SANS Track 4 Notes, Comments
Day 1 – Incident Handling
Sample Incident forms are available @ http://www.sans.org/incidentforms/
GIAC practicals are available @ http://www.giac.org/GCIH.php and contain good working examples
Protect Evidence – get the user away from the machine ASAP to keep the machine unchanged until you can image the drive. Keep the original stored in a safe place and maintain a chain of evidence.
Verify backup integrity to ensure you are not restoring a compromised image.
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Keep up to date on privacy laws; European laws are radically different from US laws
IDS, depending on the vendor, may be able to monitor encrypted VPN traffic
Always strive to raise security awareness with management
Honeynet – for training purposes it may be useful to set up a vulnerable system and intentionally let it be compromised to develop the team’s investigative skills.
Nice Trojan Port list http://www.dark-e.com/archive/trojans/ports.shtml
Organizations should create a list of most probable target systems to enhance monitoring efforts
Vulnerability/Exploit news www.netsys.com
Develop an Evidence Elimination IDS signature, e.g. somebody accessing a website or tool that is designed to clean their system.
Legal/Regulatory sites http://www.groklaw.com http://www.findlaw.com
DOJ Electronic Evidence Guide http://www.cybercrime.gov/s&smanual2002.htm
Day 2 – Computer & Network Hacker Exploits
If viable, get written permission for any activities not specifically authorized
Software Distro Attacks – always verify checksums across multiple sites
Inside Company Info – http://www.internalmemo.com
Robots.txt file contains information that companies don’t want you to see on the web. Instructs crawlers (robots) not to look there. http://www.robotstxt.org
When crawling a website always use a cached version on Google if available
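Added example (not from these notes or from robotstxt.org): a small parser that reads a robots.txt the way a crawler would, so a defender can see exactly which paths a site's own file advertises as off-limits. The robots.txt content below is constructed for the example; no real site is involved.

```python
"""Parse robots.txt into per-agent allow/disallow lists.

Added example for the SANS Track 4 notes; the sample file is constructed.
"""

SAMPLE_ROBOTS = """\
# constructed sample, not from any real site
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /backup/public/

User-agent: Googlebot
Disallow: /internal-reports/
"""


def parse_robots(text):
    """Return {user_agent: {"allow": [...], "disallow": [...]}}.

    A group starts at a User-agent line; consecutive User-agent lines share
    the rule lines that follow them, as in the robots exclusion convention.
    """
    rules = {}
    current_agents = []
    expecting_agent = True  # True until a rule line closes the agent group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not expecting_agent:
                current_agents = []  # a new group begins
                expecting_agent = True
            agent = value.lower()
            current_agents.append(agent)
            rules.setdefault(agent, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow") and current_agents:
            expecting_agent = False
            if value:  # "Disallow:" with an empty value imposes no restriction
                for agent in current_agents:
                    rules[agent][field].append(value)
    return rules


def hidden_paths(text, agent="*"):
    """Paths the file asks the given agent not to crawl."""
    return parse_robots(text).get(agent.lower(), {}).get("disallow", [])


if __name__ == "__main__":
    for agent, r in parse_robots(SAMPLE_ROBOTS).items():
        print(agent, r)
```

The point for a site owner: every Disallow line is a signpost. Access control, not robots.txt, is what keeps a path private.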
THC Wardialer @ http://www.thehackerschoice.com/releases.php
Every wireless encryption scheme, including PEAP and LEAP, which rotate keys, has been broken. There are many tools available for wireless sniffing and key cracking.
The only true way to secure a WAP would be to point it to a VPN with strong authentication.
Honeypot WAPs are a good way to catch hackers in the act. Also, there are tools to broadcast fake SSIDs to confuse hackers.
On Unix, you need to use the iwconfig command to configure wireless cards. Requires installing the wireless extensions.
Cheops isn’t accurate and routinely will miss 40% of network hosts
Port 80 and Port 443 are very popular for hackers to hide traffic in, because the sheer volume of traffic makes detection nearly impossible.
For passive “scanning” try p0f http://www.stearns.org
Firewalk will probe firewalls for open ports (firewalk-0.99.1.tar.gz)
Netscreen firewalls are considered one of the least stateful walls around, and allow SYN, FIN, and no-flag packets to pass even if drop rules are in place.
Good idea to have an IDS signature that will detect TTL tracerouting. Also, block any ICMP error messages from leaving the internal network.
90% of fragmented packets are estimated to be malicious. Some IPSEC VPNs will create fragmented packets if not configured correctly. If feasible for the business, consider dropping all fragmented packets at the firewall.
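Added example (not from these notes): the check a firewall makes when it enforces a "drop all fragments" rule, written out against raw IPv4 header bytes. A datagram is a fragment when the More Fragments flag is set or the fragment offset is non-zero; a first fragment has MF set with offset 0, and a last fragment has MF clear with a non-zero offset, so testing only one of the two fields misses half the fragments. The three headers below are constructed byte strings using RFC 5737 documentation addresses.

```python
"""Fragment detection on raw IPv4 headers (added example, constructed data)."""
import struct

# Fixed 20-byte IPv4 header, network byte order; options are ignored.
IPV4_FMT = "!BBHHHBBH4s4s"


def parse_ipv4_header(data):
    """Return the fields needed for a fragment decision."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "ihl": ver_ihl & 0x0F,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset in bytes
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def is_fragment(header):
    """True for first, middle and last fragments alike."""
    return header["mf"] or header["frag_offset"] != 0


def fragment_policy(data, drop_fragments=True):
    """Return 'drop' or 'pass' for one raw header under the given policy."""
    hdr = parse_ipv4_header(data)
    if drop_fragments and is_fragment(hdr):
        return "drop"
    return "pass"


SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 20])
# Unfragmented UDP datagram: flags 0, offset 0.
WHOLE = struct.pack(IPV4_FMT, 0x45, 0, 64, 0x1234, 0x0000, 64, 17, 0, SRC, DST)
# First fragment: MF set, offset 0.
FIRST_FRAG = struct.pack(IPV4_FMT, 0x45, 0, 1500, 0x1234, 0x2000, 64, 17, 0, SRC, DST)
# Last fragment: MF clear, offset field 185 -> 1480 bytes into the datagram.
LAST_FRAG = struct.pack(IPV4_FMT, 0x45, 0, 100, 0x1234, 185, 64, 17, 0, SRC, DST)

if __name__ == "__main__":
    for name, pkt in (("whole", WHOLE), ("first", FIRST_FRAG), ("last", LAST_FRAG)):
        h = parse_ipv4_header(pkt)
        print(name, "mf=%s offset=%d -> %s" % (h["mf"], h["frag_offset"], fragment_policy(pkt)))
```

If the business cannot drop fragments outright (the IPSEC case in the note), the same parser is the starting point for logging fragment counts per source so the misconfigured VPN peers can be found instead.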
“Manager Think” – nothing bad has happened yet, so nothing probably will.
Day 3 – Computer & Network Hacker Exploits (continued)
It only takes 20-30 packets per minute to create a SYN Flood condition
If you’re constantly seeing broadcast NetBIOS traffic, it’s a good idea to verify domain or WINS configuration settings.
Sniffit has a curses interface and will create an inventory of sniffed connections and allow users to zoom in for more info on any particular traffic.
Dsniff contains tcpkill for RST DOS and tcpnice to slow down TCP connections. Slowing down the rate of traffic is a good way to limit a hacker without tipping him off that you’ve detected him.
Purdue website contains many useful tools ftp://ftp.cerias.purdue.edu/pub/tools/
TTYSnoop is a good tool for hijacking somebody else’s Unix session. Linux RPM
DNS Cache Poisoning, Do we have dragon sigs for this?
To hide your source IP via a Netcat relay, it is a good idea to use a named pipe (mknod backpipe p)
Large numbers of NOP packets may be a buffer overflow attack (NOP sled)
Memory alignment makes code more efficient by aligning bytes to certain memory boundaries.
www.metasploit.com is supposed to be a common framework for malware
Many buffer overflow defenses that monitor the stack have been beaten (Phrack 56)
Polymorphic exploits use XOR encryption to change the code’s appearance on the wire, see popular whitepaper on IDS Evasion techniques
http://www.knowngoods.org/ contains checksums to verify code
Good format strings paper http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf
Intel Architecture stores numbers from right to left (little-endian), so when feeding an address into the stack you need to feed the bytes backwards.
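Added example (not from these notes) covering three of the low-level points above in one place: the NOP-run heuristic an IDS uses to flag a NOP sled, the padding computation behind memory alignment, and the little-endian byte order that makes a value look "backwards" in memory. The sample buffer is constructed and is plain data, not an exploit; the 32-byte threshold is an assumption chosen for the example, not a vendor's setting.

```python
"""NOP-run detection, alignment and byte order (added example)."""
import struct

NOP = 0x90  # x86 single-byte no-op


def longest_nop_run(data, nop=NOP):
    """Length of the longest run of consecutive NOP bytes in a buffer."""
    best = run = 0
    for b in data:
        run = run + 1 if b == nop else 0
        best = max(best, run)
    return best


def looks_like_nop_sled(data, threshold=32):
    """The classic IDS heuristic: a long run of NOPs in a payload.

    The polymorphic-exploit note above is about defeating exactly this kind
    of check, which is why it is a signal to investigate, not proof.
    """
    return longest_nop_run(data) >= threshold


def align_up(addr, boundary):
    """Round addr up to the next multiple of boundary (a power of two)."""
    if boundary <= 0 or boundary & (boundary - 1):
        raise ValueError("boundary must be a power of two")
    return (addr + boundary - 1) & ~(boundary - 1)


def alignment_padding(addr, boundary):
    """Bytes of padding a compiler inserts to reach the next boundary."""
    return align_up(addr, boundary) - addr


def to_little_endian(value, width=4):
    """Serialise an integer as x86 stores it: least-significant byte first.

    0x08041234 becomes the bytes 34 12 04 08, the reverse of how the number
    is written, which is what the note means by feeding the stack backwards.
    """
    return value.to_bytes(width, "little")


def from_little_endian(raw):
    return int.from_bytes(raw, "little")


# Constructed sample: 40 NOPs followed by a few arbitrary non-NOP bytes.
SAMPLE = bytes([NOP] * 40) + b"ABC"

if __name__ == "__main__":
    print("longest NOP run:", longest_nop_run(SAMPLE), looks_like_nop_sled(SAMPLE))
    print("0x1003 aligned to 16:", hex(align_up(0x1003, 16)),
          "padding", alignment_padding(0x1003, 16))
    print("0x08041234 little-endian:", to_little_endian(0x08041234).hex())
    # struct with the '<' prefix produces the same byte order.
    print(struct.pack("<I", 0x08041234) == to_little_endian(0x08041234))
```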
Day 4 – Computer & Network Hacker Exploits (continued)
Use Windows character map for easy Unicode Character conversions.
First MS fix for the Unicode exploit can be beaten by double encoding your directory traversal ..%252f..%252f..
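Added example (not from these notes, and not Microsoft's fix): why a filter that decodes the URL once and then looks for "../" is bypassed by ..%252f, and how decoding to a fixed point before the check closes the gap. %25 is a percent sign, so one decode turns ..%252f into ..%2f, which contains no "../"; only a second decode exposes the traversal. The request paths are constructed.

```python
"""Single vs canonical URL decoding before a traversal check (added example)."""
from urllib.parse import unquote

TRAVERSAL = "../"


def naive_check(path):
    """Decode once, then look for '../'. This is the pattern that is bypassed."""
    return "blocked" if TRAVERSAL in unquote(path) else "allowed"


def canonical_decode(path, max_rounds=4):
    """Percent-decode repeatedly until the string stops changing.

    The round limit bounds the work on pathological inputs that keep
    decoding; anything still encoded after the limit is left as-is.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def hardened_check(path):
    """Canonicalise first (full decode, backslash -> slash), then check."""
    canonical = canonical_decode(path).replace("\\", "/")
    return "blocked" if TRAVERSAL in canonical else "allowed"


# Constructed requests: plain, single-encoded and double-encoded traversal,
# plus a benign URL with an ordinary encoded space.
REQUESTS = {
    "plain": "/app/../../protected/file.txt",
    "single": "/app/..%2f..%2fprotected/file.txt",
    "double": "/app/..%252f..%252fprotected/file.txt",
    "benign": "/app/report?name=John%20Doe",
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print("%-7s naive=%-8s hardened=%s" % (label, naive_check(req), hardened_check(req)))
```

The general rule this illustrates: normalise input into the form the server will actually act on, and only then validate it. Validating an intermediate representation is what left the first fix open.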
Good idea to disable lanman hashes in the registry if backwards compatibility is not an issue
UNIX includes salt in its hashes to make them unique, whereas a password encrypted on a Windows system is the same on every Windows system. Using a predefined list of encrypted passwords works well against Windows.
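Added example (not from these notes) showing the point behind the salt note: with an unsalted scheme, two users with the same password get the same hash and a table of precomputed hashes recovers them instantly; with a per-user random salt the same table matches nothing. SHA-256 stands in for the real LM/NT and crypt(3) algorithms so the script runs offline; the accounts, passwords, wordlist and salts are constructed.

```python
"""Salted vs unsalted password hashes against a precomputed table (added example)."""
import hashlib
import os


def unsalted_hash(password):
    """Windows-style: the same password hashes identically everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Unix-style: a random salt is stored beside the hash and mixed in."""
    if salt is None:
        salt = os.urandom(8).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "%s$%s" % (salt, digest)


def verify_salted(password, stored):
    """Recompute with the stored salt; no table can be built ahead of time."""
    salt, _ = stored.split("$", 1)
    return salted_hash(password, salt) == stored


def table_lookup_unsalted(table, hash_db):
    """Accounts recovered from an unsalted DB with zero hashing work."""
    reverse = {h: pw for pw, h in table.items()}
    return {user: reverse[h] for user, h in hash_db.items() if h in reverse}


def table_lookup_salted(table, salted_db):
    """The same table applied to salted entries: the digests never match."""
    reverse = {h: pw for pw, h in table.items()}
    found = {}
    for user, stored in salted_db.items():
        digest = stored.split("$", 1)[1]
        if digest in reverse:
            found[user] = reverse[digest]
    return found


# Constructed accounts: alice and bob chose the same weak password.
USERS = {"alice": "Summer2004", "bob": "Summer2004", "carol": "r7$kL!p2"}
WORDLIST = ["password", "Summer2004", "letmein"]

# A precomputed table is built once from the wordlist and reused forever.
TABLE = {pw: unsalted_hash(pw) for pw in WORDLIST}

UNSALTED_DB = {u: unsalted_hash(p) for u, p in USERS.items()}
SALTED_DB = {u: salted_hash(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted alice == bob:", UNSALTED_DB["alice"] == UNSALTED_DB["bob"])
    print("salted   alice == bob:", SALTED_DB["alice"] == SALTED_DB["bob"])
    print("recovered from unsalted DB:", table_lookup_unsalted(TABLE, UNSALTED_DB))
    print("recovered from salted DB:  ", table_lookup_salted(TABLE, SALTED_DB))
```

Salt does not make a weak password strong; the attacker can still hash the wordlist per account. What it removes is the one-time precomputation that makes the unsalted case so cheap, which is the reason the note recommends disabling LANMAN hashes.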
Check out extended modules for John like Crack S/Key and AFS/Kerberos
Once you have the admin password, use the scheduler to get an interactive shell. If it’s not running, use the net start command.
Check out pstools from www.sysinternals.com
Good idea to have different AV software on the desktop, mail server, and file servers. Allows for different virus definitions to be used at the various levels, instead of putting all your eggs in one basket.
When harvesting web accounts pay close attention to the error messages, like invalid account versus invalid password or account locked. Once you have a valid account it can be brute forced.
Regarding input validation attacks, to bypass any client-side filtering save the page to disk and remove the Java checks, or just use Achilles. Server-side filtering is the only true protection.
Check out Mixter’s paper on DDOS http://www.packetstormsecurity.com/distributed
DDOS method of choice is a reflected attack, which bounces your botnet attack layer off high-bandwidth sites (Google, eBay, etc.) to your target.
Day 5 – Computer & Network Hacker Exploits (continued)
In the future, we may see CPU-level (microcode) malware
If IIS is not loaded on the C drive, try using a tool like tini because it will automatically find cmd.exe
Setiri Trojan can bypass all firewalls and proxies by running an invisible browser on the target machine to communicate with the attacker.
Several good tools exist to hide Trojans in normal executables (SaranWrap, EliteWrap, Silk Rope)
Installing a rootkit may require the kernel source code
Many Rootkits will self delete if a special signal is received, like a network cable being unplugged, see Lysine Deficiency
WebGoat software teaches you to hack websites
Buggybank from Webmaven includes real website flaws for you to investigate
Good best practices site http://www.cisecurity.org
Mount is an easy way to hide files. Simply create your file and mount another directory on top of it.
Time stamps can all be altered (touch,etc.), so they should not be trusted
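Added example (not from these notes): a forensic sanity check that shows why altered timestamps are often still detectable. touch and os.utime() set atime and mtime to whatever the user asks, but on Unix the inode change time (ctime) is set by the kernel and cannot be written from user space, so an mtime newer than ctime, or an ancient mtime beside a ctime of today, is worth a second look. The check assumes Unix ctime semantics (on Windows st_ctime is creation time) and runs against a file created in a temporary directory; the one-year gap threshold is an assumption for the example.

```python
"""Timestamp consistency check for forensic triage (added example)."""
import os
import tempfile
import time

DAY = 86400


def timestamp_anomalies(path, max_gap_days=365):
    """Reasons a file's stat() times look inconsistent (empty list = clean)."""
    st = os.stat(path)
    reasons = []
    # Changing mtime updates ctime, so mtime can only be newer than ctime if
    # the clock was rolled back or the inode was edited below the kernel.
    if st.st_mtime > st.st_ctime + 1:  # 1s slack for filesystem granularity
        reasons.append("mtime is newer than ctime")
    # Content supposedly untouched for years while the inode changed
    # recently: consistent with a backdated mtime.
    if st.st_ctime - st.st_mtime > max_gap_days * DAY:
        reasons.append("ctime is far newer than mtime (possible backdating)")
    return reasons


def demo():
    """Create a file, tamper with its mtime two ways, return the findings."""
    findings = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "evidence.log")
        with open(p, "w") as fh:
            fh.write("constructed sample content\n")
        findings["fresh"] = timestamp_anomalies(p)

        # Backdate, the equivalent of: touch -t 200001010000 evidence.log
        past = time.mktime((2000, 1, 1, 0, 0, 0, 0, 0, -1))
        os.utime(p, (past, past))
        findings["backdated"] = timestamp_anomalies(p)

        # Forward-date: claim the file was last modified a year from now.
        future = time.time() + 365 * DAY
        os.utime(p, (future, future))
        findings["future"] = timestamp_anomalies(p)
    return findings


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(label, reasons or "ok")
```

None of this is proof on its own, which is the note's point: treat timestamps as leads to corroborate against logs, backups and network evidence, never as trusted facts.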
StegFS will create a layered stego filesystem. Using multiple layers everything beyond the first layer will be undetectable.
Day 6 – Hacker Tools Workshop
Hack away …