Slide1
Intro to Ethical Hacking
MIS 5211.001
Week 9
Site:
http://community.mis.temple.edu/mis5211sec001f14/
Slide2
Tonight's Plan
Selected Questions from Mid-Term
In the news
Malware
Slide3
Mid-Term Review
Three questions seemed to give a majority of the class a problem
3 – Going too far
19 – Why target by IP
23 – TCP port open on nmap port scan
Slide4
Question 3
What phases of a penetration test would likely be considered “going too far” or passing into unethical areas?
Covering Tracks
Reconnaissance
Scanning
Exploitation
Week 1 Presentation – Slide 20 “Going too far”
Answer: Covering Tracks
Slide5
Question 19
Why is it best to target scans by IP address?
Some tools will not accept DNS names
Load Balancers may disrupt scans targeted by DNS name
The same DNS name may be used multiple times and you will not know which target is being scanned
Network admin may not allow use of DNS names
Week 4 – Slide 9
Round Robin DNS (think basic load balancing) may spread packets to different machines and corrupt your results
Slide6
Question 23
In an nmap TCP scan (-sT), how do you know if a port is open?
If connect succeeds, port is open
If SYN-ACK is received, port is open
No response – Port assumed open
If RST is received, port is open
Week 5 – Slide 26
-sT – TCP connect() scanning
Answer: If connect succeeds, port is open
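The connect() rule behind the answer above, as an added example that is not part of the lecture slides: it probes a throwaway listener on 127.0.0.1, so it runs offline, and shows that a successful connect() means open while a refused connection (RST) means closed. The function names are chosen here.

```python
# Added example (not from the lecture slides): the -sT rule "if connect()
# succeeds, the port is open", demonstrated against a throwaway listener on
# 127.0.0.1 so it runs offline.  Function names are chosen here.
import socket


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port the way an nmap -sT (connect) scan does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # full three-way handshake
            return "open"                # connect() succeeded
        except ConnectionRefusedError:
            return "closed"              # peer answered with RST
        except socket.timeout:
            return "filtered"            # no answer at all: NOT assumed open


def start_listener() -> socket.socket:
    """Bind and listen on an ephemeral loopback port (the 'open' case)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def demo() -> tuple:
    """Probe the same port while the listener is up and after it is closed."""
    srv = start_listener()
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)   # expect "open"
    srv.close()
    after_close = probe_port("127.0.0.1", port)       # expect "closed"
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())   # ('open', 'closed')
```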
Slide7
In The News
Submitted
http://www.dailyfinance.com/2014/10/21/staples-card-payment-data-breach/
http://www.technewsworld.com/story/81157.html
(Phishers find Apple tasty)
http://www.chicagotribune.com/business/breaking/chi-dairy-queen-hacked-20141010-story.html
http://www.americanbanker.com/issues/179_149/how-backoff-malware-works-and-why-banks-should-care-1069180-1.html
http://9to5mac.com/2014/10/20/chinese-government-apparently-phishing-icloud-account-info/
Slide8
In The News
Submitted
http://www.darkreading.com/google-expands-2-factor-authentication-for-chrome-gmail/d/d-id/1316821
http://www.pcworld.com/article/2836732/one-week-after-patch-flash-vulnerability-already-exploited-in-largescale-attacks.html
http://www.washingtonpost.com/news/business/wp/2014/10/21/staples-is-investigating-a-possible-data-breach/
http://www.darkreading.com/attacks-breaches/in-plain-sight-how-cyber-criminals-exfiltrate-data-via-video-/a/d-id/1316725
https://uk.news.yahoo.com/staples-alert-card-theft-hack-attack-123510760--finance.html#yhPw4Ke
Slide9
In The News
What I noted
http://www.net-security.org/malware_news.php?id=2887
(Delivering malicious Android apps hidden in image files)
http://money.cnn.com/2014/10/20/technology/security/facebook-dea/
http://martin.swende.se/blog/IP-issues.html
(Using IP law to muzzle security researchers)
http://www.nextgov.com/cybersecurity/2014/10/number-industries-getting-classified-cyberthreat-tips-dhs-has-doubled-july/96923/?oref=ng-HPtopstory
Slide10
Malware
Code used to perform malicious action
Or
Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
Slide11
What it is used for
Steal personal information
Credentials
Credit Card Numbers
Whole Identities
Ransom files
Delete files
Click fraud
Use your computer as a relay
Logic bombs
Slide12
Forms
Static (My words)
Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
Metamorphic: changes after each infection
Slide13
Kaspersky Malware Classification Tree
Source:
http://usa.kaspersky.com/internet-security-center/threats/malware-classifications#.VEcRrXl0yUk
Slide14
Some Definitions
Payload - harmful things the malicious program does, after it has had time to spread.
Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
Logic Bomb - malicious code that activates on an event (e.g., a date).
Trap Door (or Back Door) - undocumented entry point written into code for debugging that can let unwanted users in.
Slide15
Shellcode
You will see the term Shellcode used intermittently throughout the presentation
Shellcode is defined as a set of instructions injected and then executed by an exploit program – The Shellcoder’s Handbook, 2nd Edition
Derived from the original purpose of the software: to create a “Shell” at the root level
Slide16
What is a Shell
First, a shell is not a terminal
For the mathematically inclined
Shell != Terminal
What this means
Not all terminal commands will work in a shell
For instance:
Clear for clear screen
Turn Echo On or Off
CTRL-C
CTRL-D
Etc…
Slide17
More on Shell
Terminals include code and protection to interpret user input, and ensure everything works
A shell is a raw command line to send characters to, and receive characters from a system. That is, raw stdin and stdout. That’s it. It cannot interpret or catch control codes or screen commands
Slide18
Technical Types
User Mode Root Kits
Kernel Mode Root Kits
Keyloggers
Sniffers
Downloaders
HTTP C2 Channels
Slide19
User Mode Root Kits
Purpose
Attain access
Maintain access
Hide access
Operates in user mode
That is, gets injected into one or more individual processes
Slide20
What it Looks Like
Slide21
What is Happening
Rootkit intercepts data to:
Netstat
Process Explorer
Task Manager
Therefore, when a user or admin looks at these tools everything looks normal
Slide22
Two Key Infection Steps
DLL Injection (Dynamic Link Library)
Running code within the address space of another process
Malware “injects” itself (as a DLL) into another process using
SetWindowsHookEx
CreateRemoteThread / LoadLibrary
Note: These are legitimate API functions that are used by software for things like patching
API Hooking (Application Programming Interface)
Intercepting function calls, messages, or events passed between software components
Slide23
Notes on Rootkits
These methods were developed on Windows XP and earlier machines
Still possible with Vista, 7, and 8 – Just need to work a little harder
Slide24
Kernel Mode Rootkits
Injected into the Kernel, below the level of process and DLL
Runs at the highest privilege level for software
Removal likely requires reinstallation of operating system
Slide25
Keyloggers
Monitor user key strokes
Lots of bots, worms, and assorted other malware do this
Sends logs to attacker
Common methods
Hook for keyboard events
Poll keyboard state with GetAsyncKeyState()
Slide26
Sniffers
Similar to tcpdump or windump covered earlier, but now it’s malicious
Common method
Put interface into promiscuous mode
Controller passes all traffic it receives to the CPU
Other ways
Intercept network related calls
Intercept higher level functions
We’ll see this later with Browser proxies
Installing BHOs (Browser Helper Objects)
Slide27
Downloaders
Used by attackers to deliver malware in stages
Initial malware can be very small, only needs to fetch the next piece of software
Easier to obfuscate
May escape detection
Action is not malicious in and of itself
Droppers are similar, but embed the downloaded functionality in their own code
Slide28
Example Commands
URLDownloadToFile()
Download and save file to disk
ShellExecute()
Execute file
WinExec()
Execute file
Slide29
Command and Control Channels
AKA HTTP C2 Channels
Ubiquitous
Port 80 almost always open
Use port 443 and your comms are encrypted
Alternatives
IRC (Internet Relay Chat)
P2P (File Sharing)
DNS (Tunnel data over DNS)
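One defender's heuristic for the last alternative, tunnelling data over DNS, as an added example that is not from the lecture slides: it scans constructed query-log lines for parent domains that receive many distinct, long, high-entropy leftmost labels, which is what an encoded payload in subdomain names looks like. The log format, the domain names and the thresholds are assumptions made here.

```python
# Added example (not from the lecture slides): a heuristic for spotting data
# tunneled over DNS in query logs.  Tunnels carry their payload in the leftmost
# labels, so one parent domain accumulates many distinct, long, high-entropy
# subdomains.  The log lines and names below are constructed.
import math
from collections import defaultdict

# Constructed log, one query per line: "<epoch> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1413830400 10.0.0.5 A www.example.com
1413830401 10.0.0.5 A mail.example.com
1413830402 10.0.0.7 TXT q7m3zk9x2pvd8wnr5tly4hcj6bgs0fea.tun.example.net
1413830403 10.0.0.7 TXT zr4kq9dm2xw7pv3nt8ly5hcg6sbj0fea.tun.example.net
1413830404 10.0.0.7 TXT m9x2qk7zr4dp3wv8nt5lyh6cg0sbjfea.tun.example.net
1413830405 10.0.0.7 TXT k2z7qm9r4xd3pw8vn5tl6yhcg0sbjfea.tun.example.net
1413830406 10.0.0.9 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores high, ordinary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname: str, labels: int = 2) -> str:
    """'example.net' for 'x.tun.example.net' (labels counted from the right)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])


def flag_dns_tunnels(log_text: str, min_unique: int = 3,
                     min_label_len: int = 16, min_entropy: float = 3.0) -> dict:
    """Return {parent_domain: number of distinct suspicious leftmost labels}
    for parents that received at least min_unique long, high-entropy labels."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip malformed lines
        qname = fields[3]
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            seen[parent_domain(qname)].add(label)
    return {d: len(s) for d, s in seen.items() if len(s) >= min_unique}


if __name__ == "__main__":
    print(flag_dns_tunnels(SAMPLE_LOG))   # {'example.net': 4}
```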
Slide30
Approaches
Reverse shell over HTTP (Port 80)
Embedded in regular HTTP traffic
Disguised like normal user traffic
Slide31
Infection Channels
MS Office Files
PDF Files
Flash
JavaScript
Lots more, but these are the ones we will talk about
Slide32
MS Office Files
Why Office
Everybody is using it
Files freely passed around and not unexpected
Parsing binary Office format is difficult
Robust embedded scripting language (VBA)
You can even hook Apple products
Source for Graphic:
http://www.motionvfx.com/mblog/microsoft_office_coming_for_ipad_as_well_as_a_new_desktop_version_for_lion!,p960.html
Slide33
Techniques
Embedded Shellcode
Exploits vulnerability in office software
No user interaction required
Embedded VBA Script
Executes on document open
May require user to click OK or “Enable Content”
Note about VBA – The term Macro is misleading. It implies it is for basic scripting. Today, VBA is a full-fledged language.
Slide34
Adobe PDF
Why PDF
Everybody is using it
Files freely passed around and not unexpected
PDF Format
Proprietary(ish)
Used to be proprietary; now published by ISO as ISO/IEC 32000-1:2008
Feature rich
Can include active content
JavaScript
ActionScript via Flash
Objects
And finally
New vulnerabilities found regularly
Slide35
More Adobe PDF
High profile attack target
http://www.darkreading.com/vulnerabilities---threats/report-sixty-percent-of-users-are-running-unpatched-versions-of-adobe/d/d-id/1136022
6 in 10 installs of Adobe Reader are out of date
Complex structure
Easily obfuscated
Need software tools to open and understand
Even AV vendors have problems keeping an eye on this
Slide36
Where are the Vulnerabilities
Parser components
JavaScript and ActionScript
Embedded Shellcode executes by exploiting these vulnerabilities
Slide37
Flash
Ubiquitous on websites
New vulnerabilities weekly (at least that’s how it feels)
So bad that Apple, and now Kindle, will not allow Flash to be installed without jailbreaking the devices
Slide38
More Flash
Uses the SWF file format
See:
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/swf/pdf/swf-file-format-spec.pdf
Supports ActionScript language for scripting, including legacy support for older versions of ActionScript
Slide39
Flash Vulnerabilities
Client Side
Flash Parameter Injection
Inject parameters when Flash object is embedded in an HTML page
Cross Domain Privilege Escalation
Access and modify DOM
Cross Site Scripting
Access and modify DOM
Cross Site Flashing
Call another Flash object from Flash
Slide40
JavaScript
Just a teaser at this point
JavaScript is a primary infection path with web site based attacks
Used for:
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Direct Delivery
Downloaders
Droppers
Keyloggers
And anything else you want
Slide41
More JavaScript
JavaScript based attacks are frequently heavily obfuscated with multiple layers of encryption, obfuscation, encoding, and false flags
Attackers will “buy” ad space and put up legitimate looking ads on legitimate sites
Since ads are rotated, infection is inconsistent and difficult to pin down
Slide42
Testing AV
During Penetration Tests a tester may be asked to verify that the AV suite is working
You don’t want to actually send malware
What do you do?
Answer
EICAR
http://www.eicar.org/86-0-Intended-use.html
Slide43
EICAR
EICAR is an Anti-Malware Test File
Originally developed by Paul Ducklin
All major AV vendors will flag this file if properly installed and configured
Tester can simply send the file in via the normal channel being tested and then confirm that the AV suite correctly identified and blocked the file.
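The EICAR check described above, as an added example that is neither the lecture's nor eicar.org's own code: it writes the test file and validates a copy read back from disk against the length and trailing-whitespace rules EICAR publishes, and returns the file's hash so the tester can match it against the AV alert. The file name and function names are chosen here.

```python
# Added example (not from the lecture slides): build the EICAR test file
# and check a received copy against the rules published at eicar.org:
# the 68-byte string comes first, anything after it must be whitespace
# (space, tab, LF, CR, CTRL-Z), and the whole file is at most 128 bytes.
import hashlib
import os
import tempfile

# The signature is split in two so that this source file itself is not
# quarantined by scanners that match on the contiguous string.
_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
          "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = "".join(_PARTS).encode("ascii")        # exactly 68 bytes
_ALLOWED_TRAILER = b" \t\n\r\x1a"


def is_eicar(data: bytes) -> bool:
    """True if data is a valid EICAR test file under the published rules."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    trailer = data[len(EICAR):]
    return all(b in _ALLOWED_TRAILER for b in trailer)   # bytes -> ints


def write_test_file(directory: str) -> tuple:
    """Drop eicar.com into directory; return (path, sha256) so the tester can
    match the hash in the AV alert against what was actually sent."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as fh:
        fh.write(EICAR)
    return path, hashlib.sha256(EICAR).hexdigest()


def roundtrip() -> bool:
    """Write the file to a temp dir and validate what comes back from disk."""
    path, _digest = write_test_file(tempfile.mkdtemp())
    with open(path, "rb") as fh:
        return is_eicar(fh.read())


if __name__ == "__main__":
    print(len(EICAR), roundtrip())   # 68 True
```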
Slide44
Odds and Ends
I’m malware, where do I hide
Inside other executables
Inside data files
In Alternate Data Streams (ADS)
On the hard drive, but outside of the file system
In BIOS
Slide45
Detection
Malware in executables and data files can be detected if you know what good is supposed to look like
Malware also leaves markers in the file system that can be detected
Commercial tools like Mandiant, FireEye, and others can pick these up
Worth noting: FireEye bought Mandiant
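The "know what good looks like" idea on this slide, as an added example that is not from the lecture or any of the named vendors' tools: hash a known-clean tree into a baseline, then diff a later snapshot against it to surface added, modified and removed files. The directory contents and the tampering are constructed in a temp directory.

```python
# Added example (not from the lecture slides): "know what good looks like"
# as code.  A SHA-256 baseline is taken from a known-clean tree and a later
# snapshot is diffed against it to surface added, modified and removed
# files.  The tree, its contents and the tampering are constructed.
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map each file (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the known-good baseline and now."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root: str, rel: str, content: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and report the diff."""
    root = tempfile.mkdtemp()
    _write(root, "bin/app.exe", b"MZ original program bytes")
    _write(root, "readme.txt", b"clean notes")
    good = hash_tree(root)                        # the known-good snapshot
    _write(root, "bin/app.exe", b"MZ original program bytes + injected code")
    _write(root, "bin/dropped.dll", b"dropped payload")   # new file
    os.remove(os.path.join(root, "readme.txt"))            # deleted file
    return compare(good, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```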
Slide46
Alternate Data Stream (ADS)
Compatibility feature of NTFS
Part of file system, but not part of file system
Originally created to allow NTFS to handle Apple file attributes that were stored outside of the file structure
Creates an “Off Book” location to store data and/or executables that will not be seen via file commands or through GUI folder tools
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Alternate_Data_Streams.html
Slide47
Hard Drive
Not all space on the drive is consumed by the file system
Vendors sometimes use this space to keep configuration information or recovery files
Attackers can use the space as well
Caution: While tools exist to read and write to raw space, writing is extremely dangerous as you can render the file system useless.
Slide48
BIOS
Firmware installed on motherboard that instructs CPU how to turn on
What drive to boot from
Is there a password to just turn on
Other hardware has similar firmware
Graphics Cards
Network Cards
Other specialty boards
Slide49
What is Firmware
Firmware is rewritable code in a chip or other piece of hardware that retains its code even without power
It only changes when specific external commands are given to update or overwrite it
Slide50
Impact of BIOS Malware
Malware can withstand a complete re-image of the file system
Replacing the hard drive will not mitigate
Since it is in place at boot time, before the kernel ever starts, it can re-infect
Slide51
Next Week
Readings and Articles as usual
We will be covering Web Application Hacking
Intercepting Proxies
URL Editing
Slide52
Questions?