DOCUMENT INFORMATION
Basic information
Format
Number of pages
38
Size
1.05 MB
Content
Ethical Hacking Version 5
Module 24: Covert Hacking
EC-Council

Insider Attacks
• Insider attacks are attacks initiated from inside-out
• Inside-out attacks try to initiate network connections from the trusted (corporate) network to the untrusted (Internet) network
• These techniques are used to evade firewall filters
[Figure: Outsider / Insider]

What is a Covert Channel?
• A covert channel is a mechanism for sending and receiving information between machines without alerting any firewalls and IDSs on the network
• The technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls will permit
[Figure: Network, Firewall, Internet, Attacker]

Security Breach
• A covert channel constitutes a security breach because it involves a trusted insider sending information to an unauthorized outsider in a covert fashion
• For example, an employee wants to let an outsider know whether his company won a big contract
• The two could come up with a scheme to communicate this information secretly

Why Do You Want to Use a Covert Channel?
• Transfer a file from a victim machine to a hacker machine
• Transfer a file from a hacker machine to a victim machine
• Launch applications on the victim machine
• Interactive remote control access from the hacker machine to the victim machine
• Bypass any corporate filtered firewall rules
• Bypass corporate proxy server content filters

Motivation of a Firewall Bypass?
  - Surfing to filtered websites (e.g. www.certifiedhacker.com)
  - Listening to Internet radio
  - Chatting with Internet friends
  - Administration of home web servers via SSH
  - Uploading and downloading of special files (EXE, ZIP) which are filtered by the corporate content filter policy
  - Using peer-to-peer techniques
• Who wants to bypass the firewall policy?
  - Advanced users from the internal network
  - Disgruntled employees
  - Hackers

Covert Channels Scope
[Figure only]

Covert Channel: Attack Techniques
1. Implementing hacker code within the optional fields of an internet-allowed protocol
  - DNS tunnel, ICMP tunnel
2. Tunneling hacker payload within the request and response of an internet-allowed protocol
  - HTTP tunnel, E-mail tunnel
3. Running other protocols on the desired ports rather than the ones normally assigned
  - For example, running IRC on port 80 (HTTP)
4. Misusing internet-allowed protocols
  - Proxy CONNECT method

Simple Covert Attacks
• Simple covert attacks use direct channels to communicate with the Internet
• Direct channels:
  - ACK tunnel
  - TCP tunnel (POP, Telnet, SSH)
  - UDP tunnel (syslog, SNMP)
  - ICMP tunnel
  - IPsec, PPTP

Simple Covert Attacks
[Figure: Network, Firewall, Internet, Corporate, Attacker]

[...]

... Receiver's machine sniffs the packet and extracts the data; the OS sends a RST to the public server
• This process is repeated until all data is sent

Ncovert2 - How it works - Part 1
1. Sender and receiver agree on a shared secret, which is turned into a SHA-1 hash
2. Sender generates a random session key and creates the IP ID and source port from the SHA-1 hash and the session key
3. Sender XORs the file size and the session key to create the ISN...
... and source port, file size in ISN
5. Receiver sniffs for a packet to the destination address with destination port 80
6. Receiver extracts the session key from the IP ID and source port using the SHA-1 hash
7. Receiver extracts the file size from the ISN using the session key
8. Sender and receiver generate a session hash from the session key and the SHA-1 password hash for creating predictable source ports

Ncovert2 - How it works - ...
... with the previous ISN and session hash to create a new ISN, creates a packet with a random IP ID, the "predictable" source port, and the new ISN, and sends the packet. The sender also sends decoy packets. Destination ports on legitimate and decoy packets randomly use 1-65535, repeating as needed. The receiver sniffs packets, ignores packets without "predictable" destination ports, and uses the previous ISN and session hash to...

... over HTTP)

Covert Channel Hacking Tool: Web Shell
• "Web Shell" is a remote UNIX/Windows shell that tunnels packets via HTTP/HTTPS
• The client component provides a shell-like prompt, encapsulating user commands into HTTP POST requests and sending them to the server-part script on the target web server, directly or via an HTTP proxy server
• The server part extracts and executes commands from the HTTP POST requests and returns STDOUT and STDERR output as HTTP response messages
  - SSL support
  - Command-line history support
  - File upload/download

Covert Channel Hacking Tool: NCovert
• Ncovert is an open-source program designed to function as a TCP covert channel
• It is a file transfer system that uses...

... with a 'key' IP address. The client then starts a shell in a pipe and feeds the output of the shell (in the form of DNS queries) to the server

Covert Channel Using DNS Tunneling
[Figure: Server / Client exchange; the client sends Poll, the server returns Commands, the client executes the Commands]
Commands:
1. POLL
2. GET FILE TO CLIENT
3. PUT FILE TO SERVER
4. EXECUTE @CLIENT
5. EXIT CLIENT

DNS Tunnel Client
• The DNS Tunnel Client is a tool that...

... external server
  - Establish an external server shell from within the internal network
  - Establish a TCP/UDP/HTTP CONNECT | POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box within the internal network

Covert Channel Hacking Tool: Firepass
• Firepass is a tunneling tool that allows bypassing firewall restrictions and encapsulates...

... Firewall

In-Direct Attack Example
[Figure: INSIDER, Remote Control, Indirect Attack, Reverse Shell is Established, Hacker controlled host, Internal Network, Port Blocked by Web Server Request, Firewall, BLOCKED by the Firewall]

Reverse Connecting Agents
• Reverse connecting agents can be installed by:
  - E-mail (attachments, HTML social engineering)
  - Downloaded from the Web
  - CD-ROM...

... addresses can be changed to something "random", including decoy packets. Transmission should look like a TCP ping to port 80 followed by a full port scan, with random source addresses

Covert Channel Hacking via Spam E-mail Messages
• Covert channel communication via spam messages is difficult to detect because of the means of delivery
• By using keyword- or phrase-based communication with the back...

... Server

DNS Tunneling Countermeasures
• Separate internal from external DNS
• Apply firewall rule: allow DNS from internal HTTP proxy servers only
• Apply firewall rule: deny all other DNS packets

Covert Channel Using SSH
• Assuming SSH is allowed by the firewall, establish an SSH connection from inside-out
• Use this connection to gain access to the internal systems

... tunnel
  - Mail tunnel

Advanced Covert Attacks
[Figure: Network, DMZ, Proxy, Internet, Corporate, Attacker, LAN Proxy]

Standard Direct Connection
[Figure: Victim, Server, Attacker]

Reverse Shell
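The DNS tunneling slides above describe a client that polls its server through DNS queries and a countermeasure of restricting DNS at the firewall. As an added example that is not part of the EC-Council module, the following Python detector flags a client/zone pair that produces many unique, high-entropy query labels, which is what a polling tunnel client looks like in a resolver log. The log format, the sample lines, the thresholds and the two-label zone assumption are all mine.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the slides), one "<epoch> <client> <qtype> <qname>" per line.
# 10.0.0.7 behaves like a polling DNS tunnel client (unique, random-looking labels under one zone).
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000002 10.0.0.7 TXT a7f3e9c2b1d4.tun.example.net
1700000003 10.0.0.7 TXT 9e1c4b77aa02.tun.example.net
1700000004 10.0.0.7 TXT 0f4d2c8e63b9.tun.example.net
1700000005 10.0.0.7 TXT c31a5e8d97f0.tun.example.net
1700000006 10.0.0.5 A mail.example.com
1700000007 10.0.0.7 TXT 5b2e9d10c7a4.tun.example.net
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score near log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def zone_of(labels):
    """Assumption: the registrable zone is the last two labels (no public-suffix lookup)."""
    return ".".join(labels[-2:])

def analyze(log_text, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Return (client, zone) pairs whose query pattern looks like a DNS tunnel."""
    stats = defaultdict(lambda: {"count": 0, "subs": set(), "ent": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines instead of aborting the scan
        client, qname = parts[1], parts[3].rstrip(".")
        labels = qname.split(".")
        st = stats[(client, zone_of(labels))]
        st["count"] += 1
        st["subs"].add(".".join(labels[:-2]))  # everything below the zone
        if len(labels) > 2:
            st["ent"].append(shannon_entropy(labels[0]))  # leftmost label carries the payload
    findings = []
    for (client, zone), st in stats.items():
        if st["count"] < min_queries:
            continue
        unique_ratio = len(st["subs"]) / st["count"]
        avg_ent = sum(st["ent"]) / len(st["ent"]) if st["ent"] else 0.0
        if unique_ratio >= min_unique_ratio and avg_ent >= min_entropy:
            findings.append({"client": client, "zone": zone, "queries": st["count"],
                             "unique_ratio": round(unique_ratio, 2),
                             "avg_entropy": round(avg_ent, 2)})
    return findings
```

On the sample log `analyze(SAMPLE_LOG)` reports only 10.0.0.7 against example.net; the thresholds should be tuned against a baseline of the site's normal DNS traffic before use.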