Case study: Windows break-in
Cosc 4765
Windows Forensics Techniques
A case study
• First, this lecture should not be confused with computer forensics for criminal prosecution.
– That involves chain of custody and ensuring that the system has “unchanged” data for evidence in a trial.
• We’ll look at identification and detection techniques and tools
– using a Windows environment for a fake company.
Fake company
• We’ll use a web hosting company as the basis for the study.
– It has a large number of Windows servers
– Each has 2 NICs
• 1 has an inside private IP 10.10.X.X
• 1 has an outside public IP
– All inside traffic is via ssh, while outside traffic is via http (and https), using Apache (not IIS).
– And there is a firewall preventing outside-to-inside access. Boxes can only be accessed from the internet via the outside IP address.
Our Network Toolbox
• Networking tools to detect potential incidents
– WireShark, Windump (tcpdump for Windows)
• We can capture and graphically inspect network traffic
– EtherApe
• It builds a “talkers map” for a network segment
• Allows us to characterize normal traffic
– tcpreplay
• We can replay captured traffic and control the speed.
– Snort
• Free IDS; use a GUI frontend like BASE to make viewing the traffic easy.
– MRTG
• Or something like it; it can show you a traffic graph of your network
– Fscan, nmapwin (nmap for Windows)
• Port scanners to determine open ports.
Potential incidents
• First, there is a general assumption
– YOU ALREADY KNOW WHAT NORMAL TRAFFIC IS FOR “FAKE COMPANY”.
– Why is this important?
– What would we expect to be normal traffic for this company?
Potential incidents (2)
• So first we think there is “abnormal traffic” on the network.
– maybe from Snort or other network monitoring software.
• Could just be “gee, the response time is slow today”.
– We run Wireshark and get the following:
• Traffic from an outside IP to an inside IP
– That’s a problem!
– Time to check that computer.
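The “what is normal” check from the earlier slides, written out as a small policy classifier. This is an added example, not part of the lecture; it assumes the inside range is 10.10.0.0/16 (from “10.10.X.X”) and that the sample flow records are constructed, not a real capture.

```python
import ipaddress

# Fake company's stated policy: inside NICs live in 10.10.0.0/16 and only talk
# ssh to each other; outside NICs serve http/https to the internet; the
# firewall is supposed to block outside -> inside. The /16 is an assumption
# drawn from "10.10.X.X" on the slide.
INSIDE_NET = ipaddress.ip_network("10.10.0.0/16")
INSIDE_PORTS = {22}
OUTSIDE_PORTS = {80, 443}

def classify_flow(src, dst, dport):
    """Return None for policy-conforming traffic, otherwise a short reason."""
    src_in = ipaddress.ip_address(src) in INSIDE_NET
    dst_in = ipaddress.ip_address(dst) in INSIDE_NET
    if dst_in and not src_in:
        return "outside -> inside"            # the firewall should make this impossible
    if src_in and dst_in:
        return None if dport in INSIDE_PORTS else f"inside traffic on non-ssh port {dport}"
    if not src_in and not dst_in:
        return None if dport in OUTSIDE_PORTS else f"outside ip serving non-web port {dport}"
    return "inside ip talking to a public address"   # not part of the stated normal traffic

def find_abnormal(flows):
    """Filter (src, dst, dport) records down to the ones that break policy."""
    return [(src, dst, dport, why) for src, dst, dport in flows
            if (why := classify_flow(src, dst, dport))]

# Constructed sample flows, not a real capture.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.9", 22),         # normal: inside ssh
    ("198.51.100.7", "203.0.113.10", 443),  # normal: internet -> outside ip, https
    ("198.51.100.7", "10.10.1.9", 3215),    # the slide's finding: outside ip -> inside ip
    ("203.0.113.44", "203.0.113.10", 3215), # internet -> outside ip on a non-web port
]

if __name__ == "__main__":
    for src, dst, dport, why in find_abnormal(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {why}")
```

Feed it flow records exported from Wireshark or Windump and the abnormal ones are the machines to check first.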
Our Windows ToolBox
• A CD-ROM containing copies of the programs we are using.
– A CD-ROM is best, since it cannot be compromised by an infected system.
– From a Windows system:
• at.exe, cmd.exe, dir.exe, ipconfig.exe, nbtstat.exe, net.exe, netstat.exe, nslookup.exe, route.exe, tracert.exe, hostname.exe
Our Windows ToolBox (2)
• From Foundstone.com and other places
– fport.exe
• Reports all open TCP/IP and UDP ports and maps them to the owning application.
– Could use netstat –an, but fport maps to the owning application, so it’s better.
– pslist.exe
• lists processes on the command line
– psservice.exe
• associates services with process IDs
– psfile.exe
• similar to lsof, lists open files by application
– psloggedon.exe
• associates users with running processes
– listdlls.exe
• lists which DLL files are being used by running processes.
What to look for?
• unusual processes
– pslist, psinfo, psfile
• process owners
– psloggedon
• unusual listening ports
– netstat, fport, psservice
• examine route tables
– netstat, route
• temp files, suspicious folders
– dir, type, explorer
• unusual open files
– psfile, listdlls, fport
• logged in users
– psloggedon, nbtstat
Using the tools
• e:\hostname (assume e: is the cdrom)
– winbox.private.com
• e:\net session
Computer User name Client Type Opens Idle time
---------------------------------------------------------------
\\TGT1 ADMINISTRATOR 0 00:00:27
\\TGT2 ADMINISTRATOR 0 00:00:15
\\TGT3 ADMINISTRATOR 0 00:00:23
\\TGT4 ADMINISTRATOR 0 00:00:05
– This is very bad! There are 4 file shares connected to this machine.
Using the tools (2)
• E:\Fport.exe
Fport v2.0 - TCP/IP Process to Port Mapper Copyright 200 by Foundstone, Inc http://www.foundstone.com
Pid Process Port Proto Path
420 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 445 TCP
888 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1027 TCP
8 System -> 445 UDP
430 svchost -> 80 TCP C:\Program Files\Apache\httpd.exe
1625 servu -> 3215 TCP C:\Client_Data\Inetpub\_vti-bin\ \servu.exe
– We are running Apache web servers, but there is something running out of what looks like an IIS directory!
– Hidden directory: note the “\ \” component in that path.
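Reading fport’s table by eye works for one box; across a large number of servers it helps to script the “what to look for” checks. This is an added example, not part of the lecture or of Foundstone’s tool: it parses a constructed copy of the fport output above and flags listeners that fall outside an assumed baseline (trusted binary directories, expected ports, and a whitespace-only directory in the path).

```python
import re

# Constructed from the fport lines shown on the slide; not a live capture.
FPORT_OUTPUT = """\
Pid Process Port Proto Path
420 svchost -> 135 TCP C:\\WINNT\\system32\\svchost.exe
8 System -> 445 TCP
888 MSTask -> 1025 TCP C:\\WINNT\\system32\\MSTask.exe
8 System -> 1027 TCP
8 System -> 445 UDP
430 svchost -> 80 TCP C:\\Program Files\\Apache\\httpd.exe
1625 servu -> 3215 TCP C:\\Client_Data\\Inetpub\\_vti-bin\\ \\servu.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.*))?$")

# What "normal" is for this box (assumed baseline): binaries only from the
# system directory or the Apache install, and only these listening ports.
TRUSTED_DIRS = (r"c:\winnt\system32", r"c:\program files\apache")
EXPECTED_PORTS = {80, 443, 135, 445, 1025, 1027}

def parse_fport(text):
    """Turn fport's table into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": proc, "port": int(port),
                         "proto": proto, "path": (path or "").rstrip()})
    return rows

def suspicious(row):
    """Reasons this listener deserves a closer look (empty list = looks normal)."""
    reasons = []
    path = row["path"]
    if path:
        # a directory whose name is only whitespace hides well in a dir listing
        if any(p.strip() == "" for p in path.split("\\")[1:-1]):
            reasons.append("whitespace-only (hidden) directory in path")
        if not path.lower().startswith(TRUSTED_DIRS):
            reasons.append("binary outside trusted directories")
    if row["port"] not in EXPECTED_PORTS:
        reasons.append(f"unexpected listening port {row['port']}")
    return reasons

def triage(text):
    """Map pid -> reasons for every listener that fails the baseline."""
    return {r["pid"]: suspicious(r) for r in parse_fport(text) if suspicious(r)}
```

On the slide’s output only pid 1625 (servu) fails the baseline, for all three reasons.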
Using the tools (3)
• e:\dir /s /a c:\Client_Data\Inetpub\_vti-bin\" "\ /p
– recursively listing the hidden directory
net use F \\tgt1\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use G \\tgt2\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use H \\tgt3\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use I \\tgt4\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
• So now there are at least 4 more systems involved, with administrator privileges
• Looking at those, we find that it’s an FTP server, with configs and a batch file to launch the server.
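Scoping the incident means turning the “net session” output and the batch file above into one list of machines to examine and one list of credentials to change. This is an added example, not part of the lecture; both artifacts are constructed copies of what the slides show, and the report fields are my own choice.

```python
import re

# Constructed copies of the two artifacts shown on the slides.
NET_SESSION_OUTPUT = """\
Computer User name Client Type Opens Idle time
---------------------------------------------------------------
\\\\TGT1 ADMINISTRATOR 0 00:00:27
\\\\TGT2 ADMINISTRATOR 0 00:00:15
\\\\TGT3 ADMINISTRATOR 0 00:00:23
\\\\TGT4 ADMINISTRATOR 0 00:00:05
"""
BATCH_FILE = r"""
net use F \\tgt1\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use G \\tgt2\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use H \\tgt3\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use I \\tgt4\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
"""

SESSION_RE = re.compile(r"^\\\\(\S+)\s+(\S+)\s+(\d+)\s+(\d\d:\d\d:\d\d)$")
NET_USE_RE = re.compile(r"^net\s+use\s+\S+\s+\\\\([^\\]+)\\(.*?)\s+/user:(\S+)\s+(\S+)$", re.I)

def sessions(text):
    """(computer, user) pairs from 'net session' output; header lines are skipped."""
    return [(m.group(1).lower(), m.group(2)) for line in text.splitlines()
            if (m := SESSION_RE.match(line.strip()))]

def mappings(text):
    """(host, path, user, password) tuples from 'net use' lines in a batch file."""
    return [m.groups() for line in text.splitlines()
            if (m := NET_USE_RE.match(line.strip()))]

def scope_incident(session_text, batch_text):
    """Combine both sources into a checklist for the clean-up phase."""
    s, m = sessions(session_text), mappings(batch_text)
    hosts = sorted({c for c, _ in s} | {h.lower() for h, *_ in m})
    return {
        "hosts": hosts,                                          # every box to examine
        "admin_share_used": any(p.lower().startswith("c$") for _, p, _, _ in m),
        "hidden_dir_in_path": any("\\ \\" in p for _, p, _, _ in m),
        "embedded_creds": sorted({(u, pw) for _, _, u, pw in m}),  # rotate these everywhere
        "admin_sessions": [c for c, u in s if u.upper() == "ADMINISTRATOR"],
    }
```

A single Administrator password reused across all four hosts in cleartext means the credential has to be changed on every one of them, not just the box you found it on.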
A note
• This hasn’t identified the entry point
• We don’t know how they broke in
– could be bad administrator passwords
– could be an unpatched Windows system
– virus/worm
– or simply a targeted attack against fake company that succeeded.
Clean Up
• That’s the hard part
– If we decide not to reinstall the machine
– Must check the registry, new local accounts, services
• such as, how does the system mount those directories?
– We’ll need to stop that!
– Scan and remove any viruses/worms/trojan horses/back doors.
• Once an attacker gets in, they will work very hard to stay there.
Clean Up (2)
• Besides cleaning up the systems
• Fix the firewall
– If we are allowing clients to connect to specific ports, then we should enforce that on the firewall
– Open internet ports
• 80 (http), 443 (https), maybe port 25 for e-mail
– Close outbound ports as well.
• Harder, because of browsing, patch management, and other issues, but it can normally be done by trial and error.
– Add VLANs if possible to block more traffic
Clean Up (3)
• Add an IDS system
– make sure it has rules that “enforce” policies
– It will then tell us when traffic is going to the wrong ports.
– outside-to-inside IP connections
• Attackers may still succeed, but we will know about it quicker.
Lastly
• The idea here is to quickly find and repair the problem.
– Have your toolbox ready, KNOW how to use the programs, and always know what “normal” is.
• We can never be 100% secure, and it’s not if we get hacked, it's WHEN we get hacked.
Q&A
References
• http://www.securityfocus.com/infocus/1653/
• http://www.securityfocus.com/infocus/1672/
• http://www.foundstone.com/