instructions

• Web Browser • Direct Link: ftp://username:password @gargoyleupdates.wetstonetech.com • 3rd Party FTP Client • Address: ftp://gargoyleupdates.wetstonetech.com • Username: Provided by WetStone • Password: Provided by WetStone Copyright 2003-2007 WetStone Technologies, Inc. All Rights Reserved

Objectives • Course Objectives – Provide students with • A fundamental understanding of hacking methods, techniques and tools • A hands on experience where by the students can learn and practice hacking in a safe environment • A broad knowledge of hacking, cyber weapon and malicious code usage by criminals, terrorists and hackers • With a solid understanding on how to use and apply WetStone’s Gargoyle product to investigating malicious code and hacking • Test the students capability and certify them in malicious code investigation

Agenda • Day One – AM : Overview Lecture – PM : LAB 1-10

• Day Two – LAB 1-10 Completion

• Day Three – AM LAB 11-14 – PM LAB 15-20

• Day Four – AM LAB 15-20 Completion – PM Written Exam

Introduction

The Threat Hacking and Cyber Weapons In contrast with conventional, nuclear or biological weapons, the raw materials necessary to create advanced cyber weapons are 1â&#x20AC;&#x2122;s and 0â&#x20AC;&#x2122;s. The weapons and hacking techniques are today being shared freely, anonymously and instantly via the Internet and they are advancing

Hacking and Cyber Attacks Hacking and cyber attacks typically require no physical access to the target or targets, significant skill, or specialized capability. The attack can strike from anywhere and at anytime.

Hacking Effects The effects caused by these cyber weapons can be both swift and significant. Virtually no laws exist to control the production, sale or trade of these weapons, and our ability to prosecute those that launch them has proven to be difficult

Hacking and Cyber Attacks

â&#x20AC;&#x153;Any method or technique, when used by individuals, organizations or countries to perpetrate criminal, terrorist or unethical actions, or to cover-up such activitiesâ&#x20AC;?2

Source Hosmer 2003

Methods and Technologies

Methods and Technologies • Discovery – Computers, Network Equipment

• Penetration Testing – Search for exploits, services FTP etc, telnet

• Box Access – Physical, Remote

• Malicious Code – Trojan, Keylogger, Anti Forensics

Network Discovery Overview Software that performs scanning of network infrastructure in order to obtain reconnaissance data that will ultimately aid in hacking.

Characteristics • Active and Passive Collection • Port Scanning • System Identification • Dark Space Identification

Investigation Methods • Search for Discovery Software • Search for reconnaissance data • Search for network sniffers

Penetration Testing Overview Hardware and Software that provides manual or automated assessment of network infrastructure and server security readiness. Typically this testing is accomplished by simulating attacks against the network and/or computers.

Characteristics • Software and Hardware • Manual and automated Hacking • Cracking tools

Investigation Methods • Search for hacking Software • Search for cracking Software • Search for collected vulnerability data • Search for specific software development tools Source: Google Images Copyright 2003-2007 WetStone Technologies, Inc. All Rights Reserved

Worms Software Overview Self propagating executable software can be spread throughout networks and user groups.

Characteristics • Self Propagating • Rapid proliferation • Exploits vulnerabilities • Exploits user behavior • Polymorphic

Investigation Methods • Search for known signatures • Identification of suspicious ports • Identification of aberrant behavior

Source CNN.COM

Worm Attacks

Source CNN.COM

The Sentence

Whatâ&#x20AC;&#x2122;s Next?

Botnets Overview A network of compromised computers that can be remotely controlled and accessed for a variety of illegal purposes:

Characteristics • Launching Distributed Attacks • Denial of Service Activities • SPAM Distribution • Distributed Processing

Investigation Methods • Search for known botnet’s • Detection of unusual activity • Identification of suspicious ports • Identification of aberrant behavior

Source: IBM.COM Bots und Botnets - ein neues Kapitel in der Informationssicherheit

BOTNETS Advancement

Source: GCN.COM

BOTNETS Advancement

Source: GOVEXEC.COM

BOTNETS in the News

Source: NY Times and Washington Post

Rootkits Overview A cyber weapon that as the name implies provides root access to computer. Rootkits are designed to bypass legitimate control of operating system controls and assist intruders in maintaining access to systems while avoiding detection.

