Page 1: Ethical Hacking Version 5, Module 24
Page 2: Insider Attacks
• Insider attacks are attacks initiated from the inside out
• Inside-out attacks try to initiate network connections from the trusted (corporate) network to the untrusted (Internet) network
• These techniques are used to evade firewall filters
Page 3: What Is a Covert Channel?
• A covert channel is a mechanism for sending and receiving information between machines without alerting any firewalls or IDSs on the network
• The technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls will permit
Page 4: Security Breach
• A covert channel constitutes a security breach because it involves a trusted insider who is sending information to an unauthorized outsider in a covert fashion
• For example, an employee who wants to let an outsider know whether his company won a big contract can pass this information secretly over such a channel
Page 5: Why Do You Want to Use a Covert Channel?
• Transfer a file from a victim machine to a hacker machine
• Transfer a file from a hacker machine to a victim machine
• Interactive remote-control access from the hacker machine to the victim machine
• Bypass any corporate filtered firewall rules
• Bypass corporate proxy server content filters
Page 6: Motivation of a Firewall Bypass?
• Surfing to filtered websites (e.g. www.certifiedhacker.com)
• Listening to Internet radio
• Chatting with Internet friends
• Administration of home web servers via SSH
• Uploading and downloading special files (EXE, ZIP) that are filtered by the corporate content filter policy
• Using peer-to-peer techniques
• Advanced users from the internal network
• Disgruntled employees
• Hackers
Page 7: Covert Channels Scope
Page 8: Covert Channel: Attack Techniques
[Diagram: attack techniques carried over an Internet-allowed protocol]
Page 9: Simple Covert Attacks
• Simple covert attacks use direct channels to communicate with the Internet
  • TCP tunnel (POP, Telnet, SSH)
Page 10: Simple Covert Attacks
[Diagram: attacker]
Page 11: Advanced Covert Attacks
• Advanced covert attacks use proxied channels to communicate with the Internet
  • Mail tunnel
Page 12: Advanced Covert Attacks
[Diagram: attacker, LAN proxy]
Page 13: Standard Direct Connection
[Diagram: victim, server, attacker]
Page 14: Reverse Shell (Reverse Telnet)
[Diagram: victim, server, attacker]
Page 15: Direct Attack Example
Buffer overflow is an example of a direct attack
[Diagram: web server request passed by the firewall; reverse shell is established; hacker-controlled host; internal network]
Page 16: Indirect Attack Example
[Diagram: port blocked by firewall; insider remote control; indirect attack; web server request blocked by the firewall; reverse shell is established; hacker-controlled host; internal network]
Page 17: Reverse Connecting Agents
• Reverse connecting agents can be installed by:
  • ZIP drives
Page 18: Covert Channel Attack Tools
Page 20: DNS Tunneling
When the server wants to connect, it responds with a 'key' IP address. The client then starts a shell in a pipe and feeds the output of the shell (in the form of DNS queries) to the server.
Page 21: Covert Channel Using DNS Tunneling
Page 22: DNS Tunnel Client
• Opens a tunnel to the DNS Tunnel Server, which is located on the Internet
• Lets the attacker remotely control your computer through the web site of the DNS Tunnel Server
Page 23: DNS Tunneling Countermeasures
• Apply firewall rule: allow DNS from internal HTTP proxy servers only
• Apply firewall rule: deny all other DNS packets
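A resolver-log check that complements the two firewall rules above, added here as an example that is not part of the original slides: it scores each query for the traits the DNS tunnel described on the previous pages leaves behind (long, high-entropy labels, TXT or NULL record types, many distinct names under one zone) and flags any client/zone pair showing at least two of them. The log format and the sample lines are constructed, and splitting the zone off as the last two labels is a simplification.

```python
import math
from collections import defaultdict
# Constructed resolver log, one query per line: "<time> <client-ip> <qtype> <qname>".
# The three TXT queries from 10.1.2.9 mimic tunnel traffic: 64-char hex labels under one zone.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A www.example.com
10:00:02 10.1.2.3 A mail.example.com
10:00:03 10.1.2.9 TXT 2d9f8a7b3c1e4f6a0b9d8c7e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a.tun.example.net
10:00:04 10.1.2.9 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b.tun.example.net
10:00:05 10.1.2.9 TXT 3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d.tun.example.net
10:00:06 10.1.2.3 A cdn.example.org
"""
LONG_QNAME, HIGH_ENTROPY, MIN_UNIQUE_NAMES = 50, 3.0, 3  # chars, bits/char, names per zone
SUSPICIOUS_QTYPES = {"TXT", "NULL"}

def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname):
    return ".".join(qname.rstrip(".").split(".")[-2:])  # simplification: last two labels = zone

def query_reasons(qtype, qname):
    reasons = set()  # per-query tunnel traits
    if len(qname) > LONG_QNAME:
        reasons.add("long-qname")
    if shannon_entropy(qname.split(".")[0]) > HIGH_ENTROPY:
        reasons.add("high-entropy-label")
    if qtype in SUSPICIOUS_QTYPES:
        reasons.add("qtype-" + qtype)
    return reasons

def analyze(log_text):
    """Return {(client, zone): sorted reasons} for pairs showing at least two tunnel traits."""
    per_pair = defaultdict(lambda: {"names": set(), "reasons": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, qtype, qname = parts
        entry = per_pair[(client, base_domain(qname))]
        entry["names"].add(qname)
        entry["reasons"] |= query_reasons(qtype, qname)
    flagged = {}
    for key, entry in per_pair.items():
        reasons = set(entry["reasons"])
        if len(entry["names"]) >= MIN_UNIQUE_NAMES:
            reasons.add("many-unique-subdomains")
        if len(reasons) >= 2:
            flagged[key] = sorted(reasons)
    return flagged
```

The thresholds are starting points to tune against your own resolver's baseline; a single long or odd query is normal, which is why a pair is only flagged on two or more traits.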
Page 24: Covert Channel Using SSH
[Diagram: inside-out SSH connection]
Page 25: Covert Channel Using SSH (Advanced)
• Use SSL if a proxy server is used internally and content filtering is enabled
Page 26
[Diagram: 2. SSH is established from the web server to the hacker machine; victim; HTTP proxy (HTTP, HTTPS, FTP)]
Page 27: Covert Channel Hacking Tool: Active Port Forwarder
• It uses SSL to increase the security of communication between a server and a client
Page 28: Covert Channel Hacking Tool: CCTT
• CCTT (Covert Channel Tunneling Tool) enables the creation of communication channels through NACS to create data streams which can:
  • server
  • streams (SSH, SMTP, POP, etc.) between an external server and a box within the internal network
Page 29: Covert Channel Hacking Tool: Firepass
• Firepass is a tunneling tool that allows bypassing firewall restrictions by encapsulating data flows inside legitimate ones
• Uses HTTP POST requests
[Diagram: Firepass]
Page 30: Covert Channel Hacking Tool: MsnShell
• Gives access to a computer protected by a firewall
  • Establishes a shell from a box located within the internal network to an external server
  • Encapsulates shell commands and responses within the MSN protocol (SHELL over MSN)
  • Supports HTTP proxy (SHELL over MSN over HTTP)
Page 31: Covert Channel Hacking Tool: Web Shell
• "Web Shell" is a remote UNIX/Windows shell that tunnels packets via HTTP/HTTPS
• The client component provides a shell-like prompt, encapsulating user commands into HTTP POST requests and sending them to the server-side script on the target web server, directly or via an HTTP proxy server
• The server part extracts and executes commands from the HTTP POST requests and returns STDOUT and STDERR output as HTTP response messages
  • SSL support
  • Command-line history support
  • File upload/download
Page 32: Covert Channel Hacking Tool: NCovert
• NCovert functions as a TCP covert channel
• It is a file transfer system that uses the TCP protocol to covertly move data from one system to another
• NCovert uses spoofing techniques to hide the source of communications and the data that travels over the network
• The technique essentially creates a covert channel for communications by hiding four characters of data in the TCP header's initial sequence number (ISN) field
Page 33: NCovert - How It Works
[Diagram: sends to a public server, forging the source IP as the receiver's IP]
Page 34: NCovert2 - How It Works - Part 1
[Diagram: source port derived from SHA-1 and the session key; file size carried in the ISN; port 80; SHA-1 hash]
Page 35: NCovert2 - How It Works - Part 2
• ... ISN, creates a packet with a random IP ID, the "predictable" source port and the new ISN, and sends the packet, repeating as needed
• ... destination ports; uses the previous ISN and the session hash to extract the data
• ... addresses can be changed to something "random", including decoy packets
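A detection heuristic for the plain form of this channel, added here as an example that is neither part of the original slides nor NCovert's own code: it groups captured SYN packets by source address and flags a source whose consecutive ISNs all decode to printable ASCII, which the four-characters-per-ISN encoding described on page 32 produces. The packet records are constructed.

```python
import struct
from collections import defaultdict

# Constructed sample of captured TCP SYN packets (not from the original slides):
# (source_ip, destination_port, initial_sequence_number).  The three SYNs from
# 198.51.100.7 carry four ASCII characters each, as the slides describe.
SAMPLE_SYNS = [
    ("192.0.2.10", 80, 0x8B4D2F91),    # ordinary randomised ISN
    ("192.0.2.10", 80, 0xC0FFEE00),
    ("198.51.100.7", 80, 0x73656372),  # b"secr"
    ("198.51.100.7", 80, 0x65742D64),  # b"et-d"
    ("198.51.100.7", 80, 0x61746121),  # b"ata!"
    ("203.0.113.5", 443, 0x1A9E7C03),
]

def isn_bytes(isn):
    """The 32-bit ISN as the four bytes it occupies on the wire (network byte order)."""
    return struct.pack("!I", isn)

def is_printable_ascii(data):
    """True only if every byte is a printable ASCII character (0x20..0x7E)."""
    return all(0x20 <= b <= 0x7E for b in data)

def find_isn_text_runs(syns, min_run=3):
    """Return {source_ip: decoded text} for sources whose consecutive SYNs decode to
    printable ASCII at least min_run times in a row.  A randomised ISN passes the
    printable test with probability (95/256)**4, about 2%, so three in a row from
    one source (about 7e-6 by chance) is a strong signal rather than noise."""
    by_source = defaultdict(list)
    for src, _dport, isn in syns:
        by_source[src].append(isn)
    hits = {}
    for src, isns in by_source.items():
        run = []
        for isn in isns + [None]:  # None is a sentinel that closes the final run
            chunk = isn_bytes(isn) if isn is not None else b""
            if chunk and is_printable_ascii(chunk):
                run.append(chunk)
                continue
            if len(run) >= min_run:
                hits[src] = b"".join(run).decode("ascii")
            run = []
    return hits
```

The NCovert2 variant on pages 34 and 35 mixes the data with a session hash before it goes into the ISN, so this printable-text check does not apply to it.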
Page 36: Covert Channel Hacking via Spam E-mail Messages
• ... difficult to detect because of the means of delivery
• ... the back door system; the e-mail appears to be ordinary spam
• This text can be varied by attacker specification
• This makes detection via standard intrusion detection methods virtually impossible
• ... information by simply sending spam e-mail messages
Page 37: Covert Channel Hacking via Spam E-mail Messages
Page 38
• ... into an application without altering the file size
• It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by using the appropriate instructions from each set
• This tool can be used for covert communication