Linux Forensics. Newbug Tseng Oct

Transcription

1 Linux Forensics Newbug Tseng Oct

2 Contents Are u ready Go Real World Exploit Attack Detect

3 Are u ready

4 Linux File Permission OWNER GROUP OTHER R R R W SUID on exection 4000 X W SGID on execution 2000 X W Sticky bit 1000 X

5 File Information man 2 stat struct stat { dev_t ino_t mode_t nlink_t uid_t gid_t dev_t off_t blksize_t blkcnt_t time_t time_t time_t }; st_dev; /* device */ st_ino; /* inode */ st_mode; /* protection */ st_nlink; /* number of hard links */ st_uid; /* user ID of owner */ st_gid; /* group ID of owner */ st_rdev; /* device type (if inode device) */ st_size; /* total size, in bytes */ st_blksize; /* blocksize for filesystem I/O */ st_blocks; /* number of blocks allocated */ st_atime; /* time of last access */ st_mtime; /* time of last modification */ st_ctime; /* time of last status change */

6 Go

7 Exploit Exploit: 1. A way of breaking into a system. 2 An exploit takes advantage of a weakness in a system in order to hack it.

8 Memory Layout Memory layout of a linux process

9 Stack Layout Low memory High memory a typical stack region

10 Stack Overflow

11 Stack Overflow (cont.)

12 Stack Overflow (cont.) Before overflow After overflow

13 Assembly Registers 32 bits EAX EBX ECX EDX 16 bits AX BX CX DX Intel-x86 8 bits (high) AH BH CH DH 8 bits (low) AL BL CL DL

14 Assembly (cont.) MOV move a value in a register. mov $0x4, %al mov %eax, %ebx PUSH Put a value in the stack POP Get a value from the stack and store it in a register of in a variable INT interrupt call int $0x80 it gives the control to the kernel

15 Shellcode

16 Shellcode (cont.)

17 Shellcode (cont.)

18 Shellcode (cont.)

19 Shellcode (cont.) Find System call number grep write /usr/include/asm/unistd.h #define NR_write 4 Find System call arguments ssize_t write(int fd, const void *buf, size_t count); eax == write syscall no. ebx == fd ecx == address of buf edx == write length

20 Shellcode (cont.)

21 Shellcode (cont.)

22 Shellcode (cont.)

23 Simple Exploit

24 Simple Exploit (cont.)

25 Simple Exploit (cont.) General Overflow technique: 1. Stack based. 2. Heap based. 3. Format string.

26 Simple Exploit (cont.) By pass technique 1. ret-into-libc. 2. etc

27 Real World Exploit

28 Cdrecord Problem Description: Max Vozeler found that the cdrecord program, which is suid root, fails to drop euid=0 when it exec()s a program specified by the user through the $RSH environment variable. This can be abused by a local attacker to obtain root privileges.

29 Cdrecord (cont.)

30 Samba Problem Description: The problem is that an anonymous user can gain remote root access due to a buffer overflow vulnerability caused by a StrnCpy () into a character array fname using a non-constant length namelen : line 252 of smbd/trans2.c StrnCpy(fname,pname,namelen);

31 Samba (cont.)

32 Samba (cont.)

33 Samba (cont.)

34 Ptrace/kmod Problem Description: When a process requests a feature which is in a module, the kernel spawns a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe") The problem is that before the euid change the child process can be attached to with ptrace(). Game over, the user can insert any code into a process which will be run with the superuser privileges.

35 Ptrace/kmod (cont.)

36 Ptrace/kmod (cont.)

37 mremap Problem Description A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to missing function return value check.

38 mremap (cont.)

