system hacking

hacking cycle
1 enumeration
list the users
2 cracking passwords
obtain the user passwords
3 escalating privileges
elevate from a user account to admin rights; the goal is to be able to run more programs
4 executing applications
run keylogging, spyware, etc. to record the admin's usage habits, and keep access to the machine for the next entry into the system
5 hiding files
hide the malicious program, ex: using the NTFS ADS feature
6 covering tracks
7 steganography

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………

escalating privileges

privilege assignment recommendations:
least possible privileges: the smallest set of rights
just enough privileges: exactly the minimum needed, no more
first disable all of the account's privileges, then enable them as needed following the least-privilege principle

privilege setting tool:
cacls.exe

recommendations for preventing unauthorized privilege escalation:
restricting interactive logons
require that users cannot use cmd.exe to access system programs
auditing success/failure, including account logon events, privilege use, system events

if the attacker has access to a w2k sp1 server
ERunAs2X.exe can be used to escalate his/her privileges to that of SYSTEM by using "nc.exe -l -p 50000 -d -e cmd.exe"
ps:this can also be used remotely

ps: when a Windows system shell is obtained through a vulnerability, the default privilege is LocalSystem

if the attacker is already inside the Windows system
1 booting to an alternate OS: ex: NTFSDOS, Microsoft's mini system
2 backup SAM from the repair directory: the SAM backup file is stored in %systemroot%\repair
3 extract the hashes from the SAM: use L0phtCrack to crack the SAM
ps
the SAM file stores the usernames and passwords of Windows NT/2000
the SAM file is located at %systemroot%\system32\config
while the OS is running, the SAM file is locked

privilege escalation tool:

active@password changer
works on Windows XP/2003/2000/NT

x.exe
features: small file, uses buffer overflow exploits
operation: creates an "x" account and places it in the Administrators group
ps: 1 it must be run under administrator privileges, 2 one must find a way to have an account with administrator privileges run it
typical use: embed this file inside another file, then get someone else to run it

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………

executing applications

tool
psexec: part of the PsTools suite; can execute programs remotely
remoexec: can execute programs remotely; graphical
ras n map
alchemy remote executor: executes programs remotely
emsa flexinfo pro

keystroke loggers tool

software tool
e-mail keylogger: sc-keylog; also records copy-pasted data; can be installed remotely; can report back via email
revealer keylogger
handy keylogger
ardamax keylogger
powered keylogger
elite keylogger
quick keylogger
spy-keylogger
perfect keylogger: supports more platforms, including Mac; also supports screenshots
invisible keylogger
actual spy
spytector ftp keylogger: targets FTP
iks software keylogger
ghost keylogger: reports captured data in real time whenever there is a network connection

hardware tool
hardware keylogger
keyboard keylogger
usb keylogger
ps: insiders have a greater opportunity to use these

spyware
used to obtain the following data
keystrokes
email messages
chat
websites visited

tool
spector: records user behavior
remotespy
spytech spyagent: graphical interface
oo7 spy software
spybuddy: records network activity
acespy
keystroke spy
activity monitor
eblaster: records related behavior patterns
stealth voice recorder: can record audio periodically and report back via email
stealth keylogger
stealth website logger
digi-watcher video surveillance: can record video
desktop spy screen capture program: full desktop recording, can take screenshots, and stores them remotely
telephone spy: records IP phone calls
print monitor spy tool: monitors printer status
stealth email redirector
wiretap professional
flexispy
pc phonehome: reports its IP address when it comes online

countermeasures tool
anti-keylogger
advanced anti keylogger
privacykeyboard: inserted between the keyboard and the system
spy hunter-spyware remover
spy sweeper:detects and removes more traces of spyware including trojans,adware,keyloggers,system monitoring tool
spyware terminator
wincleaner antispyware

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………

hiding files

attrib: sets the hidden attribute
rootkit: blocks what the system reports, achieving concealment
ntfs ads

attrib example
ex:
ATTRIB +S +H file
ATTRIB +H C:\file

rootkit
hide processes from the process list, can hide files, registry entries, and intercept keystrokes.
primary objective of a rootkit: it replaces legitimate programs

mainly techniques for hiding files, processes, and system logs, plus interception/eavesdropping techniques such as packet capture and keyloggers
rootkit techniques hide other programs' processes, files, network communication, and related information by modifying the OS's data structures
ex:
modifying the OS's EPROCESS linked list can hide processes
hooking the system service call table can hide files and directories
hooking the interrupt descriptor table can capture keyboard input
ps:
many trojans use these techniques, so a trojan can also be regarded as a kind of rootkit
the term rootkit first appeared on Unix. To gain root privileges or erase intrusion records, attackers would recompile some command-line tools (also called a kit), such as remade ps, netstat, passwd, etc.
rootkits are more troublesome on Unix systems, because on Unix the kernel itself can be swapped out; it can be replaced with a kernel containing the rootkit, which is hard to detect

rootkit tool
fu
afx
nuclear
vanquish

rootkit countermeasures
back up data regularly
keep a record at installation time
use patchfinder
use rootkitrevealer

rootkit detection tool:
blacklight
rootkitrevealer
malicious software removal tool
PC Hunter
GMER
Rootkit Unhooker
IceSword
Kernel Detective
XueTr

summary of common rootkit detection functions:
Hidden processes, hidden DLLs, hidden threads, hidden kernel drivers, hidden services, hidden files, and hidden Registry keys
Alternate data stream
Import Address Table (IAT) hooks, Export Address Table (EAT) hooks, and inline hooks
System Service Dispatch Table (SSDT) hooks
Interrupt Descriptor Table (IDT) hooks
Hooked I/O Request Packet (IRP) routines in kernel drivers
Suspicious modifications of the Master Boot Record (MBR)
Suspicious layered drivers or attached devices
Drivers whose entry points land in suspicious PE sections, such as the .rsrc section. This indicates a rootkit may have patched the driver on disk.
Processes with mismatched section permissions (for example, an executable .rdata section)
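
The last two indicators in the list above (entry point in a non-code section such as .rsrc; an executable .rdata) can be checked on an on-disk image with a small PE header walk. The following is an added example, not code from any of the tools named on this page; the `build_pe` helper only fabricates header-only test images so the check can be exercised without a real driver, and the constant names follow the Windows SDK section flags.

```python
"""Check two rootkit indicators on a PE image:
(1) the entry point lands in a non-code section such as .rsrc, and
(2) a data section (.rdata/.data/.rsrc) is marked executable.
Pure-Python walk of the DOS/COFF/section headers; no third-party modules."""
import struct
import sys
from collections import namedtuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
DATA_SECTION_NAMES = {".rdata", ".data", ".rsrc"}

Section = namedtuple("Section", "name vaddr size characteristics")


def parse_pe(pe):
    """Return (entry_point_rva, [Section, ...]) from raw PE bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        # some linkers leave VirtualSize at 0; fall back to SizeOfRawData
        sections.append(Section(name, vaddr, vsize or rawsize, chars))
    return entry, sections


def section_findings(pe):
    """Return a list of findings (empty list = nothing suspicious)."""
    entry, sections = parse_pe(pe)
    findings = []
    home = next((s for s in sections if s.vaddr <= entry < s.vaddr + s.size), None)
    if home is None:
        findings.append(f"entry point 0x{entry:x} is outside every section")
    elif home.name == ".rsrc" or not home.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point 0x{entry:x} lands in non-code section {home.name}")
    for s in sections:
        if s.name in DATA_SECTION_NAMES and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"data section {s.name} is marked executable")
    return findings


def build_pe(sections, entry):
    """Constructed fixture: a header-only PE32 image (no real code inside)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * 76
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"),
                    s.size, s.vaddr, s.size, 0, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return dos + b"PE\0\0" + coff + opt + table


_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# constructed samples: a normal layout and one that looks patched on disk
CLEAN = build_pe([Section(".text", 0x1000, 0x1000, _CODE),
                  Section(".rdata", 0x2000, 0x800, _DATA),
                  Section(".rsrc", 0x3000, 0x400, _DATA)], entry=0x1100)
PATCHED = build_pe([Section(".text", 0x1000, 0x1000, _CODE),
                    Section(".rdata", 0x2000, 0x800, _DATA | IMAGE_SCN_MEM_EXECUTE),
                    Section(".rsrc", 0x3000, 0x400, _DATA | IMAGE_SCN_MEM_EXECUTE)],
                   entry=0x3050)

if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            for line in section_findings(fh.read()) or ["no findings"]:
                print(f"{path}: {line}")
```

Run it against a .sys or .exe path to check the file on disk; the same header logic applies to a process image dumped from memory, which is where the "mismatched section permissions" item on the list is normally observed.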

If a rootkit is discovered
you will need to reload from known good media. This typically means performing a complete reinstall.

ADS (alternate data streams)
works on the NTFS file system
can hide files
attaches file a to file b, and the size of file b stays unchanged

how to create an NTFS stream
1 to move the contents of trojan.exe into readme.txt
ex: type c:\trojan.exe > c:\readme.txt:trojan.exe
2 to execute the trojan.exe inside readme.txt
ex: start c:\readme.txt:trojan.exe
3 extract the trojan.exe from readme.txt
ex: cat c:\readme.txt:trojan.exe > trojan.exe

ADS countermeasures
do not use NTFS; use FAT

ntfs stream detectors tool:
ads spy
ads tools
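
Switching to FAT is rarely an option, so the practical countermeasure is to enumerate streams and look for anything beyond the default `::$DATA`. The following is an added example, not code from ADS Spy or the other detectors listed; it calls the Win32 `FindFirstStreamW`/`FindNextStreamW` API through ctypes (so `list_streams` is Windows-only), and the stream names fed to `alternate_streams` in the usage are constructed.

```python
"""List NTFS alternate data streams on a file (Windows only) and pick out
the non-default ones. Defender-side check."""
import ctypes
import sys
from ctypes import wintypes

FIND_STREAM_INFO_STANDARD = 0   # STREAM_INFO_LEVELS value for FindFirstStreamW
ERROR_HANDLE_EOF = 38           # FindNextStreamW sets this when no streams remain
DEFAULT_STREAM = "::$DATA"      # the unnamed stream every NTFS file has


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (wintypes.MAX_PATH + 36))]


def alternate_streams(stream_names):
    """Filter raw stream names down to the alternate (non-default) ones.
    Pure function, so it also works off-Windows on captured output."""
    return [s for s in stream_names if s != DEFAULT_STREAM]


def list_streams(path):
    """Enumerate every stream of `path` via FindFirstStreamW/FindNextStreamW.
    Returns [(stream_name, size_in_bytes), ...]. Windows only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int,
                                     ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [wintypes.HANDLE]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == ctypes.c_void_p(-1).value:   # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return streams


if __name__ == "__main__":
    # usage: python ads_check.py C:\path\readme.txt [more files...]
    for target in sys.argv[1:]:
        names = [name for name, _ in list_streams(target)]
        for name in alternate_streams(names):
            print(f"{target}{name}  <- alternate data stream")
```

A stream name of `:trojan.exe:$DATA` on readme.txt is exactly what the `type ... > readme.txt:trojan.exe` step above produces. Not every alternate stream is hostile: `:Zone.Identifier:$DATA` is the mark-of-the-web that browsers attach to downloads, so triage by name and size rather than by mere presence. Without a script, `Get-Item -Path <file> -Stream *` in PowerShell and `dir /r` in cmd.exe show the same information.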

usb dumper:hacking tool

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………

steganography

hiding of a secret message within an ordinary message and the extraction of it at its destination
usually hidden in images

steganography tool:
highly tool-specific: data hidden with a given tool can only be extracted by that same tool
merge streams: merges text with another file; can only merge Word and Excel files
invisible folders: select a file to hide
invisible secrets: hide file and unhide file, plus other functions
image hide
stealth files
steganography
masker steganography tool
hermetic stego
dcpp
camera/shy: hides in GIF
www.spammimic.com: online tool, hides text
mp3stego: uses the music format
snow.exe: hides the data on CDs and USB flash drives
fortknox
blindside
s-tools
steghide
steganos
pretty good envelope
gifshuffle
jphide,jpseek
wbstego
outguess
data stash
hydan
cloak
steganote
stegomagic
steganos security suite
sams big play maker
video steganography: puts data into video

detect steganography
steganalysis tools
stegdetect: detects data hidden in images
sids(stego intrusion detection system)
high level view
stego watch-steg
stegspy
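
One steganalysis check that needs no special tool is to look for bytes appended after an image's end-of-image marker, the simplest way a file gets "merged" into a picture. The following is an added example, not code from stegdetect or any tool above; the sample PNG and JPEG are constructed in the block (a 1x1 gray PNG and a minimal JPEG skeleton). It only catches append-style hiding; LSB-embedding tools such as those in the list leave nothing after the marker and need statistical tests instead.

```python
"""Steganalysis heuristic: report bytes appended after the end-of-image marker
of a PNG (IEND chunk) or JPEG (EOI, FF D9)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_end(data):
    """Offset just past the IEND chunk, or None if the chunk walk fails."""
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, off)
        off += 12 + length                # length + type + payload + CRC
        if ctype == b"IEND":
            return off
    return None


def _jpeg_end(data):
    """Offset just past EOI, walking marker segments and skipping scan data."""
    off = 2                               # past SOI (FF D8)
    while off + 1 < len(data):
        if data[off] != 0xFF:
            return None                   # expected a marker here: malformed
        marker = data[off + 1]
        if marker == 0xD9:
            return off + 2                # EOI
        if marker == 0xFF:                # fill byte before a marker
            off += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            off += 2                      # stand-alone markers (TEM, SOI, RSTn)
            continue
        off += 2 + struct.unpack_from(">H", data, off + 2)[0]
        if marker == 0xDA:                # SOS: skip entropy-coded data
            while off + 1 < len(data):
                nxt = data[off + 1]
                if data[off] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                 # a real marker, not stuffing or RSTn
                off += 1
    return None


def trailing_data(data):
    """Return (format, bytes_after_end). Raises ValueError if unparseable."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", _png_end(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", _jpeg_end(data)
    else:
        raise ValueError("not a PNG or JPEG")
    if end is None:
        raise ValueError(f"could not find the end-of-image marker in {fmt}")
    return fmt, data[end:]


# --- constructed samples -----------------------------------------------------
def _png_chunk(ctype, payload=b""):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter + 1 pixel
              + _png_chunk(b"IEND"))
# SOI, an empty SOS segment, a few scan bytes with one FF00 stuffing, EOI
SAMPLE_JPEG = b"\xff\xd8" + b"\xff\xda\x00\x02" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"

if __name__ == "__main__":
    for name, img in (("clean png", SAMPLE_PNG), ("png+payload", SAMPLE_PNG + b"hidden")):
        fmt, extra = trailing_data(img)
        print(f"{name}: {fmt}, {len(extra)} trailing byte(s)")
```

Feed `trailing_data()` the bytes of any suspect image; a non-empty second element is worth a closer look (some cameras and editors do append benign metadata, so inspect the bytes before calling it a payload).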

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………

covering tracks
disabling auditing
ex:auditpol
clearing event log
ex:dumpel

windows log
security log: %winsystem%\system32\config\SecEvent.evt
ps: brute-force attempts show up in SecEvent.evt
application log: %winsystem%\system32\config\AppEvent.evt
system log: %winsystem%\system32\config\SysEvent.evt

tool
elsave.exe: can clear log files
winzapper
evidence eliminator: clears history records; can do a very thorough wipe
traceless: targets web browsing history
tracks eraser pro
armor tools
zerotrack
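
Disabling auditing and clearing the event log both leave their own footprints, which is what a detection rule for this section should key on. The following is an added example, not code from any tool on this page; the event records are constructed, and the event IDs are the standard Windows Security/System ones (1102 audit log cleared, 104 log cleared, 4719 audit policy changed, 4688 process creation) in the numbering used since Windows Vista, so the NT/2000 .evt logs listed above would need the older IDs.

```python
"""Detect the footprints of 'covering tracks' in Windows event data:
log-clear events, audit-policy changes, and launches of auditpol/wevtutil."""
import re

# (Channel, EventID) -> meaning
TAMPER_EVENTS = {
    ("Security", 1102): "Security log cleared (logged as the first entry of the new log)",
    ("System", 104): "System or Application log cleared",
    ("Security", 4719): "system audit policy changed",
}
# process-creation (4688) image names that usually accompany these actions
TAMPER_TOOLS = re.compile(r"\\(auditpol|wevtutil)\.exe$", re.IGNORECASE)


def classify(event):
    """Return a reason string if the event looks like log tampering, else None."""
    key = (event["Channel"], event["EventID"])
    if key in TAMPER_EVENTS:
        return TAMPER_EVENTS[key]
    if key == ("Security", 4688):
        image = event.get("Data", {}).get("NewProcessName", "")
        if TAMPER_TOOLS.search(image):
            return f"log-tampering utility launched: {image}"
    return None


def detect_tampering(events):
    """Run classify() over events; return (time, channel, id, user, reason) tuples."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            user = ev.get("Data", {}).get("SubjectUserName", "?")
            alerts.append((ev["TimeCreated"], ev["Channel"], ev["EventID"], user, reason))
    return alerts


# constructed sample: a normal logon and notepad launch, then the tampering sequence
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-05T10:01:00Z", "Channel": "Security", "EventID": 4624,
     "Data": {"SubjectUserName": "alice", "LogonType": "2"}},
    {"TimeCreated": "2024-01-05T10:02:10Z", "Channel": "Security", "EventID": 4688,
     "Data": {"SubjectUserName": "alice",
              "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}},
    {"TimeCreated": "2024-01-05T10:15:42Z", "Channel": "Security", "EventID": 4688,
     "Data": {"SubjectUserName": "alice",
              "NewProcessName": "C:\\Windows\\System32\\auditpol.exe"}},
    {"TimeCreated": "2024-01-05T10:15:43Z", "Channel": "Security", "EventID": 4719,
     "Data": {"SubjectUserName": "alice", "CategoryId": "Logon/Logoff",
              "AuditPolicyChanges": "Success removed"}},
    {"TimeCreated": "2024-01-05T10:16:05Z", "Channel": "Security", "EventID": 1102,
     "Data": {"SubjectUserName": "alice"}},
    {"TimeCreated": "2024-01-05T10:16:06Z", "Channel": "System", "EventID": 104,
     "Data": {"SubjectUserName": "alice", "Channel": "Application"}},
]

if __name__ == "__main__":
    for when, channel, eid, user, reason in detect_tampering(SAMPLE_EVENTS):
        print(f"{when} {channel}/{eid} {user}: {reason}")
```

The point the sample makes is that a clear is self-documenting on the host: 1102 survives as the first record of the fresh log, so the useful countermeasure is forwarding events to a collector the attacker cannot reach, where the gap between the last forwarded event and the 1102 shows what was removed.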