Notes
Outline
Chapter 11  Phase 5: 
Covering Tracks and Hiding
Attrition Web Site
Contains an archive of Web vandalism attacks http://www.attrition.org/mirror/attrition
Hiding Evidence by
Altering Event Logs
Attackers like to remove evidence from logs associated with attacker’s gaining access, elevating privileges,and installing RootKits and backdoors
Login records
Stopped and restarted services
File access/update times
Event Logging in Windows NT/2000
Security-related events such as failed login attempts or failed access to files are stored in file SecEvent.Evt
System events such as inability in starting a system service are stored in file SysEvent.Evt
Application events related to applications such as databases or web servers are stored in file AppEvent.Evt
Figure 11.1 Windows NT Event Viewer
Altering Event Logs in
Windows NT/2000
opening or editing event log files cannot be done with a standard file editing tool
Deleting event log files possible but may cause suspicion
WinZapper tool allows attacker to selectively delete security events
    http://ntsecurity.nu/toolbox/winzapper
Figure 11.2 WinZapper tool lets an attacker selectively delete events from Windows NT/2000 event logs
Altering System Logs in Unix
Unix log files are stored in files specified in /etc/syslog.conf (eg. /var/adm/messages)
Attackers can alter log files via editors such as vi or emacs
Altering Accounting Files in Unix
utmp, wtmp, and lastlog files are the main accounting files in Unix
Written in special binary format
Can be edited using tools such as remove, wtmped, marry, cloak, logwedit, wzap, and zapper
 http://ftp.technotronic.com/unix/log-tools
Tools included in RootKits
Unix Shell History Files
stores a complete list of all commands entered by the user at the Unix command prompt
Usually stored in users’ home directories
Attacker may configure the length of the shell history file to be zero but may raise suspicion
Careful attacker will remove unwanted lines from the history file via ASCII editor
Defenses for Log and
Accounting File Attacks
Activate logging on your critical systems
Set proper permissions on the log files, utmp, wtmp, lastlog, and users’ shell history files
Setup a a separate logging server
Add line “syslog  514/udp”  to  /etc/services on logging server
Modify /etc/syslog.conf on critical server  to redirect desired message types to logging server
Hostname and IP address of logging server should be added to  /etc/hosts on critical server to thwart DNS attack
In Windows NT/2000, replace EventLog service with an NT-compatible version of syslog to centralize logging
Kiwi syslog for NT http://www.kiwi-enterprises.com
Defenses for Log and
Accounting File Attacks (cont.)
Encrypt log files http://www.core-sdi.com/english/freesoft.html
On Linux systems, make log files append only
  $ chattr   +a   [log_filename]
Store logs on write-once media such as     CD-ROM
Creating Hidden Files and Directories in UNIX
Creating Hidden Files in
Windows NT/2000
Right-click on file or directory in Windows Explorer and selecting “properties”
Showing Hidden Files in
Windows NT and Windows 2000
On WinNT’s Windows Explorer, click on “view” menu to show all files
in Win2000’s Windows Explorer, click on folder options
Hiding Information in
Windows NT/2000
NTFS allows every file to have multiple streams of data associated with it
The normal contents of a file that can be seen and accessed by users is a stream itself
Other  data can be attached and hidden as separate stream using “cp” program in Windows NT Resource Kit
C:\>  cp stuff.txt notepad.exe:data
C:\>  erase stuff.txt
C:\>  notepad.exe
C:\>  cp notepad.exe:data   stuff.txt
Defenses from Hidden Files
Use file integrity checking tools such as Tripwire to check contents of files and directories to verify that no additional data, files or directories have been hidden in them
Use host-based IDS tools and anti-virus tools to check for presence of hidden file and generate alert message
Covert Channels
Communication channels that disguises data while it moves across the network to avoid detection
Require a client and server
Can be used to remotely control a machine and to secretly transfer files or applications
Figure 11.5  A covert channel
between a client and a server
Techniques Used to Get a
Covert Channel Server Installed
Perform a buffer overflow on victim and install a backdoor
Email an unsuspecting user an executable which installs a covert channel server
Install covert channel as a contractor or employee with administrative privilege
Tunneling
Carrying one protocol inside another protocol
Eg. Tunneling AppleTalk traffic over IP
Any communications protocol can be  used to transmit another protocol
SSH protocol used to carry telnet, FTP, or X-Windows session
Used by covert channels
Loki
Reverse WWW Shell
Loki
Covert channel using ICMP as a tunnel to carry interactive communication with a backdoor listener
More stealthy and difficult to detect than other backdoor programs that listen on a given TCP/UDP port
Description and source code available at http://phrack.com
Loki client wraps up attacker’s commands in ICMP and transmits them to the Loki server (lokid)
Loki server upwraps the commands, executes them and wraps the responses up in ICMP packets
Lokid must be run with root privilege
Figure 11.6  Loki hides data
inside ICMP messages
Loki (cont.)
can only be detected via the presence of Loki daemon  process running as root on the victim and the presence of bidirectional ICMP traffic
Can disguise its packets as DNS queries and responses by running over UDP port 53
Supports protocol-switching by typing “/swapt” on client  to toggle between ICMP and UDP port 53
Supports encryption of  ICMP payload information
Reverse WWW Shell
Uses HHTP as a covert channel
Allows an attacker to remotely access a victim machine with a command-line prompt
A Reverse WWW Shell server and Perl interpreter must be installed on the victim machine
A Reverse WWW Shell master software and Perl interpreter must be installed on the attacker’s machine
Can sneak past firewall
Perl code available at http://thc.pimmel.com
Reverse WWW Shell (cont.)
Every minute, Reverse WWW Shell server will contact the master to retrieve commands issued by the attacker
Reverse WWW Shell server executes the commands,  sends the results to Reverse WWW Shell master (via http request), and retrieves the next command (via http reply)
Victim machine appears to be a web client sending HHTP Get commands while attacker’s machine appears to be a web server
Figure 11.7  Reverse WWW Shell looks like outgoing Web access, but is really incoming shell access
Protocols used for
Covert Channels
ICMP
HTTP
Telnet
SMTP
FTP
Streaming audio
SSH
Covert_TCP
http://www.psionic.com/papers/covert
Uses TCP and IP headers to create covert channels
Data can be hidden in various fields
IP Identification field
One character embedded per packet
TCP sequence number
One character embedded per SYN request and Reset packets
TCP acknowledgement number
One hidden character per packet is relayed by a  “bounce” server
Can send data over any TCP source/destination ports
Can bypass firewall if use ports such as 25 or 53
Figure 11.8  The IP and TCP headers
Figure 11.9  Using Covert_TCP with a bounce server
Defenses against
Covert Channels
Don’t let attacker get root or administrator access on hosts
Harden OS
Install latest security patches
Install network IDS
Loki and other covert channels can be detected by Snort