CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Hacker’s Perspective http://www.thc.org/papers/COVER-1.TXT
Backdoor – a way for an attacker to get back into a network or system without being detected. The attacker wants to maintain access by hiding the fact that he was ever there.
Four areas that an attacker is concerned with when covering their tracks:
- Log files – audit trails that list who gained access and for how long (and possibly what they did and what files they accessed)
- File information – since attackers normally have to modify key system files, the information for these files (date and file size) tends to change
- Additional files – the attacker usually loads additional files onto the system, which can take a large amount of space
- Network traffic – if an IDS is used, the attacker has to find and eliminate the IDS records or mask his traffic to appear to be normal network traffic
Log Files
Provide a listing of exactly what is done on the system and by whom.
- Logging has to be turned on and checked
- The attacker can delete the entire log file, but this will raise a red flag to the administrator
- The attacker can edit the log files and delete only the entries for what the attacker did
Linux Log Files
/etc/syslog.conf – main configuration file for the syslogd daemon that controls logging on
/var/run/utmp
- Tracks who is currently logged into the system
- An entry is added when a user logs in and removed when the user logs out
- Binary file that cannot be read directly, only through common programs that come with the OS: who, users, and finger
Linux Log Files
/var/log/wtmp
- Tracks all users who have logged in and logged out of the system
- Can be created manually if not created by login
- An entry is added when a user logs in and updated when the user logs out
- The file can grow rapidly on busy systems, so daily or weekly rotation is recommended
- Binary file that can be read with the programs last and ac
/var/log/btmp
- Records bad logon attempts
- Can be created manually if not created by login
- Combine its results with those from wtmp to see whether an attacker gained access after a failed attempt
- Binary file that can be read with the lastb program
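The slides say wtmp and btmp are binary files readable only through last, ac and lastb, and that the two should be combined to spot a failed attempt followed by a successful login. The following Python is an added example, not part of the lecture: it decodes the record format itself, assuming the glibc x86_64 struct utmp layout (384-byte records, little-endian, as documented in utmp(5)), flags records that have been blanked in place (a common trace of log-cleaning tools), and pairs btmp failures with a later wtmp login by the same user from the same host. All sample records below are constructed in the script; on a real host you would read /var/log/wtmp and /var/log/btmp as root.

```python
import struct
from datetime import datetime, timezone

# struct utmp on Linux/glibc x86_64 (assumed layout, see utmp(5)): 384 bytes.
# Field order: ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host,
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6, reserved.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list:
    """Decode a utmp/wtmp/btmp byte string into a list of record dicts."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length is not a multiple of %d: truncated or damaged file" % UTMP_SIZE)
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def zeroed_records(recs: list) -> list:
    """Indices of all-empty records. Cleaning tools usually blank an entry
    rather than shrink the file, which leaves a hole like this in the middle."""
    return [i for i, r in enumerate(recs)
            if r["type"] == EMPTY and not r["user"] and r["time"] == 0]


def failures_followed_by_login(btmp: list, wtmp: list, window: int = 600) -> list:
    """(user, host, login_time, failure_count) for every successful wtmp login
    preceded, within `window` seconds, by failed btmp attempts from the same host."""
    logins = [r for r in wtmp if r["type"] == USER_PROCESS]
    counts = {}
    for fail in btmp:
        for ok in logins:
            same_origin = (ok["user"], ok["host"]) == (fail["user"], fail["host"])
            if same_origin and 0 <= ok["time"] - fail["time"] <= window:
                key = (ok["user"], ok["host"], ok["time"])
                counts[key] = counts.get(key, 0) + 1
                break
    return sorted((u, h, t, n) for (u, h, t), n in counts.items())


def _rec(ut_type, pid, line, user, host, ts) -> bytes:
    """Build one record; used only to construct the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"", b"")


# Constructed sample files (addresses are documentation ranges, timestamps arbitrary).
T0 = 1_700_000_000
SAMPLE_BTMP = b"".join(_rec(USER_PROCESS, 4100 + i, "ssh:notty", "alice", "203.0.113.7", T0 + 5 * i)
                       for i in range(4))
SAMPLE_WTMP = b"".join([
    _rec(USER_PROCESS, 4200, "pts/0", "alice", "203.0.113.7", T0 + 30),
    _rec(USER_PROCESS, 4300, "pts/1", "bob", "192.0.2.10", T0 + 120),
    bytes(UTMP_SIZE),                                  # entry blanked by a cleaning tool
    _rec(DEAD_PROCESS, 4200, "pts/0", "", "", T0 + 900),  # alice's logout
])


def _fmt(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    wtmp, btmp = parse_utmp(SAMPLE_WTMP), parse_utmp(SAMPLE_BTMP)
    for r in wtmp:
        print("%-6s %-8s %-14s %s" % (r["user"] or "-", r["line"] or "-", r["host"] or "-", _fmt(r["time"])))
    print("blanked wtmp records at indices:", zeroed_records(wtmp))
    for user, host, t, n in failures_followed_by_login(btmp, wtmp):
        print("%s from %s logged in at %s after %d failed attempts" % (user, host, _fmt(t), n))
```

The window value is a tuning knob; the check is deliberately simple so that it can be re-run against rotated copies of wtmp and btmp kept on the separate log server described later in the chapter.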
Linux Log Files
/var/log/messages
- Syslog is a utility for tracking and logging all manner of system messages, from the merely informational to the extremely critical, and can be configured to put most of the messages in the file /var/log/messages
- File is ASCII text and can be looked at with the more, cat, and grep commands
/var/log/secure
- Used to log any attempts to log in as root and attempts to use the su command. This file also contains information on attempts to connect from remote systems and failed attempts to log in as root.
- File is ASCII text and can be looked at with the more, cat, and grep commands
Programs Available to Clean Up Log Files
Available from:
http://www.packetstormsecurity.org/unix-exploits/log-tools/
http://www.dsinet.org/tools/logutils/
Protecting UNIX Log Files
- Set proper permissions on log files – read and write access should be limited to root
- Use a separate server: store your log files on a separate server
- Use honey pots
Honey pots are one of the newest methods used in intrusion detection. The idea behind a honey pot is to set up a "decoy" system that has a non-hardened operating system or one that appears to have several vulnerabilities for easy access to its resources.
The decoy system should be set up in a similar manner to the production servers in the corporation and should be loaded with numerous fake files, directories, and other information that may look real.
By making the honey pot appear to be a legitimate machine with legitimate files, it leads the hacker to believe that they have gained access to important information.
- Make regular backups of the log files – back up to several places across the network and some on removable media
- Use write-once media
- Encrypt the log files
- Review the log files on a regular basis
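The protections above (separate log server, write-once media, regular review) all aim at the same thing: an attacker who edits or deletes individual entries must not be able to do so unnoticed. The Python below is an added example, not from the lecture, showing one mechanism that gives a reviewer that guarantee: each appended entry extends a SHA-256 hash chain, and the current chain head is the only value that needs to reach the separate server or the write-once media. The seed, log messages and the "shipped checkpoint" are all constructed in the script.

```python
import hashlib

# Constructed seed. In practice this is a random value recorded off-box when
# the log is opened; the chain head is then periodically shipped the same way.
SEED = "constructed-seed-0001"


def chain_head(prev_head: str, message: str) -> str:
    """Head after appending `message`: SHA-256(prev_head || "\\n" || message)."""
    return hashlib.sha256((prev_head + "\n" + message).encode("utf-8")).hexdigest()


def append_entry(log: list, head: str, message: str) -> str:
    """Append one line and return the new chain head."""
    log.append(message)
    return chain_head(head, message)


def verify(log: list, seed: str, trusted_head: str) -> bool:
    """Recompute the chain from the seed and compare with the head that was
    stored off-box. Any deleted, inserted or edited line changes the result."""
    head = seed
    for message in log:
        head = chain_head(head, message)
    return head == trusted_head


# Constructed syslog-style lines.
SAMPLE_LINES = [
    "Oct  3 10:01:02 host sshd[411]: Accepted password for alice from 203.0.113.7 port 51022 ssh2",
    "Oct  3 10:01:05 host su: (to root) alice on pts/0",
    "Oct  3 10:03:44 host sshd[412]: Failed password for root from 198.51.100.9 port 40112 ssh2",
    "Oct  3 10:04:10 host sshd[413]: Accepted publickey for bob from 192.0.2.10 port 50311 ssh2",
]


def demo() -> dict:
    """Build the chain, checkpoint the head, then try the edits an attacker
    would make to a local copy and see whether each is detected."""
    log, head = [], SEED
    for line in SAMPLE_LINES:
        head = append_entry(log, head, line)
    checkpoint = head  # value that was shipped to the log server / WORM media

    deleted = log[:1] + log[2:]            # the su-to-root entry removed
    edited = list(log)
    edited[0] = edited[0].replace("alice", "mallory")   # attribution changed
    truncated = log[:3]                    # last entry chopped off

    return {
        "intact": verify(log, SEED, checkpoint),
        "entry_deleted": verify(deleted, SEED, checkpoint),
        "entry_edited": verify(edited, SEED, checkpoint),
        "truncated": verify(truncated, SEED, checkpoint),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-14s %s" % (name, "chain verifies" if ok else "TAMPERING DETECTED"))
```

An attacker with root can of course recompute the chain over an edited file; what they cannot do is change the checkpoint that already left the machine, which is why the head, not the whole log, is what must be written somewhere the attacker cannot reach.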
System 2000 Logging
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/03w2kadb.mspx
File Information
When an attacker puts in a backdoor he has to modify some key system files.
If a file came with the base OS then it should not be modified in the course of using the system – check the modified date.
Some rootkits have utilities built in to modify file information.
Protection against: create a cryptographic hash of each file – Tripwire
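The point of the Tripwire approach is that a modified date can be reset by a rootkit utility, but a cryptographic hash of the content cannot be made to match. The Python below is an added example of that check, not Tripwire's own code: it records SHA-256, size and modification time for every file under a directory, compares a later snapshot against the baseline, and reports separately the files whose content changed while the timestamp was put back to its original value. The directory and files are constructed in a temporary folder; the names "bin_ls", "etc_passwd" and "dot_hidden" are placeholders for real system paths.

```python
import hashlib
import os
import tempfile


def fingerprint(path: str) -> dict:
    """Content hash plus the cheap attributes; the hash is the part a
    timestamp-resetting tool cannot fake."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def build_baseline(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                base[os.path.relpath(full, root)] = fingerprint(full)
    return base


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots. 'modified_mtime_intact'
    lists files whose bytes changed but whose mtime still matches the baseline,
    the signature of a file that was replaced and then had its dates restored."""
    report = {"added": [], "removed": [], "modified": [], "modified_mtime_intact": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old["sha256"] != new["sha256"]:
            report["modified"].append(path)
            if old["mtime_ns"] == new["mtime_ns"]:
                report["modified_mtime_intact"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario: baseline two files, replace one with same-length
    content and restore its timestamps, and drop an extra file into the tree."""
    with tempfile.TemporaryDirectory() as root:
        ls_path = os.path.join(root, "bin_ls")
        with open(ls_path, "wb") as f:
            f.write(b"original program bytes")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)

        st = os.stat(ls_path)
        with open(ls_path, "wb") as f:
            f.write(b"trojaned program bytes")        # same length as the original
        os.utime(ls_path, ns=(st.st_atime_ns, st.st_mtime_ns))  # dates put back
        with open(os.path.join(root, "dot_hidden"), "wb") as f:
            f.write(b"dropped tool")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-22s %s" % (kind, ", ".join(paths) or "-"))
```

Size and mtime are kept in the baseline only as quick hints; a real deployment stores the baseline itself off the host (or on write-once media), since a baseline the attacker can rewrite proves nothing.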
Additional Files
The attacker uploads tools to the victim's site so he has access to them when needed.
The attacker tries to hide the fact that additional files have been added by:
- Setting the hidden attribute for a file
- Renaming the files
- Creating hidden partitions or shares
- Modifying the free space utility
Additional Files
Use steganography tools – the art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.
http://www.stegoarchive.com/ THC Steganographic Challenge
Additional Files
Protection Against – Know what’s on your system
Run software such as Tripwire
Covering Tracks on the Network
The attacker will either try to hide their traffic or make it look like other traffic on the network.
Loki – http://www.phrack.org/show.php?p=49&a=6 http://windowsecurity.com/pages/article_p.asp?id=688
Reverse WWW Shell – malicious code attacks via HTTP http://www.thc.org/papers/fw-backd.htm
Covert TCP – http://www.securityfocus.net/tools/1475