DOCSLIB.ORG

Security Power Tools.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

www.dbebooks.com - Free Books & magazines SECURITY POWER TOOLS ® Other computer security resources from O’Reilly Related titles Security Warrior SSH, The Secure Shell: The Snort Cookbook™ Definitive Guide Practical Unix and Internet TCP/IP Network Security Administration Essential System Network Security Hacks™ Administration Security Books security.oreilly.com is a complete catalog of O’Reilly’s books on Resource Center security and related technologies, including sample chapters and code examples. oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, pro- gramming languages, and operating systems. Conferences O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in document- ing the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit con- ferences.oreilly.com for our upcoming events. Safari Bookshelf (safari.oreilly.com) is the premier online refer- ence library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or sim- ply flip to the page you need. Try it today for free. SECURITY POWER TOOLS ® Bryan Burns, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, and Philippe Biondi Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Security Power Tools® by Bryan Burns, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, and Philippe Biondi Copyright © 2007 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editors: Mike Loukides and Colleen Gorman Indexer: Lucie Haskins Production Editor: Mary Brady Cover Designer: Mike Kohnke Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Mary Brady Illustrators: Robert Romano and Jessamyn Read Printing History: August 2007:First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Security Power Tools, the image of a rotary hammer, and related trade dress are trademarks of O’Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. This book uses RepKover™, a durable and flexible lay-flat binding. ISBN-10: 0-596-00963-1 ISBN-13: 978-0-596-00963-2 [C] Table of Contents Foreword . xiii Credits . xvii Preface . xxi Part I Legal and Ethics 1. Legal and Ethics Issues . 3 1.1 Core Issues 4 1.2 Computer Trespass Laws: No “Hacking” Allowed 7 1.3 Reverse Engineering 13 1.4 Vulnerability Reporting 22 1.5 What to Do from Now On 26 Part II Reconnaissance 2. Network Scanning . 31 2.1 How Scanners Work 31 2.2 Superuser Privileges 33 2.3 Three Network Scanners to Consider 34 2.4 Host Discovery 34 2.5 Port Scanning 37 2.6 Specifying Custom Ports 39 2.7 Specifying Targets to Scan 40 2.8 Different Scan Types 42 v 2.9 Tuning the Scan Speed 45 2.10 Application Fingerprinting 49 2.11 Operating System Detection 49 2.12 Saving Nmap Output 51 2.13 Resuming Nmap Scans 51 2.14 Avoiding Detection 52 2.15 Conclusion 54 3. Vulnerability Scanning . 55 3.1 Nessus 55 3.2 Nikto 72 3.3 WebInspect 76 4. LAN Reconnaissance . 86 4.1 Mapping the LAN 87 4.2 Using ettercap and arpspoof on a Switched Network 88 4.3 Dealing with Static ARP Tables 92 4.4 Getting Information from the LAN 94 4.5 Manipulating Packet Data 98 5. Wireless Reconnaissance . 101 5.1 Get the Right Wardriving Gear 101 5.2 802.11 Network Basics 102 5.3 802.11 Frames 103 5.4 How Wireless Discovery Tools Work 105 5.5 Netstumbler 105 5.6 Kismet at a Glance 107 5.7 Using Kismet 110 5.8 Sorting the Kismet Network List 112 5.9 Using Network Groups with Kismet 112 5.10 Using Kismet to Find Networks by Probe Requests 113 5.11 Kismet GPS Support Using gpsd 113 5.12 Looking Closer at Traffic with Kismet 114 5.13 Capturing Packets and Decrypting Traffic with Kismet 116 5.14 Wireshark at a Glance 117 5.15 Using Wireshark 119 5.16 AirDefense Mobile 122 5.17 AirMagnet Analyzers 126 5.18 Other Wardriving Tools 129 vi Table of Contents 6. Custom Packet Generation . 130 6.1 Why Create Custom Packets? 