Characteristics • Stealthy operations • Detection countermeasures • Unfettered control of OS

Investigation Methods • Search for known Rootkits • OS Kernel aberrant behavior

Rootkits continue to evolve

Source: GCN

Trojan Horse Overview A software program that is purported to perform a certain action, but infact performs something completely different.

Characteristics • Stealthy operations • Does not propagate • Potential unfettered access

Investigation Methods • Search for known Trojan programs • Analysis of installed software • Analysis of user actions • Analysis of syslogs and events

A New Defense

Password Cracking Overview Computer software that employs dictionary, brute fore and hybrid attacks on authentication and access control security methods.

Characteristics • High performance application • Targeted to specific applications • Exploit weakness in design • Exploit Weakness in Behavior

Investigation Methods • Search for Cracking Software • Search for Dictionaries • Search for Rainbow Tables

Rainbow Tables Skirt Passwords

Key Logging Overview Software or hardware that is designed to record everything you type. The software can record passwords, credit card numbers, social security numbers, e-mail messages, documents you create and online logins

Characteristics • Software or Hardware • Records typed keys • Store context of keystroke activity • Numerous deployment methods

Investigation Methods • Search for Key logging Software • Search for recorded files • Examine memory for signs • Search for hardware devices

Key Logger Delivered via Worm

Wireless Hacking Overview Hardware and Software that provides unauthorized use or penetration into wireless networks.

Characteristics • Software and Hardware • Sniffing of wireless communications and network traffic • Software for cracking wireless encryption keys • Software for unauthorized access to wireless

Investigation Methods • Search for wireless Software • Search for wireless Hardware • Search for wireless web database access

Criminal On Ramps

Source: http://www.wigle.net/images/JiGLE.png http://www.wigle.net/images/JiGLE.png

Wireless Access Point Collection Evolution

Wireless Access Points Reported

2003: 2004: 2005: 2006: 2007:

220,096 632,997 2,050,987 4,850,362 8,438,045

Source: wigle.net

Wireless Cracking • The Basics – WEP (wired equivalent privacy) is 802.11's optional encryption standard – The encryption standard is implemented in the MAC Layer – Most radio network interface card (NIC) and access point vendors support the standard

Wireless Cracking • Encryption – Encryption occurs for each 802.11 Frame before transmission

Source: Google Images

– A shared secret key (40 or 64 bit) can be used by most equipment with some manufactures offering 128 bit capabilities – RSA supplied RC4 Stream Cipher is used to encrypted outgoing frames Copyright 2003-2007 WetStone Technologies, Inc. All Rights Reserved

Wireless Cracking •

WEP Weaknesses 1. RC4 provides stream encryption using XOR of the shared key (secret) and initialization vector (known but variable) with the payload 2. Since the plaintext payload in many cases begin the same for a given protocol (port) for example “From” in an e-mail smtp request header or “Get” for an http request (given enough similar packets the shared secret can be discovered. 3. This is exaggerated by the relative short 24 bit initialization vector (IV) this causes packets to use the same IV for different fames. Given enough frames with the same IV cracking can be accomplished Copyright 2003-2007 WetStone Technologies, Inc. All Rights Reserved

Anti-Forensics Overview Software used to clean a system of incriminating information. Sanitizing includes cleaning: browser history, browser cache, browser cookies, recent documents, run history, swap files, Find / Save / Open history, clipboard, recycle bin, temporary files, and overwriting of unallocated space

Characteristics • Software and Physical • Variety of wiping techniques • Manual, Scheduled and Automatic

Investigation Methods • Search for anti-forensic Software • Identify evidence destruction • Identify signs of tampering • Identify signs of altering Source: Google Images Copyright 2003-2007 WetStone Technologies, Inc. All Rights Reserved

Phishing Overview The method of acquiring sensitive information such as user names and passwords, credit card and social security numbers.

Characteristics • Social Engineering • Creation of realistic web pages • Creation of realistic e-mails • Luring unsuspecting victims

Investigation Methods • Search for Phishing software tools • Search for Identity information •

Phishing Statistics

Source: PhishTank.com

Popular Phishing Targets

Source: PhishTank.com

Side Jacking Overview The exploitation of a valid network session that usually involves the use of a secret session key to gain unauthorized online access.

