1
Module 3: Concealment and Log Alteration
Highline Community College / Seattle University / University of Washington
in conjunction with the National Science Foundation
2
Topics
  • Hexadecimal ASCII/numeric data
  • Alteration of logs
  • Examples

3
ASCII text file
  • cat hexcharacters.txt
    0123456789ABCDEF
    0123456789ABCDEF
    0123456789ABCDEF
    0123456789ABCDEF
    0123456789ABCDEF
    0123456789ABCDEF

4
man ascii
  • NAME
        ascii - octal, hexadecimal and decimal ASCII character sets
  • DESCRIPTION
  • The hexadecimal set:
    00 nul   01 soh   02 stx   03 etx   04 eot   05 enq   06 ack   07 bel
    08 bs    09 ht    0a nl    0b vt    0c np    0d cr    0e so    0f si
    10 dle   11 dc1   12 dc2   13 dc3   14 dc4   15 nak   16 syn   17 etb
    18 can   19 em    1a sub   1b esc   1c fs    1d gs    1e rs    1f us
    20 sp    21 !     22 "     23 #     24 $     25 %     26 &     27 '
    28 (     29 )     2a *     2b +     2c ,     2d -     2e .     2f /
    30 0     31 1     32 2     33 3     34 4     35 5     36 6     37 7
    38 8     39 9     3a :     3b ;     3c <     3d =     3e >     3f ?
    40 @     41 A     42 B     43 C     44 D     45 E     46 F     47 G
    48 H     49 I     4a J     4b K     4c L     4d M     4e N     4f O
    50 P     51 Q     52 R     53 S     54 T     55 U     56 V     57 W

5
Hexadecimal (base16) dump
  • hexdump -C hexcharacters.txt
    00000000  30 31 32 33 34 35 36 37  38 39 41 42 43 44 45 46  |0123456789ABCDEF|
    00000010  0a 30 31 32 33 34 35 36  37 38 39 41 42 43 44 45  |.0123456789ABCDE|
    00000020  46 0a 30 31 32 33 34 35  36 37 38 39 41 42 43 44  |F.0123456789ABCD|
    00000030  45 46 0a 30 31 32 33 34  35 36 37 38 39 41 42 43  |EF.0123456789ABC|
    00000040  44 45 46 0a 30 31 32 33  34 35 36 37 38 39 41 42  |DEF.0123456789AB|
    00000050  43 44 45 46 0a 30 31 32  33 34 35 36 37 38 39 41  |CDEF.0123456789A|
    00000060  42 43 44 45 46 0a                                 |BCDEF.|
    00000066

6
Concealment using "Rootkits"
  • Replacement of operating system commands or system calls
  • Two fundamental types
      • Application (User) Level
      • Kernel Level
  • Configuration file(s) to control hiding
  • Often simple to identify/bypass, but can be very difficult to detect/disable
  • http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

7
Alteration of logs
  • Types of logs
  • Ways to clean logs
  • Disable logging for future

8
Types of logs
  • Text
      • Unix syslog
      • Apache access logs
  • Binary
      • Unix utmp/wtmp/lastlog
      • Windows Event logs

9
Ways to clean logs
  • Delete (or shred)
  • Filter Delete
  • Edit in place

10
Disable logging
  • Kill syslogd
  • Link log files to /dev/null
  • Edit/delete syslog configuration file
  • Fill partition containing log files

11
Deleting login entries from Unix wtmp
  • How does wtmp logging work?
  • Examples
      • Using wzap
      • Using wipe
      • Using marry

12
How does wtmp logging work?
  • Definition of wtmp entry, from /usr/include/bits/utmp.h
  • UT_LINESIZE is 32 bytes, UT_NAMESIZE is 32 bytes, UT_HOSTSIZE is 256 bytes
13
    /* The structure describing an entry in the user accounting database.  */
    struct utmp
    {
      short int ut_type;            /* Type of login.  */
      pid_t ut_pid;                 /* Process ID of login process.  */
      char ut_line[UT_LINESIZE];    /* Devicename.  */
      char ut_id[4];                /* Inittab ID.  */
      char ut_user[UT_NAMESIZE];    /* Username.  */
      char ut_host[UT_HOSTSIZE];    /* Hostname for remote login.  */
      struct exit_status ut_exit;   /* Exit status of a process marked
                                       as DEAD_PROCESS.  */
      long int ut_session;          /* Session ID, used for windowing.  */
      struct timeval ut_tv;         /* Time entry was made.  */
      int32_t ut_addr_v6[4];        /* Internet address of remote host.  */
      char __unused[20];            /* Reserved for future use.  */
    };
14
Output of last
    reboot    system boot  2.4.2-2           Fri Aug 24 11:13          (01:53)
    ftp       ftpd12458    localhost.locald  Fri Aug 24 09:45 - 09:46  (00:00)
    dittrich  pts/1                          Fri Aug 24 09:45 - down   (01:25)
    ftp       ftpd12433    localhost.locald  Fri Aug 24 09:43 - 09:44  (00:00)
    dittrich  pts/0                          Fri Aug 24 09:28 - down   (01:42)
    dittrich  :0                             Fri Aug 24 09:28 - down   (01:42)
    dittrich  pts/0                          Fri Aug 24 09:24 - 09:28  (00:03)
    dittrich  pts/6                          Sun Aug 19 11:43 - 13:45  (2+02:02)
    dittrich  pts/1                          Sun Aug 19 01:32 - 13:27  (2+11:54)
    dittrich  pts/5                          Sun Aug 19 01:26 - 09:23  (5+07:56)
    dittrich  pts/4                          Sun Aug 19 01:23 - 09:23  (5+08:00)
    dittrich  pts/0                          Sun Aug 19 01:19 - 09:24  (5+08:04)
    dittrich  pts/6                          Sat Aug 18 21:26 - 01:18  (03:52)
    dittrich  pts/5                          Sat Aug 18 21:16 - 01:19  (04:02)
    dittrich  pts/4                          Sat Aug 18 21:14 - 01:19  (04:04)
    dittrich  pts/3                          Sat Aug 18 15:15 - 09:24  (5+18:08)
    dittrich  pts/1                          Sat Aug 18 13:21 - 01:32  (12:11)
    dittrich  pts/2                          Sun Aug  5 15:49 - 21:13  (13+05:24)
    dittrich  pts/0                          Sun Aug  5 15:40 - 01:18  (13+09:38)

15
Hex dump of wtmp file
    0000000: 0700 0000 e404 0000 7074 732f 3000 0000  ........pts/0...
    0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000020: 0000 0000 0000 0000 2f30 0000 6469 7474  ......../0..ditt
    0000030: 7269 6368 0000 0000 0000 0000 0000 0000  rich............
    0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    . . .
    0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000150: 0000 0000 45cb 6d3b 8325 0a00 0000 0000  .....E;m.%......
    0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................

16
    0000000: 0700 0000 e404 0000 7074 732f 3000 0000  ........pts/0...
             --type--- ---pid--- ----device name----
    0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
             --------------device name--------------
    0000020: 0000 0000 0000 0000 2f30 0000 6469 7474  ......../0..ditt
             ----device name---- ---id---- username-
    0000030: 7269 6368 0000 0000 0000 0000 0000 0000  rich............
             ---------------username----------------
    0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
             -----------username---------- -hostname
    . . .
    0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
             -----------hostname---------- --exit---
    0000150: 0000 0000 45cb 6d3b 8325 0a00 0000 0000  .....E;m.%......
             -session- -------time-------- IP addr--
    0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
             ----------IP address--------- reserved-
    0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
             ---------------reserved----------------

17
t0rnkit wzap
  • Section of t0rn script that calls wzap
    . . .
    mv wzap /var/log
    cd /var/log
    ./wzap ftp
    mv wtmp.out wtmp
    rm -rf /var/log/wzap
    . . .

18
t0rnkit wzap in use
  • ltrace while running wzap

19
    __libc_start_main(0x080485c0, 2, 0xbffff8ec, 0x080483fc, 0x0804876c <unfinished ...>
    __register_frame_info(0x08049884, 0x08049980, 0xbffff8a0, 0x08048421, 0x4014a9e4) = 0x4014b5e0
    strcpy(0xbffff86c, "ftp")                  = 0xbffff86c
    printf("\nopening file...\n")              = 17
    fopen("wtmp", "r")                         = 0x08049b30
    printf("opening output file...\n")         = 23
    fopen("wtmp.out", "wr")                    = 0x08049ca0
    printf("working...\n")                     = 11
    feof(0x08049b30)                           = 0
    fread(0x080499a0, 384, 1, 0x08049b30)      = 1
    strncmp("dittrich", "ftp", 8)              = -2
    fwrite("\007", 384, 1, 0x08049ca0)         = 1
    feof(0x08049b30)                           = 0
    . . .

20
    . . .
    fread(0x080499a0, 384, 1, 0x08049b30)      = 1
    strncmp("ftp", "ftp", 8)                   = 0
    feof(0x08049b30)                           = 0
    fread(0x080499a0, 384, 1, 0x08049b30)      = 1
    strncmp("", "ftp", 8)                      = -102
    fwrite("", 384, 1, 0x08049ca0)             = 1
    feof(0x08049b30)                           = 0
    fread(0x080499a0, 384, 1, 0x08049b30)      = 1
    . . .

21
wtmp before wzap
    dittrich  pts/3                          Fri Aug 24 13:19 - 13:30  (00:10)
    dittrich  pts/0                          Fri Aug 24 13:19   still logged in
    dittrich  pts/1                          Fri Aug 24 13:19 - 21:49  (5+08:29)
    dittrich  pts/2                          Fri Aug 24 13:19 - 15:57  (02:37)
    dittrich  :0                             Fri Aug 24 13:19   still logged in
    reboot    system boot  2.4.2-2           Fri Aug 24 13:18          (11+09:33)
    root      tty1                           Fri Aug 24 13:17 - down   (00:00)
    dittrich  :0                             Fri Aug 24 13:16 - down   (00:00)
    root      tty2                           Fri Aug 24 13:10 - 13:16  (00:05)
    root      tty1                           Fri Aug 24 13:10 - 13:16  (00:06)
    reboot    system boot  2.4.2-2           Fri Aug 24 13:08          (00:08)
    dittrich  pts/1                          Fri Aug 24 11:35 - down   (01:30)
    dittrich  pts/0                          Fri Aug 24 11:35 - down   (01:30)
    dittrich  :0                             Fri Aug 24 11:35 - down   (01:30)
    reboot    system boot  2.4.2-2           Fri Aug 24 11:13          (01:53)
    ftp       ftpd12458    localhost.locald  Fri Aug 24 09:45 - 09:46  (00:00)
    dittrich  pts/1                          Fri Aug 24 09:45 - down   (01:25)
    ftp       ftpd12433    localhost.locald  Fri Aug 24 09:43 - 09:44  (00:00)
    dittrich  pts/0                          Fri Aug 24 09:28 - down   (01:42)

22
wtmp after wzap
    dittrich  pts/3                          Fri Aug 24 13:19 - 13:30  (00:10)
    dittrich  pts/0                          Fri Aug 24 13:19   still logged in
    dittrich  pts/1                          Fri Aug 24 13:19 - 21:49  (5+08:29)
    dittrich  pts/2                          Fri Aug 24 13:19 - 15:57  (02:37)
    dittrich  :0                             Fri Aug 24 13:19   still logged in
    reboot    system boot  2.4.2-2           Fri Aug 24 13:18          (11+09:33)
    root      tty1                           Fri Aug 24 13:17 - down   (00:00)
    dittrich  :0                             Fri Aug 24 13:16 - down   (00:00)
    root      tty2                           Fri Aug 24 13:10 - 13:16  (00:05)
    root      tty1                           Fri Aug 24 13:10 - 13:16  (00:06)
    reboot    system boot  2.4.2-2           Fri Aug 24 13:08          (00:08)
    dittrich  pts/1                          Fri Aug 24 11:35 - down   (01:30)
    dittrich  pts/0                          Fri Aug 24 11:35 - down   (01:30)
    dittrich  :0                             Fri Aug 24 11:35 - down   (01:30)
    reboot    system boot  2.4.2-2           Fri Aug 24 11:13          (01:53)
    dittrich  pts/1                          Fri Aug 24 09:45 - down   (01:25)
    dittrich  pts/0                          Fri Aug 24 09:28 - down   (01:42)
    dittrich  :0                             Fri Aug 24 09:28 - down   (01:42)

    wtmp begins Sun Aug  5 15:40:05 2001

23
t0rnkit wzap in use
  • wzap must be run in /var/log
  • wzap copied to /var and deleted
      • (Can be recovered from /var)
  • wtmp file cleaned properly, but not in place
  • Original wtmp deleted
      • (Can be recovered from /var)

24
wipe features
  • USAGE: wipe [ u|w|l|a ] ...options...
  • UTMP editing:
      • Erase all usernames:        wipe u [username]
      • Erase one username on tty:  wipe u [username] [tty]
  • WTMP editing:
      • Erase last entry for user:  wipe w [username]
      • Erase last entry on tty:    wipe w [username] [tty]
  • LASTLOG editing:
      • Blank lastlog for user:     wipe l [username]
      • Alter lastlog entry:        wipe l [username] [tty] [time] [host]
      • Where [time] is in the format YYMMddhhmm
  • ACCT editing:
      • Erase acct entries on tty:  wipe a [username] [tty]

25
wipe in use (ltrace output)
    . . .
    printf("Patching %s .... ", "/var/log/wtmp")              = 28
    fflush(0x0804a9d0)                                        = 0
    open("/var/log/wtmp", 2, 03766)                           = 3
    lseek(3, -384, 2, 2038, 0x4003670e)                       = 68736
    read(3, "\007", 384)                                      = 384
    strlen(0xbffffbbc, 7, 15576, 0x2f737470, 51)              = 3
    strncmp("dittrich", "ftp", 3)                             = -2
    . . .
    strlen(0xbffffbbc, 0x08090968, 0, 0x64707466, 0x33343231) = 3
    strncmp("ftp", "ftp", 3)                                  = 0
    bzero(0xbffff8e8, 384)                                    = <void>
    lseek(3, -384, 1, 0, 0)                                   = 11520
    write(3, "", 384)                                         = 384
    close(3)                                                  = 0
    printf("Done.\n")                                         = 6
    exit(0)                                                   = <void>
    +++ exited (status 0) +++

26
wipe in use
  • Original
    0003180: 8009 0908 0000 0000 6674 7064 3132 3435  ........ftpd1245
    0003190: 3800 0000 0000 0000 0000 0000 0000 0000  8...............
    00031a0: 0000 0000 0000 0000 78d8 ffbf 6674 7000  ........x...ftp.
  • After wipe
    0003180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0003190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00031a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

27
wipe in use
  • Original
    00031c0: 0000 0000 0000 0000 0000 0000 6c6f 6361  ............loca
    00031d0: 6c68 6f73 742e 6c6f 6361 6c64 6f6d 6169  lhost.localdomai
    00031e0: 6e00 0000 0000 0000 0000 0000 0000 0000  n...............
  • After wipe
    00031c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00031d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00031e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

28
wipe in use
  • Original
    00032d0: 0000 0000 b884 836b 207a 1040 1140 1410  .......k z.@.@..
    00032e0: c0d9 ffbf 0000 0040 20d9 f0fb fe3d 1040  .......@ ....=.@
    00032f0: 9700 0000 99fc 14a0 10ef fbfe f3fe f35f  ..............._
  • After wipe
    00032d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00032e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00032f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

29
wipe in use
  • Original wtmp edited in place
  • wtmp file left with zeroed areas
  • wipe may still be in file system somewhere (anywhere)

30
marry.c features
  • Convert wtmp/utmp/lastlog to text
  • Invokes editor on converted file
  • Re-writes original in-situ
  • Has other "stealth" features

31
Example marry.dmp file
    00000  dittrich  pts/1  ts/1  7  9286   20010502225034  10.0.0.1  hostname
    00001  ""        pts/1  ""    8  9285   20010502231052  0.0.0.0   ""
    00002  dittrich  pts/1  ts/1  7  11320  20010503103800  10.0.0.1  hostname
    00003  ""        pts/1  ""    8  11317  20010503104241  0.0.0.0   ""
    00004  dittrich  pts/1  /1    7  25438  20010505172540  0.0.0.0   ""
    00005  ""        pts/8  ""    8  26600  20010505182523  0.0.0.0   ""
    00006  dittrich  pts/4  ts/4  7  3332   20010508111744  10.0.0.1  hostname
    00007  ""        pts/4  ""    8  3331   20010508115759  0.0.0.0   ""
    00008  dittrich  pts/4  /4    7  5038   20010508230648  0.0.0.0   ""
    00009  dittrich  pts/6  ts/6  7  7136   20010509110712  10.0.0.1  hostname
    0000a  ""        pts/6  ""    8  7135   20010509121218  0.0.0.0   ""
    0000b  dittrich  pts/6  ts/6  7  7637   20010509143847  10.0.0.1  hostname
    0000c  ""        pts/6  ""    8  7636   20010509144014  0.0.0.0   ""
    0000d  dittrich  pts/6  ts/6  7  7807   20010509154348  10.0.0.1  hostname
    0000e  ""        pts/6  ""    8  7806   20010509232823  0.0.0.0   ""
    0000f  ""        ""     si    8  9      20010510084158  0.0.0.0   2.4.9-12custom
    00010  reboot                 2  0      20010510084158  0.0.0.0   2.4.9-12custom
    00011  runlevel               1  20021  20010510084158  0.0.0.0   2.4.9-12custom

32
marry in use on wipe cleaned log file
    00407  ""    ttyp0  p0  8  0     20010708003633  0.0.0.0  0
    00408  ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
    00409  ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
    0040a  ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
    0040b  ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
    0040c  ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
    0040d  ""    pts/1  ""  8  1755  20010708163736  0.0.0.0  ""
    0040e  ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
    0040f  ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
    00410  ""    pts/1  ""  8  1968  20010708195947  0.0.0.0  ""
    00411  root  pts/1  /1  7  2244  20010708200833  0.0.0.0  ""
    00412  root  pts/2  /2  7  2285  20010708201005  0.0.0.0  ""
    00413  root  pts/1  /1  8  2244  20010708201551  0.0.0.0  ""
    00414  root  pts/2  /2  8  2285  20010708201554  0.0.0.0  ""
    00415  root  pts/1  /1  7  2348  20010708201558  0.0.0.0  ""
    00416  root  pts/1  /1  8  2348  20010708204818  0.0.0.0  ""
    00417  root  pts/0  /0  8  1204  20010708204833  0.0.0.0  ""
    00418  root  pts/0  /0  7  3459  20010708213206  0.0.0.0  ""
    00419  root  pts/1  /1  7  3855  20010708214424  0.0.0.0  ""
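
An added example, not from the slides and not part of wzap, wipe or marry: a small Python parser that reads wtmp records using the 32-bit glibc struct utmp layout from slides 13 and 16 (384 bytes per record, the size the ltrace output shows wzap and wipe reading) and flags the two traces that in-place editing leaves behind, the all-zero records that marry prints as "" "" 0 19691231160000 and timestamps that run backwards. The wtmp bytes below are constructed test data, not a real log; the field offsets assume the 32-bit little-endian layout shown on the slides.

```python
import struct
from datetime import datetime, timezone

# 32-bit glibc struct utmp (bits/utmp.h), 384 bytes: ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], __unused[20]. Little-endian, no extra padding.
UTMP_FMT = "<hxxi32s4s32s256shhlll4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384, the size wzap and wipe read per record

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data: bytes) -> list:
    """Split a wtmp image into records along the field boundaries of the annotated hex dump."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"offset": off, "type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "id": _cstr(f[3]), "user": _cstr(f[4]), "host": _cstr(f[5]),
                     "time": f[9], "zeroed": data[off:off + UTMP_SIZE] == b"\0" * UTMP_SIZE})
    return recs

def audit_wtmp(data: bytes) -> list:
    """(offset, reason) for all-zero records (what wipe leaves; marry shows them as "" "" 0 19691231160000) and time going backwards."""
    findings, last_ts = [], 0
    for r in parse_wtmp(data):
        if r["zeroed"]:
            findings.append((r["offset"], "zeroed record (wtmp is append-only; type 0 should not appear)"))
        elif r["time"] < last_ts:
            findings.append((r["offset"], "timestamp earlier than previous record"))
        last_ts = max(last_ts, r["time"])
    return findings

def make_record(ut_type: int, pid: int, line: str, ut_id: str, user: str, host: str, ts: int) -> bytes:
    """Pack one record; used only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample (not a real log): a pts/0 login, an ftp login record zeroed in place,
# and the ftpd logout record that the cleaner left behind.
SAMPLE = (make_record(7, 1252, "pts/0", "/0", "dittrich", "", 0x3B6D45CB)
          + b"\0" * UTMP_SIZE
          + make_record(8, 12458, "ftpd12458", "", "", "", 0x3B6D4600))

if __name__ == "__main__":
    for r in parse_wtmp(SAMPLE):
        when = datetime.fromtimestamp(r["time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print(f"{r['offset']:#07x} type={r['type']} {r['user']:<10} {r['line']:<10} {when}")
    for off, why in audit_wtmp(SAMPLE):
        print(f"suspicious record at {off:#x}: {why}")
```

Run against a real /var/log/wtmp the same way as the sample; a zeroed record in the middle of an append-only file is the signature slide 29 describes, and the surrounding timestamps show where the gap sits.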

33
Countering concealment
  • Look for ways around rootkits
      • Alternate commands
      • Analysis kits
  • Look for corroborating evidence
      • Other logs (e.g., ssh logins, su logs)
      • Active/deleted file metadata
      • Deleted file contents (esp. sniffer logs!)
  • Look for second sources (external)
      • Network traffic flows
      • Logs on servers
      • Logins to/from other hosts

34
Conclusions
  • You can't trust what you see
  • ...or what you don't see
  • You can find (most) answers
  • ...but you have to look hard
  • We know Tools Are Good!
  • ...but what tools DON'T we know about?