130 6.2 Hping 132 6.3 Scapy 136 6.4 Packet-Crafting Examples with Scapy 163 6.5 Packet Mangling with Netfilter 183 6.6 References 189 Part III Penetration 7. Metasploit . 193 7.1 Metasploit Interfaces 194 7.2 Updating Metasploit 200 7.3 Choosing an Exploit 200 7.4 Choosing a Payload 202 7.5 Setting Options 206 7.6 Running an Exploit 209 7.7 Managing Sessions and Jobs 212 7.8 The Meterpreter 215 7.9 Security Device Evasion 219 7.10 Sample Evasion Output 220 7.11 Evasion Using NOPs and Encoders 221 7.12 In Conclusion 224 8. Wireless Penetration . 225 8.1 WEP and WPA Encryption 225 8.2 Aircrack 226 8.3 Installing Aircrack-ng 227 8.4 Running Aircrack-ng 229 8.5 Airpwn 231 8.6 Basic Airpwn Usage 231 8.7 Airpwn Configuration Files 235 8.8 Using Airpwn on WEP-Encrypted Networks 236 8.9 Scripting with Airpwn 237 8.10 Karma 238 8.11 Conclusion 241 Table of Contents vii 9. Exploitation Framework Applications . 242 9.1 Task Overview 242 9.2 Core Impact Overview 244 9.3 Network Reconnaissance with Core Impact 246 9.4 Core Impact Exploit Search Engine 247 9.5 Running an Exploit 249 9.6 Running Macros 250 9.7 Bouncing Off an Installed Agent 253 9.8 Enabling an Agent to Survive a Reboot 253 9.9 Mass Scale Exploitation 254 9.10 Writing Modules for Core Impact 255 9.11 The Canvas Exploit Framework 258 9.12 Porting Exploits Within Canvas 260 9.13 Using Canvas from the Command Line 261 9.14 Digging Deeper with Canvas 262 9.15 Advanced Exploitation with MOSDEF 262 9.16 Writing Exploits for Canvas 264 9.17 Exploiting Alternative Tools 267 10. Custom Exploitation . 268 10.1 Understanding Vulnerabilities 269 10.2 Analyzing Shellcode 275 10.3 Testing Shellcode 279 10.4 Creating Shellcode 285 10.5 Disguising Shellcode 302 10.6 Execution Flow Hijacking 306 10.7 References 320 Part IV Control 11. Backdoors . 323 11.1 Choosing a Backdoor 324 11.2 VNC 325 11.3 Creating and Packaging a VNC Backdoor 327 11.4 Connecting to and Removing the VNC Backdoor 332 11.5 Back Orifice 2000 334 11.6 Configuring a BO2k Server 335 11.7 Configuring a BO2k Client 340 viii Table of Contents 11.8 Adding New Servers to the BO2k Workspace 342 11.9 Using the BO2k Backdoor 343 11.10 BO2k Powertools 345 11.11 Encryption for BO2k Communications 355 11.12 Concealing the BO2k Protocol 356 11.13 Removing BO2k 358 11.14 A Few Unix Backdoors 359 12. Rootkits . 363 12.1 Windows Rootkit: Hacker Defender 363 12.2 Linux Rootkit: Adore-ng 366 12.3 Detecting Rootkits Techniques 368 12.4 Windows Rootkit Detectors 371 12.5 Linux Rootkit Detectors 376 12.6 Cleaning an Infected System 380 12.7 The Future of Rootkits 381 Part V Defense 13. Proactive Defense: Firewalls . 385 13.1 Firewall Basics 385 13.2 Network Address Translation 389 13.3 Securing BSD Systems with ipfw/natd 391 13.4 Securing GNU/Linux Systems with netfilter/iptables 401 13.5 Securing Windows Systems with Windows Firewall/Internet Connection Sharing 412 13.6 Verifying Your Coverage 417 14. Host Hardening . 421 14.1 Controlling Services 422 14.2 Turning Off What You Do Not Need 423 14.3 Limiting Access 424 14.4 Limiting Damage 430 14.5 Bastille Linux 436 14.6 SELinux 438 14.7 Password Cracking 444 14.8 Chrooting 448 14.9 Sandboxing with OS Virtualization 449 Table of Contents ix 15. Securing Communications . 455 15.1 The SSH-2 Protocol 456 15.2 SSH Configuration 459 15.3 SSH Authentication 465 15.4 SSH Shortcomings 471 15.5 SSH Troubleshooting 476 15.6 Remote File Access with SSH 480 15.7 SSH Advanced Use 483 15.8 Using SSH Under Windows 489 15.9 File and Email Signing and Encryption 494 15.10 GPG 495 15.11 Create Your GPG Keys 499 15.12 Encryption and Signature with GPG 507 15.13 PGP Versus GPG Compatibility 509 15.14 Encryption and Signature with S/MIME 510 15.15 Stunnel 513 15.16 Disk Encryption 520 15.17 Windows Filesystem Encryption with PGP Disk 521 15.18 Linux Filesystem Encryption with LUKS 522 15.19 Conclusion 524 16.
Recommended publications
  • Uila Supported Apps