Characteristics • Software • Sniffing of wireless • Intercept of a special “magic cookie”

Investigation Methods • Search for Sidejack Software • Search for wireless Software • Search for interest in HTTP, Cookies or Magic Cookies

Data Hiding and Steganography Overview Computer software designed to scramble information (encryption) or to hide the existence of that information in innocuous files such as digital images, audio or video files, (steganography). The program can conceal incriminating information or covertly communicate information over the Internet

Characteristics • Concealing covert or incriminating information inside a carrier • Utilization of the internet as a dead drop

Dangers of Steganography • Steganography vs. Encryption – Steganography and Encryption each have distinct purposes • Encryption – Keeps information private by using a mathematical algorithm which renders the contents unreadable unless you possess a specific key allowing you to decipher the message – Encrypted objects are typically easy to identify or detect – The existence of the message is obvious, however the content is obscured

• Steganography – Hides the actual existence of a message or hidden data – Hides information in plain sight by exploiting weaknesses of our human senses

Dangers of Steganography

Encryption

Steganography

How big is the problem? 500

Steganography Programs in the Wild 500+

450 400 350 300 250 200 150 100 50 0 2001

2002

2003

2004

2005

2006

Today

How global is the problem?

A R A B I C

How global is the problem?

C H I N E S E

How global is the problem?

G E R M A N

How global is the problem?

K O R E A N

Advanced Threats : Audio MP3 – Stego

• Portable audio is ubiquitous in society as mp3 is everywhere • Large amounts of data can be stored in a single song or play list • Minute audible changes are made to the carrier during encoding • The new MP3 Stego program brings audio stego to the mainstream

Advanced Threats : Digital Video Stego

• Carrier sizes are vast – DVD = 4.7 GB – Blu-ray = 25 GB

• Hiding can occur in any video or audio sequence • Extraction of payload after compression is possible • One example program is “MSU Stego Video”

Advanced Threat : VOIP Stego

How can Hacking Tools and Cyber Weapons be Obtained?

Are they really out there?

Obtaining Cyber Weapons • Cost is Cheap or Free – Free and anonymous Internet download – Peer to Peer network interchange

• Cyber Weapons Include – Source code – Criminals share secrets and success

Obtaining Cyber Weapons

Chet Hosmer

Chief Scientist

Tim Bradish

Forensic Specialist

Matt Davis

Forensic Specialist

Don Smith

Computer Scientist

Group Discussions

Group Discussions â&#x20AC;˘

Overview 1. Organize into 5 Groups 2. Work the following challenge problems within your group 3. Define a spokesperson for each challenge problem 4. Present your results to the whole group

Group Challenge I – The Wireless Hack • Challenge – Wireless networks are susceptible to mapping and attack due to the RF communication method. – A manufacturing facility utilizes secure wireless networks throughout the facility to control all aspects of the manufacturing process. – The facility has guarded access preventing you from get close enough for traditional war driving.

• Devise a plan of attack that will allow you to accomplish the following: – Map the wireless access points and wireless devices – Gain unauthorized access to the wireless network – Inject malicious code that would disrupt and/or produce errors in the manufacturing processes

Group Challenge II – Getting Away with It •

Challenge – You installed a key logger on 25 data entry workstations at a major financial institution where credit card numbers and accounts were being entered. You inserted the key logger as part of a software patch update you were hired to perform. – The key logger has secretly emailed to you 1000’s of identities from these computers over the past month and you are ready to exploit these identities for profit.

•

Getting away with it –

–

You need to cover your tracks and eliminate any residual evidence related to your activities Devise an anti-forensic plan of attack that would accomplish two key objectives: 1. “Self Preservation” Eliminate any trail that would lead investigators to your door step 2. “Billing Cycle” Buy yourself at least 30 days (or longer) before investigators could connect the dots relating to the information loss

Group Challenge III – The Plan • Challenge – Typical networking infrastructures utilize routing, network address translation, firewalls, intrusion detection systems, virus protection and content filters to protect them from hacking.

• Planning and overcoming obstacles – Using any combination of methods, techniques and tools, devise a general plan of attack for gaining unauthorized access to the organizations web server.