
Ethical hacking and countermeasures - part 27


Ethical Hacking
Version 5
Module 24
Covert Hacking
EC-Council
Insider Attacks
• Insider attacks are attacks initiated from inside-out
• Inside-out attacks try to initiate network connections from the trusted (corporate) to the untrusted (Internet) network
• These techniques are used to evade firewall filters
[Diagram: Outsider / Insider]
What is a Covert Channel?
• A covert channel is a mechanism for sending and receiving information between machines without alerting any firewalls and IDSs on the network
• The technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls will permit
[Diagram: Attacker - Internet - Firewall - Network]
Security Breach
• A covert channel constitutes a security breach because it involves a trusted insider sending information to an unauthorized outsider in a covert fashion
• For example, an employee wants to let an outsider know whether his company won a big contract
• The two could come up with a scheme to communicate this information secretly
Why Do You Want to Use a Covert Channel?
• Transfer a file from a victim machine to a hacker machine
• Transfer a file from a hacker machine to a victim machine
• Launch applications on the victim machine
• Interactive remote control access from the hacker machine to the victim machine
• Bypass any corporate filtered firewall rules
• Bypass corporate proxy server content filters
Motivation for a Firewall Bypass
• Surfing to filtered websites (e.g. www.certifiedhacker.com)
• Listening to Internet radio
• Chatting with Internet friends
• Administration of home web servers via SSH
• Uploading and downloading of special files (EXE, ZIP) which are filtered by the corporate content filter policy
• Using peer-to-peer techniques
• Who wants to bypass the firewall policy?
  • Advanced users from the internal network
  • Disgruntled employees
  • Hackers
Covert Channels Scope
Covert Channel: Attack Techniques
1. Implementing hacker code within the optional fields of an Internet-allowed protocol
   • DNS tunnel, ICMP tunnel
2. Tunneling hacker payload within the request and response of an Internet-allowed protocol
   • HTTP tunnel, e-mail tunnel
3. Running protocols on ports other than the ones they are normally assigned
   • For example, running IRC on port 80 (HTTP)
4. Misusing Internet-allowed protocols
   • Proxy CONNECT method
Simple Covert Attacks
• Simple covert attacks use direct channels to communicate to the Internet
• Direct channels
  • ACK tunnel
  • TCP tunnel (POP, Telnet, SSH)
  • UDP tunnel (syslog, SNMP)
  • ICMP tunnel
  • IPsec, PPTP
[Diagram: Attacker - Internet - Firewall - Corporate Network]
Advanced Covert Attacks
• Advanced covert attacks use proxified channels to communicate on the Internet
• Proxified channels
  • SOCKS SSL tunnel
  • HTTP/S tunnel (payload of HTTP = tunnel)
  • HTTP/S proxy CONNECT method tunnel
  • DNS tunnel
  • FTP tunnel
  • Mail tunnel
[Diagram: Attacker - Internet - DMZ Proxy - LAN Proxy - Corporate Network]
Standard Direct Connection
[Diagram: Attacker connects to Victim Server]
Reverse Shell (Reverse Telnet)
[Diagram: Victim Server connects back to Attacker]
Direct Attack Example
• Buffer overflow is an example of a direct attack
[Diagram: Hacker-controlled host -> Internal Network; web server request passed by the firewall; reverse shell is established]
Indirect Attack Example
[Diagram: Hacker-controlled host -> Internal Network; web server request BLOCKED by the firewall (port blocked by firewall); INSIDER provides remote control; reverse shell is established]
Reverse Connecting Agents
• Reverse connecting agents can be installed by:
  • E-mail (attachments, HTML social engineering)
  • Download from the Web
  • CD-ROM autostart program
  • ZIP drives
  • USB stick
  • iPod drives
Covert Channel Attack Tools
• Netcat
• DNS tunnel
• SSH reverse tunnel
• HTTP/S tunnel
• HTTPS proxy CONNECT method tunnel
• ICMP tunnel
Netcat
• Netcat is the most popular tool for reverse shell exploits
• Widely used as a payload in buffer overflows
DNS Tunneling
• The data is tunneled through DNS traffic
• How it works: the client does DNS lookups for a host in the delegated domain. If the server wants to connect, it responds with a 'key' IP address. The client then starts a shell in a pipe and feeds the output of the shell (in the form of DNS queries) to the server.
Covert Channel Using DNS Tunneling
[Diagram: Client polls Server (Poll, Poll, Poll); Server returns Commands; Client executes Commands]
1. POLL
2. GET FILE TO CLIENT
3. PUT FILE TO SERVER
4. EXECUTE @CLIENT
5. EXIT CLIENT
DNS Tunnel Client
• The DNS tunnel client is a tool that uses DNS queries to build up a tunnel to the DNS tunnel server, which is located on the Internet
• When the tunnel is established successfully, you have the capability to remote control your computer over the web site of the DNS tunnel server
DNS Tunneling Countermeasures
• Separate internal from external DNS
• Apply firewall rule: allow DNS from internal HTTP proxy servers only
• Apply firewall rule: deny all other DNS packets
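The DNS tunnel described on the preceding slides pushes its data through the query names the client sends, so the detection-side complement to the firewall rules above is to look for that pattern in the resolver's query log. The following is an added example and not code from the EC-Council courseware: a Python script that parses constructed BIND-style query log lines, groups queries per (client, zone), and flags groups whose subdomains are long and high-entropy or mostly use bulky record types (TXT, NULL). The log lines, hosts, zone names, the "zone = last two labels" split and all thresholds are assumptions for illustration.

```python
"""Flag DNS query patterns typical of a DNS tunnel client (added example, not courseware code)."""
import math
import re
from collections import defaultdict

# Constructed BIND-style query log lines; hosts, names and zones are made up.
# 10.0.0.5 makes ordinary lookups; 10.0.0.9 emits a burst of long hex labels
# under one zone, the shape a DNS tunnel client produces.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A +
client 10.0.0.5#51235: query: mail.example.com IN MX +
client 10.0.0.5#51236: query: update.vendor.example IN A +
client 10.0.0.5#51237: query: www.example.com IN AAAA +
client 10.0.0.9#40001: query: 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d.t.evil.example IN TXT +
client 10.0.0.9#40002: query: 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.evil.example IN TXT +
client 10.0.0.9#40003: query: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.t.evil.example IN NULL +
client 10.0.0.9#40004: query: 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.evil.example IN TXT +
client 10.0.0.9#40005: query: c0ffee1234deadbeef5678abcdef0123.t.evil.example IN TXT +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Record types that carry large free-form payloads (assumed list for this example).
BULKY_TYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(name: str):
    """Return (subdomain_labels, zone). The zone is taken as the last two labels, a
    simplifying assumption; production code would consult the public suffix list."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return [], name
    return labels[:-2], ".".join(labels[-2:])


def detect_dns_tunnels(log_text, min_queries=3, max_mean_len=24, min_entropy=3.5, bulky_ratio=0.5):
    """Group queries by (client, zone) and flag groups whose subdomains look like payload.
    A group is flagged when it has at least min_queries queries and the mean subdomain
    length or mean entropy exceeds its threshold, or most queries use bulky record types.
    Thresholds are illustrative and must be tuned against the site's own baseline."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip rather than fail on unrelated log entries
        sub_labels, zone = split_zone(m["name"])
        groups[(m["client"], zone)].append(("".join(sub_labels), m["qtype"].upper()))

    findings = []
    for (client, zone), queries in groups.items():
        if len(queries) < min_queries:
            continue
        subs = [s for s, _ in queries]
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        bulky = sum(1 for _, t in queries if t in BULKY_TYPES) / len(queries)
        if mean_len > max_mean_len or mean_ent > min_entropy or bulky >= bulky_ratio:
            findings.append({"client": client, "zone": zone, "queries": len(queries),
                             "mean_subdomain_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "bulky_type_ratio": round(bulky, 2)})
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunnels(SAMPLE_LOG):
        print(f"suspect tunnel: {f['client']} -> {f['zone']} "
              f"({f['queries']} queries, mean len {f['mean_subdomain_len']}, "
              f"entropy {f['mean_entropy']}, bulky types {f['bulky_type_ratio']})")
```

On the constructed log the benign host is never flagged (three short, low-entropy names under example.com), while the second host's five queries to evil.example trip all three indicators. In a real deployment the same grouping feeds a per-zone volume baseline, and a flagged zone is cross-checked against the proxy-only rule above, since any DNS traffic that did not originate from the internal HTTP proxies already violates policy.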
Covert Channel Using SSH
• Assuming SSH is allowed by the firewall, establish an SSH connection from inside-out
• Use this connection to gain access to the internal systems
Covert Channel Using SSH (Advanced)
• Use SSL if a proxy server is used internally and content filtering is enabled