    Uila Supported Apps

    Uila Supported Applications and Protocols updated Oct 2020 Application/Protocol Name Full Description 01net.com 01net website, a French high-tech news site. 050 plus is a Japanese embedded smartphone application dedicated to 050 plus audio-conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also 10086.cn classifies the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese web portal operated by YLMF Computer Technology Co. Chinese cloud storing system of the 115 website. It is operated by YLMF 115.com Computer Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr Korean shopping website 11st. It is operated by SK Planet Co. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt Lithuanian news portal Chinese web portal 163. It is operated by NetEase, a company which 163.com pioneered the development of Internet in China. 17173.com Website distributing Chinese games. 17u.com Chinese online travel booking website. 20 minutes is a free, daily newspaper available in France, Spain and 20minutes Switzerland. This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Shared 2shared is an online space for sharing and storage.
  • La Sécurité Informatique Edition Livres Pour Tous (

    La Sécurité Informatique Edition Livres Pour Tous (

    La sécurité informatique Edition Livres pour tous (www.livrespourtous.com) PDF générés en utilisant l’atelier en source ouvert « mwlib ». Voir http://code.pediapress.com/ pour plus d’informations. PDF generated at: Sat, 13 Jul 2013 18:26:11 UTC Contenus Articles 1-Principes généraux 1 Sécurité de l'information 1 Sécurité des systèmes d'information 2 Insécurité du système d'information 12 Politique de sécurité du système d'information 17 Vulnérabilité (informatique) 21 Identité numérique (Internet) 24 2-Attaque, fraude, analyse et cryptanalyse 31 2.1-Application 32 Exploit (informatique) 32 Dépassement de tampon 34 Rétroingénierie 40 Shellcode 44 2.2-Réseau 47 Attaque de l'homme du milieu 47 Attaque de Mitnick 50 Attaque par rebond 54 Balayage de port 55 Attaque par déni de service 57 Empoisonnement du cache DNS 66 Pharming 69 Prise d'empreinte de la pile TCP/IP 70 Usurpation d'adresse IP 71 Wardriving 73 2.3-Système 74 Écran bleu de la mort 74 Fork bomb 82 2.4-Mot de passe 85 Attaque par dictionnaire 85 Attaque par force brute 87 2.5-Site web 90 Cross-site scripting 90 Défacement 93 2.6-Spam/Fishing 95 Bombardement Google 95 Fraude 4-1-9 99 Hameçonnage 102 2.7-Cloud Computing 106 Sécurité du cloud 106 3-Logiciel malveillant 114 Logiciel malveillant 114 Virus informatique 120 Ver informatique 125 Cheval de Troie (informatique) 129 Hacktool 131 Logiciel espion 132 Rootkit 134 Porte dérobée 145 Composeur (logiciel) 149 Charge utile 150 Fichier de test Eicar 151 Virus de boot 152 4-Concepts et mécanismes de sécurité 153 Authentification forte
  • The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual

