
Hacker Techniques, Exploits & Incident Handling

Notes written by Uma Mahesh Padisetty

✓ Always keep handwritten notes.

o Whom you met, what you asked, which commands you ran.

✔ Consider carrying an audio recorder.

o Video recordings may carry policy obligations.

✔ Make sure management understands your value: present an incident handling summary (a slide of all incidents, with graphs). For a quiet month, include information from other sources, such as SANS, to avoid budget cuts.

✔ The team needs the right people: core experts in all disciplines.

o Two from Unix, two from Windows.

o Network management personnel, since a lot of information comes from routers and switches.

o In-house legal counsel.

o HR, when action needs to be taken against people.

o Disaster Recovery/BCP should not be the head of incident handling.

✔ Have a system build checklist, i.e., the basic system build documents for those servers, etc.

✔ To run bridge calls, keep a list of contact information for all key personnel and emergency numbers.

✔ Test your setup periodically (not too regularly; people hate that).

Source of real-world incident scenarios

CounterHack PPT:

✔ Incident handlers sometimes need access to devices with admin privileges.

o Bargain with the operations team.

✔ Provide users a way to contact the incident handling team.

o A hotline number, an email address, and occasional alert mails.

o A dedicated climate-controlled room (say, a SOC) is needed.

✔ Always plan backups of evidence.

✔ Helpdesks are important; they are the eyes of the incident handling team.

o Educate helpdesk staff to report specific kinds of incidents to us.

✔ Incident Response Kit: a set of tools

o Have a jump bag of hard disks for taking backups.

o Binary backup software: dd and WinDD.

o Netcat: move filesystem images across the network and capture the output of certain commands.

o Forensic software

▪ Free: The Sleuth Kit, Autopsy

▪ Commercial: Guidance Software EnCase

o Diagnosis software (a rootkit installed on the machine may lie to you about the bad guy, since a rootkit modifies the operating system itself; so carry your own trustworthy set of tools on a CD or pen drive for diagnosis).

▪ A good bootable Linux disk (e.g., Helix)

o Use something like a network tap to capture traffic; hubs and switches can't be used.

▪ Cannot be used on servers

▪ The bad guy can identify it, as it is bidirectional

▪ Available from NetOptics (the USB-powered tap is easy to use)

o Cables (1 straight-through, 1 crossover, 1 USB-to-serial, 1 serial cable for routers, a spare hard drive cable)

o Laptop with multiple operating systems (at least as virtual machines)

✔ Interview the operations people with open-ended questions like:

What recent changes were made to the firewall?

What recent configuration changes were made?

What patches were applied?

Were any scripts executed?

✔ Involve your peers in handling the incident, and have everyone keep notes. Also involve the necessary people, such as the administrator, business manager, risk manager, client POC, etc.

✔ Network Perimeter Detection

← tcpdump -n

✔ Host Perimeter Detection

← Firewall Logs

← netstat -an

← Virus Response Tool Kit (LiveIR)

✔ System administrator cheat sheets (for Windows and Linux) list the commands a system administrator uses to find anomalies.
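As an added example (not from these notes or from any cheat sheet they mention), here is a small Python script that does the kind of anomaly check the cheat sheets are for: it parses netstat -an output, compares the listening ports against a baseline of expected listeners from the system build checklist, and flags established connections to addresses outside the internal ranges. The sample output, the expected-listener set and the internal address ranges are all constructed for the example:

```python
import ipaddress

# Constructed sample of "netstat -an" output from a Linux host (not real data).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:49152          203.0.113.9:6667        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Baseline of listeners this host is supposed to have (assumed, from the build checklist).
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("udp", 123)}

# Address ranges treated as internal (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); works for '0.0.0.0:22' and ':::80'."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def is_internal(addr):
    """True when addr falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def audit_netstat(output, expected=EXPECTED_LISTENERS):
    """Compare netstat -an output against the baseline.

    Returns a dict with:
      unexpected_listeners: [(proto, local_endpoint), ...]
      external_connections: [(proto, local_endpoint, foreign_endpoint), ...]
    """
    unexpected, external = [], []
    for line in output.splitlines():
        fields = line.split()
        # Data rows start with a protocol name and have at least 5 columns.
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        local, foreign = fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        _, port = split_endpoint(local)
        # UDP sockets have no state column; a '*' foreign endpoint means "bound/listening".
        if state == "LISTEN" or (proto == "udp" and foreign.endswith(":*")):
            if (proto, int(port)) not in expected:
                unexpected.append((proto, local))
        elif state == "ESTABLISHED":
            faddr, _ = split_endpoint(foreign)
            if not is_internal(faddr):
                external.append((proto, local, foreign))
    return {"unexpected_listeners": unexpected, "external_connections": external}


if __name__ == "__main__":
    for kind, rows in audit_netstat(SAMPLE_NETSTAT).items():
        print(kind)
        for row in rows:
            print("  ", *row)
```

The baseline is what makes this useful: a listener on 4444 or an established session to an outside host on 6667 only stands out when you know what the box looked like when it was built.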

Session 2

✓ sc (service controller), services.msc, msconfig, net view, etc.

✓ at, to check what jobs are scheduled; Process Explorer from Sysinternals.


✓ Netcat: to transfer data over TCP and UDP ports.

✓ We have to document a chain of evidence (a collection of events). E.g., when a law enforcement officer asks for a hard drive, ask for proof (mail, fax) and then send a copy of the real one.

✓ Preparation

✓ Identification

✓ Containment:

o Short-term containment: pause the attacker temporarily without changing the configuration the attacker made, i.e., block the network or port, isolate the machine.

Maintain a good relationship with the management sponsor, who provides resources and removes blockers. The management sponsor can be the LIRM or SDM; notify them.

Coordinate with network personnel to isolate the machine from the network, by pulling the LAN cable from the machine or blocking the switch port it is attached to.

Bad guys usually hit by IP address. Change the IP in the DNS servers so that your customers reach your actual service while the bad guy keeps hitting the old machine. This helps until we get some information. The problem is convincing management.

Maintain a low profile while investigating. Do not do reconnaissance from the infected machine; if needed, do it from another machine (lab).

Back up the machine (create images using dd, WinDD, etc. from a live CD).

How do you deal with filesystems holding terabytes of data?

Such devices usually have RAID mirroring, with a button to synchronize the mirror. Push the button and take the mirror.

Use the built-in backup software.

Copy only the system partition where the OS resides, and the logs.

Use a tool for logging incidents that assigns an incident number.

E.g.: RTIR (Real Time Incident Response) -

BlackThorn -

o Long-term containment and eradication:

Remove/disable accounts

Shut down/remove backdoors

Change passwords

✓ Eradication

✓ Recovery

✓ Lessons Learnt

• Ask open-ended questions, not yes/no questions.

• Espionage: Espionage or spying involves an individual obtaining information that is considered secret or confidential without the permission of the holder of the information.

Tip#1: When handling such cases, use trusted people.

Tip#2: Try target analysis of our own organization.

Tip#3: To generate an event when critical documents are transferred, embed a unique serial number in them so that Google can bring it up, and use a signature so that the IDS can identify the transfer.

Tip#4: Always have access to various logs, not just device logs but physical logs such as datacenter entry/exit records, a person's call records, surveillance videos, etc.

• Unauthorized use:

Tip#1: Organizational Reconnaissance.

• Phone Phishing:

The email states that your account has a problem and asks you to call a number to fix it. The number goes to a VoIP line with a phishing IVR imitating the bank, asking you to enter your account number and PIN for authentication.

• Inappropriate web access:

Pull the proxy logs (but only if HR asks in writing, not just because a manager asks).

Blue Coat, SurfControl, etc. can block unwanted sites categorized as pornography, malware sources, etc.

• Insider Threat:

It could be a contractor, a business partner, or an employee.

It can be destructive or non-destructive (which doesn't mean not damaging: they copy data and take it out).

They might plant logic bombs.

A warning banner helps deter insider threats. Always get authorization from HR before monitoring a suspicious person; otherwise they might sue you.

Ask open-ended questions.

• Intellectual Property Theft:

Patents: protect innovations.

Copyrights: protect specific expressions of ideas and content.

Trademarks: protect brands.

Confusion attack: using the same fonts and colors so that the duplicate is confused with the original, e.g., Microsoft and Microsaft.

Trade secret protection: things from which we derive economic value by their being secret. Provides various penalties for violation; protects against theft.

How to identify a breach of intellectual property?

To prove theft and intellectual property violation, we need to show that we took adequate measures to protect it.

• Law, Crime and Evidence

Three Domains:

• US Federal Law:

Title 10 Section 2030: Computer Fraud and Abuse Act

1) Computers working for the government

2) Computers associated with infrastructure

3) Computers associated with e-commerce

The law applies only if damage > $5000.

DAY2

Session 1

Talks about vulnerabilities, disclosures and complications

✓ Whenever a vulnerability is found, it is advised to contact the vendor and go public only when they patch, or after a timeframe of 90 days (mostly) or even 180 days. If the vulnerability was found via reverse engineering, you could be sued under the DMCA.

✓ TippingPoint will buy vulnerabilities.

✓ Send the vulnerability via a proxy such as US-CERT or SANS ISC.

✓ Hacktivism: hacking to make a political point.

Create malware → create a botnet → rent the botnet (e.g., for hacktivism)

✓ Scareware, codecs: drive-by downloads

How does a hacker start attacking?

Reconnaissance

✓ Whois: one can get the contact information for the domain.

Find out the registrar associated with the domain.

The registrar provides the details.

Sometimes the IP is part of a block of IPs; it can belong to the ISP.

Sometimes, when the contact is a person, social engineering can be played on them for reconnaissance.

P.S.: Some anonymous registrars will not publish the owner's information. This slows down the contacting process.

DNS Interrogation:

Bad guys always want as many records as possible. Zone transfers are the hacker's way to get the most out of DNS: they are meant to transfer DNS records from the primary NS to the secondary NS, but hackers abuse them to collect the DNS records. There are Perl scripts (found on BackTrack) for DNS enumeration; dig can be used for a zone transfer.

Get the name server:

#dig

Ask the name server about the domain using protocol AXFR (or IXFR):

#dig @ns1.highland- axfr

[As a security feature, most name servers have this disabled]

nslookup on Windows serves the same purpose.

Organizations usually keep secondary and tertiary name servers with the ISP, and those often support zone transfers. Send a mail to the ISP to block it.

DNS is highly critical infrastructure; always harden it.

Identification of DNS compromise:

Look for zone transfers: normal DNS uses UDP 53, while zone transfers use TCP 53.

Also a DNS response bigger than 512 bytes.

Also a DNS request bigger than 512 bytes can be a buffer overflow attack.
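An added example, not part of the original notes: a Python detector that applies the three indicators above (DNS over TCP 53, UDP responses over 512 bytes, UDP requests over 512 bytes) to tcpdump -n style lines. The capture lines are constructed for the example, and the parser handles only the simplified subset of tcpdump's output shown here:

```python
import re

# Constructed sample of "tcpdump -n" style lines seen at a DNS server at 10.0.0.53
# (not a real capture).
SAMPLE_LINES = [
    "12:00:01.000001 IP 10.0.0.5.51000 > 10.0.0.53.53: 4401+ A? www.example.com. (33)",
    "12:00:01.000500 IP 10.0.0.53.53 > 10.0.0.5.51000: 4401 1/0/0 A 192.0.2.10 (49)",
    "12:00:02.000001 IP 203.0.113.9.40000 > 10.0.0.53.53: Flags [S], seq 100, win 29200, length 0",
    "12:00:02.000300 IP 203.0.113.9.40000 > 10.0.0.53.53: Flags [P.], seq 101:132, ack 1, win 29200, length 31",
    "12:00:02.001000 IP 10.0.0.53.53 > 203.0.113.9.40000: Flags [P.], seq 1:2921, ack 132, win 227, length 2920",
    "12:00:03.000001 IP 198.51.100.7.33333 > 10.0.0.53.53: 9 A? long-label.example.com. (700)",
    '12:00:04.000001 IP 10.0.0.53.53 > 10.0.0.6.50000: 7 13/0/0 TXT "..." (640)',
]

# timestamp IP src.sport > dst.dport: <rest of the decoded packet>
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict with addresses, ports, transport and payload length, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tcp = rest.startswith("Flags [")          # tcpdump prints TCP flags for TCP segments
    if tcp:
        size = re.search(r"length (\d+)", rest)  # TCP payload length
    else:
        size = re.search(r"\((\d+)\)\s*$", rest)  # UDP DNS message length in parentheses
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "tcp": tcp, "length": int(size.group(1)) if size else 0,
    }


def detect_dns_anomalies(lines, max_udp=512):
    """Map (indicator, client_ip) -> largest length seen for that indicator."""
    findings = {}

    def note(kind, client, length):
        key = (kind, client)
        findings[key] = max(findings.get(key, 0), length)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["sport"] == 53:        # response from the server; the client is the destination
            client = rec["dst"]
        elif rec["dport"] == 53:      # request to the server; the client is the source
            client = rec["src"]
        else:
            continue
        if rec["tcp"]:
            note("dns_over_tcp", client, rec["length"])
        elif rec["sport"] == 53 and rec["length"] > max_udp:
            note("oversized_udp_response", client, rec["length"])
        elif rec["dport"] == 53 and rec["length"] > max_udp:
            note("oversized_udp_request", client, rec["length"])
    return findings


if __name__ == "__main__":
    for (kind, client), length in sorted(detect_dns_anomalies(SAMPLE_LINES).items()):
        print(f"{kind:24s} client={client:15s} max_len={length}")
```

DNS over TCP is also legitimately used for large answers, so the dns_over_tcp finding is a lead to check against the list of permitted secondaries, not proof of a zone transfer by itself.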

✓ Website searches: press releases, job openings, business partners; phishing attacks on employees.

Defences:

✓ Preparation:

Look at your own websites.

See what your employees talk about in newsgroups.

Make job opening descriptions generic.

Identify web crawler activity from the logs.

✓ Google Searches:

Johnny Long – Using Google for Penetration Testing

|phonebook: James Smith |Google provides a phone book search (US directory) |
|site: isc. |Search only within this site |
|link: wikihead. |Shows everything that links to that site |
|intitle: Honeypot Indepth |Searches for the keywords in the page title. Files on a server are sometimes listed with the title "Index", hence "site: intitle:index" |
|inurl: robots.txt |Searches for the term in URLs; helps identify critical files like the one shown |
|wikihead -malware |Discards the term malware from the search (minus) |
|+ |E.g. 'X and Y' strips out "and", so use X+and+Y |
|X.Y |The dot matches one character |
|Google Cache: |Holds an image of the website on Google's servers; helps to view deleted content on the site. P.S.: data in the Google cache can be removed using Google Webmaster Tools |
|Language Translation |Browse the website via Google Translate; you can browse anonymously (not ultimately anonymous) |
|filetype: pdf |Reports only PDF files with the given search terms |
|ext:rdp |Shows RDP files (Remote Desktop files) |

GHDB – Google Hacking Database

robots.txt lists the files or folders that should not be crawled.

[Honeypot use: check which IPs accessed a file mentioned in robots.txt; it is a malicious bot]

noindex, noarchive, nosnippet, etc. written in robots.txt can prohibit the Google bot from capturing unwanted information on the server.
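An added example (not from the notes) of the honeypot use of robots.txt: a Python script that collects the Disallow prefixes from a robots.txt file and then scans web server access log lines (combined log format) for clients that requested those decoy paths, noting whether each one fetched robots.txt first. The robots.txt and the log lines are constructed for the example:

```python
import re
from collections import defaultdict

# Constructed robots.txt (not from any real site).
ROBOTS_TXT = """\
# decoy paths: nothing real lives here
User-agent: *
Disallow: /cgi-bin/
Disallow: /private/
Disallow:
User-agent: Googlebot
Disallow: /nocrawl/
"""

# Constructed access log lines in combined log format (not real traffic).
ACCESS_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 90 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /private/ HTTP/1.1" 404 210 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /cgi-bin/test.cgi?x=1 HTTP/1.1" 404 210 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:05 +0000] "GET /privateer/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Oct/2023:14:10:00 +0000] "GET /private/docs.zip HTTP/1.1" 404 210 "http://example.test/" "Mozilla/5.0"',
]

# ip ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)


def disallowed_paths(robots_text):
    """Collect every Disallow prefix from robots.txt, regardless of User-agent group.

    Anyone can read robots.txt, so every listed prefix is a usable decoy. Empty
    Disallow lines (meaning 'allow everything') and comments are ignored, and
    wildcard syntax is not interpreted: prefixes are matched literally.
    """
    prefixes = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                prefixes.append(value)
    return prefixes


def find_robots_probers(robots_text, log_lines):
    """Return {ip: {"read_robots": bool, "hits": [paths], "agents": [user agents]}}
    for every client that requested a path under a Disallow prefix."""
    prefixes = disallowed_paths(robots_text)
    read_robots = set()
    hits = defaultdict(list)
    agents = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.group("ip"), m.group("ua") or "-"
        path = m.group("target").split("?", 1)[0]   # drop the query string
        if path == "/robots.txt":
            read_robots.add(ip)
            continue
        # Prefix match keeps "/privateer/" from matching the "/private/" decoy.
        if any(path.startswith(p) for p in prefixes):
            hits[ip].append(path)
            agents[ip].add(ua)
    return {
        ip: {"read_robots": ip in read_robots, "hits": sorted(paths), "agents": sorted(agents[ip])}
        for ip, paths in hits.items()
    }


if __name__ == "__main__":
    for ip, info in find_robots_probers(ROBOTS_TXT, ACCESS_LOG).items():
        print(ip, info)
```

A client that reads robots.txt and then walks straight into the disallowed paths is the pattern the note describes; the "read_robots" flag lets you separate those from a visitor who followed a stale link.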

User Agent Switcher: a Firefox plugin to change the User-Agent of web requests.

Google URL crawl request form: Google crawls the site again from scratch, starting at the root.


✓ SamSpade: a simple tool for whois, DNS, tracert, etc. for reconnaissance.

It has a web crawler.

wget -r [web crawling for local mirroring]

SCANNING

✓ War dialing:

Phone sweep: dial the numbers in sequence.

Nudge string: replay a pattern of signals when a modem is found (modem-style attack).

Remediation: use a modem only if a vendor has a strong requirement, and even then require strong user IDs and passwords.

Conduct a war dialing exercise.

[There are voice IPSs that detect war dialing and block calls to the modem if it is vulnerable]

As an IR member, you should have contact with a person who can tell you where a phone line ends up inside the company.

✓ NetStumbler: a good tool (the war dialing equivalent for wireless access points). If WEP is used, capturing some packets can crack the keys.

✓ Aircrack-ng: a superb tool for cracking WEP keys.

SESSION 2

✓ KARMA:

KARMA is a set of tools for assessing the security of wireless clients at multiple layers.

1. It passively sniffs 802.11 probe request packets and thereby discovers clients.

2. From the packets, it extracts what network the clients want to connect to (I guess it would be the SSID).

3. KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID

4. It starts the services ACCESS-POINT, DNS-SERVER, DHCP-SERVER, FTP-SERVER

5. When the user wants to connect to the internet via the SSID, KARMA acts as a man-in-the-middle, assigns a DHCP IP to the victim and captures all the traffic. It acts as a fake DNS and FTP server to capture credentials and returns nothing.

karma-lan.xml - "This configuration runs a rogue DHCP, DNS and HTTP services on an existing (wired) network connection. The HTTP service redirects all requests to ExampleWebExploit module that displays simple HTML page"

Usage:

cd /tools/wifi/karma-20060124

bin/monitor-mode.sh ath0

bin/karma etc/karma-lan.xml


✓ ASLEAP: exploits the Cisco LEAP protocol

The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.

The password itself is not transmitted while authenticating, but some complicated hash (blah, blah, blah) is sent over the air for authentication. The weakness: a dictionary attack against those transmitted hashes recovers WEAK PASSWORDS.


✓ A simple defense strategy employed is MAC filtering at the AP... oh, MAC addresses are spoofable.

Just sniff the MAC from packets and use it when the machine is offline.

✓ WPA2 is a stronger access authentication mechanism.

✓ Aggressive mode IKE, which is used for wireless VPN connections, is easily crackable.

It takes shortcuts to improve performance by avoiding rekeying.

IKE Aggressive Mode:

In IKE Aggressive Mode the authentication hash based on a pre-shared key (PSK) is transmitted as the response to the initial packet of a VPN client who wishes to establish an IPsec tunnel. This hash is not encrypted. A packet sniffer (e.g., tcpdump) can be used to capture these hashes, and a dictionary or brute force attack can be used against the hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on this fact, we can learn that IKE Aggressive Mode is not very secure.

Tool: IKECRACK -

Hence the tip: disable aggressive IKE.

Proof Of Concept:

✓ Cisco APs have an integrated security mechanism and can also assist by jamming the rogue machine. But this is problematic, as it can jam machines in the vicinity that belong to another company. Jamming is mostly legally banned and will not be used. I believe the other guy can sue you.

✓ There are WIPSs such as AirMagnet and AirDefense.

WIRELESS LAN Security Policies

✓ WEP shouldn't be used

✓ Disable aggressive IKE

✓ When jammers are used, put up a sign board notifying of it

Is war driving with NetStumbler legal?

Ans: It depends.

Since it sends BEACONs and receives responses. Hence it is advised to disable DHCP.

Passive sniffing is legally wrong as it might violate their privacy.

TIME: 30 MINS complete

Network Mapping:

We need to get the topology.

Cheops-NG:

It is a simple tool that maps the network using host discovery and port discovery on the machines. It uses ping and traceroute for network mapping.

Sending a traceroute packet with TTL = 1, I get the first-hop machine.

Sending a traceroute packet with TTL = 2, we get the second-hop machine.

Features:

• Host discovery - Uses ICMP ping packets

• Machine fingerprinting to determine the OS (using Nmap): runs an nmap command for OS fingerprinting.

• Use of DNS and ICMP to detect network hosts

• Network mapping - Mapping is done using UDP (or optionally ICMP) packets with small time-to-live values (traceroute and mtr, respectively)

Usage:

1. First start the Cheops agent on the machine:

#cheops-agent &

2. Connect to the Cheops agent:

#cheops-ng

3. Enter the IP of the machine on which cheops-agent is running (currently it is localhost).

4. Add a host in the workspace (just one target machine).

Recommendations

✔ Corporates usually block pings.

✔ Also block outgoing ICMP packets.