39 Attack

40 Before Attack Lock on Target / Just attack Collect information Vulnerability ( nessus / nmap etc) Remote Service Attack ( gain shell / DoS )

41 DNS Zone Transfer

42 Whois

43 Nmap

44 Nessus

45 Nessus (cont.)

46 Nessus (cont.)

47 Nessus (cont.)

48 Nessus (cont.)

49 After Local 0wn3d Password save / crack Hidden Yourself Backdoor Find sensitive information Find the way to intranet Find other targets Etc

50 Rip the password

51 Hide Yourself

52 Hide Yourself (cont.)

53 Hide Yourself (cont.)

54 Hide Yourself (cont.)

55 Hide Yourself (cont.) Others: All log in /var/log

56 B4ckd00r Suid Shell

57 B4ckd00r (cont.)

58 B4ckd00r (cont.) Bind Port

59 B4ckd00r (cont.)

60 B4ckd00r (cont.) Reverse connection backdoor

61 B4ckd00r (cont.)

62 B4ckd00r (cont.) Kernel b4ckd00r adore

63 B4ckd00r (cont.)

64 B4ckd00r (cont.)

65 B4ckd00r (cont.)

66 B4ckd00r (cont.)

67 B4ckd00r (cont.) Others ( icmp/telnetd/xinetd/portmap etc. )

68 Sniffer NIC turn to Promiscous Mode

69 Detect

70 DETECT User Indications Failed log-in attempts Log-ins to accounts that have not been used for an extended period of time Log-ins during hours other than non-working hours The presence of new user accounts that were not created by the system administrator su entries or logins from strange places, as well as repeated failed attempts

71 DETECT System Indications Modifications to system software and configuration files Gaps in system accounting that indicate that no activity has occurred for a long period of time Unusually slow system performance System crashes or reboots Short or incomplete logs Logs containing strange timestamps Logs with incorrect permissions or ownership Missing logs Abnormal system performance Unfamiliar processes Unusual graphic displays or text messages.

72 Netstat SYN scan

73 IPLog What is IPLog? iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. Needed packages libpcap --

74 IPLog (cont.) Install

75 IPLog (cont.) Nmap SYN scan

76 IPLog (cont.) Nmap FIN scan

77 IPLog (cont.) Nmap Xmas scan

78 IPLog (cont.) Nmap null scan

79 IPLog (cont.) Nessus scan

80 Analyze logfiles ~/.bash_history

81 Analyze logfiles (cont.) /var/log/sudo.log

82 Analyze logfiles (cont.) /var/log/auth.log

83 Analyze logfiles (cont.) /var/log/messages

84 Analyze logfiles (cont.) /var/log/secure

85 Analyze logfiles (cont.) /var/log/xferlog

86 Analyze logfiles (cont.) /var/log/samba/*

87 Analyze Traffic Use tcpdump tcpdump -i eth0 host and port 9999

88 Analyze Traffic (cont.) Use sniffit

89 Detect Sniffer

90 Detect Sniffer (cont.)

91 Find B4ckd00r (cont.) Find Suid R00t backdoor

92 Find B4ckd00r (cont.) Find by timestamp (mtime)

93 Find B4ckd00r (cont.) Find by timestamp (ctime)

94 Find B4ckd00r (cont.) Use string

95 Find B4ckd00r (cont.) Use md5check

96 Find B4ckd00r (cont.) Use /proc

97 Find B4ckd00r (cont.) Use library hook

98 Find B4ckd00r (cont.)

99 Find B4ckd00r (cont.) lsof What is lsof? Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. It can also list communications open by each process.

100 Find B4ckd00r (cont.) Install

101 Find B4ckd00r (cont.) lsof grep daemon (daemon_active)

102 Find B4ckd00r (cont.) lsof grep daemon (daemon_passive)

103 Find B4ckd00r (cont.) chkrootkit What is chkrootkit? locally checks for signs of a rootkit.

104 Find B4ckd00r (cont.) Install

105 Find B4ckd00r (cont.)

106 Find B4ckd00r (cont.)

107 Find B4ckd00r (cont.)

108 Questions?

109 Reference The art of exploitation The Shellcoder s Handbook Adore lkm backdoor -- Wipe - Page - Tcpdump --

110 Reference (cont.) Cdrecord Vuln Ptrace/kmod Vuln - Samba Vuln - Mremap Vuln - Lsof project --

111 Reference (cont.) Nmap Nessus -- Iplog -- Chkrootkit -- John the Ripper password cracker -

112 Thanks!