Monday, March 6, 2006

SANS - Hacker Track

SANS Track 4 Notes, Comments

Day 1 – Incident Handling

Sample Incident forms are available @

Giac Practicals are available @

and contain good working examples

Protect Evidence – get the user away from the machine ASAP to keep the machine unchanged until you can image the drive. Keep the original stored in a safe place and maintain a chain of evidence.

Verify backup integrity to ensure you are not restoring a compromised image.

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

Keep up to date on privacy laws; European laws are radically different from US laws.

IDS, depending on the vendor, may be able to monitor encrypted VPN traffic.
Always strive to raise security awareness with management.

Honeynet – for training purposes it may be useful to set up a vulnerable system and intentionally let it be compromised to develop the team's investigative skills.

Nice Trojan Port list

Organizations should create a list of most probable target systems to enhance monitoring efforts

Vulnerability/Exploit news

Develop an Evidence Elimination IDS Signature, i.e. somebody accessing a website or tool that is designed to clean their system.

Legal/Regulatory sites

DOJ Electronic Evidence Guide

Day 2 – Computer & Network Hacker Exploits

If viable get written permission for any activities not specifically authorized
Software Distro Attacks – always verify checksums across multiple sites.

Inside Company Info –

Robots.txt file contains information that companies don’t want you to see on the web. Instructs browsers not to look there.

When crawling a website, always use a cached version on Google if available.

THC Wardialer @

Every wireless encryption, including PEAP and LEAP, which rotate keys, has been broken. There are many tools available for wireless sniffing and key cracking.

The only true way to secure a WAP would be to point it to a VPN with strong authentication.

Honeypot WAPs are a good way to catch hackers in the act. Also, there are tools to broadcast fake SSIDs to confuse hackers.

In Unix, you need to use the iwconfig command to configure wireless cards. Requires installing wireless extensions.

Cheops isn’t accurate and routinely will miss 40% of network hosts

Port 80 and Port 443 are very popular for hackers to hide traffic in, because the sheer volume of traffic makes detection near impossible.

For passive “scanning” try p0f.

Firewalk will probe firewalls for open ports (firewalk-0.99.1.tar.gz).

Netscreen firewalls are considered one of the least stateful walls around, and allow SYN, FIN, and no-flags packets to pass even if drop rules are in place.

Good idea to have an IDS signature that will detect TTL tracerouting. Also, block any ICMP error messages from leaving the internal network.

90% of fragmented packets are estimated to be malicious. Some IPSEC VPNs will create fragmented packets if not configured correctly. If feasible for the business, consider dropping all fragmented packets at the firewall.

“Manager Think” – nothing bad has happened yet, so nothing probably will.

Day 3 – Computer & Network Hacker Exploits (continued)

It only takes 20-30 packets per minute to create a SYN Flood condition.

If you’re constantly seeing broadcast NetBIOS traffic, it’s a good idea to verify domain or WINS configuration settings.

Sniffit has a curses interface and will create an inventory of sniffed connections and allow users to zoom in for more info on any particular traffic.

Dsniff contains Tcpkill for RST DoS and Tcpnice to slow down TCP connections. Slowing down the rate of traffic is a good way to limit a hacker without tipping him off that you’ve detected him.

Purdue website contains many useful tools

TTYSnoop is a good tool for hijacking somebody else’s Unix session. Linux RPM.

DNS Cache Poisoning, Do we have dragon sigs for this?

To hide your source IP via a Netcat relay, it's a good idea to use a named pipe (mknod backpipe p).

Large numbers of NOP packets may be a buffer overflow attack (NOP sled).

Memory alignment makes code more efficient by aligning bytes to a certain memory location. Supposed to be a common framework for malware.

Many buffer overflow defenses that monitor the stack have been beaten (Phrack 56).

Polymorphic exploits use XOR encryption to change the code’s appearance on the wire; see the popular whitepaper on IDS evasion techniques, which contains checksums to verify the code.

Good format strings paper

Intel architecture stores numbers from right to left, so when feeding into the stack you need to feed backwards.

Day 4 – Computer & Network Hacker Exploits (continued)

Use Windows character map for easy Unicode Character conversions.

First MS fix for the Unicode exploit can be beaten by double-encoding your directory traversal: ..%252f..%252f..
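The reason a single decode pass misses the double-encoded traversal above is that `%25` decodes to a literal `%`, leaving `..%2f` which contains no `/` yet. Added example (not from the course or the original notes): a Python check that decodes repeatedly until the path stops changing and then looks for `..` segments; the sample paths are constructed.

```python
from urllib.parse import unquote

# Constructed upper bound on decode passes, so a hostile input cannot loop forever.
MAX_DECODE_ROUNDS = 4


def fully_decode(path: str, max_rounds: int = MAX_DECODE_ROUNDS) -> tuple:
    """Percent-decode until the string stops changing (or max_rounds is hit).
    Returns (decoded_path, rounds_applied)."""
    current, rounds = path, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break  # nothing left to decode
        current, rounds = decoded, rounds + 1
    return current, rounds


def _has_dotdot_segment(path: str) -> bool:
    # Treat backslashes as separators too, since Windows servers accept both.
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def is_traversal(path: str) -> bool:
    """Defensive check: flag a '..' segment exposed by ANY number of decode rounds."""
    decoded, _ = fully_decode(path)
    return _has_dotdot_segment(decoded)


def single_decode_is_traversal(path: str) -> bool:
    """The naive check that the first fix effectively performed: one decode only."""
    return _has_dotdot_segment(unquote(path))


if __name__ == "__main__":
    # Constructed sample using the page's ..%252f pattern with a placeholder target.
    double_encoded = "/scripts/..%252f..%252f..%252fplaceholder_dir/target.exe"
    print("single decode flags it:", single_decode_is_traversal(double_encoded))  # False
    print("repeated decode flags it:", is_traversal(double_encoded))               # True
```

The same loop also catches `..%255c` style paths because the backslash is normalised before the segment check.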

Good idea to disable LanMan hashes in the registry if backwards compatibility is not an issue.

UNIX includes a salt in its hashes to make them unique, whereas a password encrypted on a Windows system is the same on every Windows system. Using a predefined list of encrypted passwords works well against Windows.

Check out extended modules for John like Crack S/Key and AFS/Kerberos
Once you have the admin password, use scheduler to get an interactive shell. If it’s not running use the net start command.

Check out pstools from

Good idea to have different AV software on the desktop, mail server, and file servers. Allows for different virus definitions to be used at the various levels, instead of putting your eggs in one basket.

When harvesting web accounts, pay close attention to the error messages, like invalid account versus invalid password or account locked. Once you have a valid account it can be brute-forced.

Regarding input validation attacks, to bypass any client-side filtering save the page to disk and remove the Java checks, or just use Achilles. Server-side filtering is the only true protection.

Check out Mixter’s paper on DDOS

DDoS method of choice is a reflected attack, which bounces your botnet attack layer off high-bandwidth sites (Google, eBay, etc.) to your target.

Day 5 – Computer & Network Hacker Exploits (continued)

In the future, we may see CPU-level (microcode) malware.

If IIS is not loaded on the C drive, try using a tool like tini because it will automatically find cmd.exe
Setiri Trojan can bypass all firewalls and proxies by running an invisible browser on the target machine to communicate with the attacker.

Several good tools exist to hide Trojans in normal executables (SaranWrap, EliteWrap, Silk Rope).

Installing a rootkit may require the kernel source code.

Many Rootkits will self delete if a special signal is received, like a network cable being unplugged, see Lysine Deficiency

Webgoat software teaches you to hack websites

Buggybank from Webmaven includes real website flaws for you to investigate

Good best practices site

Mount is an easy way to hide files. Simply create your file and mount another directory on top of it.

Time stamps can all be altered (touch, etc.), so they should not be trusted.

StegFS will create a layered stego filesystem. Using multiple layers, everything beyond the first layer will be undetectable.

Day 6 – Hacker Tools Workshop

Hack away …
