Ethical Hacking Version 5 Module 24 Covert Hacking EC-Council Insider Attacks ¿ Insider attacks are attacks initiated from inside-out ¿ Inside-Out attacks try to initiate network connections from the trusted (corporate) to the untrusted (Internet) network ¿ These techniques are used to evade firewall filters Outsider Insider EC-Council What is Covert Channel? ¿A Covert channel is a mechanism for sending and receiving information data between machines without alerting any firewalls and IDS’s on the network ¿The technique derives its stealthy nature by virtue of the fact that it sends traffic through ports that most firewalls will permit through Network Firewall Internet Attacker EC-Council Security Breach ¿ A covert channel has a security breach because it involves a trusted insider who is sending information to an unauthorized outsider in a covert fashion. ¿ For example, an employee wants to let an outsider know if his company won a big contract ¿ The two could come up with a scheme to communicate this information secretly EC-Council Why Do You Want to Use Covert Channel? ¿ Transfer a file from a Victim machine to a hacker machine ¿ Transfer a file from hacker machine to victim machine ¿ Launch applications at victim machine ¿ Interactive remote control access from hacker machine to victim machine ¿ Bypass any corporate filtered firewall rules ¿ Bypass corporate proxy server content filters EC-Council Motivation of a Firewall Bypass? • Surfing to filtered websites (e.g. www.certifiedhacker.com) • Listening Internet radio • Chatting to Internet friends • Administration of home webservers via SSH • Uploading and downloading of special files (EXE, ZIP) which are filtered by the corporate content filter policy • Using peer-to-peer techniques ¿ Who wants to bypass the firewall policy? • Advanced users from the internal network • Disgruntled employees • Hackers EC-Council Covert Channels Scope EC-Council Covert Channel: Attack Techniques 1. Implementing hacker-code within the optional fields of an internet- allowed protocol • DNS tunnel, ICMP tunnel 2. Tunneling hacker-payload within the request and response of an internet allowed protocol • HTTP tunnel, E-Mail tunnel 3. Running other protocols on the desired ports than normally assigned • For example running IRC on port 80 (http) 4. Misusing internet-allowed protocols • Proxy connect method EC-Council Simple Covert Attacks ¿ Simple covert attacks use direct channels to communicate to the Internet ¿ Direct Channels • ACK tunnel • TCP tunnel (pop, telnet, ssh) • UDP tunnel (syslog, snmp) • ICMP tunnel • IPSEC, PPTP EC-Council Simple Covert Attacks Network Firewall Internet Corporate Attacker . Ethical Hacking Version 5 Module 24 Covert Hacking EC-Council Insider Attacks ¿ Insider attacks are. PPTP EC-Council Simple Covert Attacks Network Firewall Internet Corporate Attacker EC-Council Advanced Covert Attacks ¿ Advanced covert attacks use proxified