    The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual

    The Samhain Host Integrity Monitoring System The Samhain Host Integrity Monitoring System This is version 2.4.3 of the Samhain manual. Copyright © 2002-2019 Rainer Wichmann Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation Licensefrom the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. This manual refers to version 4.4.0 of Samhain. Table of Contents 1. Introduction .............................................................................................................. 1 1. Backward compatibility ...................................................................................... 1 2. Compiling and installing ............................................................................................. 2 1. Overview ......................................................................................................... 2 2. Requirements .................................................................................................... 3 3. Download and extract ......................................................................................... 3 4. Configuring the source ......................................................................................
  • Cloaker: Hardware Supported Rootkit Concealment

    Cloaker: Hardware Supported Rootkit Concealment

    Cloaker: Hardware Supported Rootkit Concealment Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell Department of Computer Science University of Illinois at Urbana-Champaign 201 N Goodwin Ave, Urbana, IL 61801 {fdavid,emchan,jcarlyle,rhc}@uiuc.edu Abstract signers resorted to more complex techniques such as modi- fying boot sectors [33, 51] and manipulating the in-memory Rootkits are used by malicious attackers who desire to image of the kernel. These rootkits are susceptible to de- run software on a compromised machine without being de- tection by tools that check kernel code and data for alter- tected. They have become stealthier over the years as a ation [43, 13, 42, 21]. Rootkits that modify the system consequence of the ongoing struggle between attackers and BIOS or device firmware [25, 26] can also be detected by system defenders. In order to explore the next step in rootkit integrity checking tools. More recently, virtualization tech- evolution and to build strong defenses, we look at this issue nology has been studied as yet another means to conceal from the point of view of an attacker. We construct Cloaker, rootkits [31, 44]. These rootkits remain hidden by running a proof-of-concept rootkit for the ARM platform that is non- the host OS in a virtual machine environment. To counter persistent and only relies on hardware state modifications the threat from these Virtual Machine Based Rootkits (VM- for concealment and operation. A primary goal in the de- BRs), researchers have detailed approaches to detect if code sign of Cloaker is to not alter any part of the host oper- is executing inside a virtual machine [20].
  • A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools

    A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools

    International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-1, Issue-10, Dec-2013 A BRIEF STUDY AND COMPARISON OF, OPEN SOURCE INTRUSION DETECTION SYSTEM TOOLS 1SURYA BHAGAVAN AMBATI, 2DEEPTI VIDYARTHI 1,2Defence Institute of Advanced Technology (DU) Pune –411025 Email: [email protected], [email protected] Abstract - As the world becomes more connected to the cyber world, attackers and hackers are becoming increasingly sophisticated to penetrate computer systems and networks. Intrusion Detection System (IDS) plays a vital role in defending a network against intrusion. Many commercial IDSs are available in marketplace but with high cost. At the same time open source IDSs are also available with continuous support and upgradation from large user community. Each of these IDSs adopts a different approaches thus may target different applications. This paper provides a quick review of six Open Source IDS tools so that one can choose the appropriate Open Source IDS tool as per their organization requirements. Keywords - Intrusion Detection, Open Source IDS, Network Securit, HIDS, NIDS. I. INTRODUCTION concentrate on the activities in a host without considering the activities in the computer networks. Every day, intruders are invading countless homes On the other hand, NIDS put its focus on computer and organisations across the country via virus, networks without examining the hosts’ activities. worms, Trojans, DoS/DDoS attacks by inserting bits Intrusion Detection methodologies can be classified of malicious code. Intrusion detection system tools as Signature based detection, Anomaly based helps in protecting computer and network from a detection and Stateful Protocol analysis based numerous threats and attacks.
  • The Forseti Distributed File Integrity Checker

    The Forseti Distributed File Integrity Checker

    Cluster Security with NVisionCC: The Forseti Distributed File Integrity Checker Adam J. Lee†‡, Gregory A. Koenig†‡, and William Yurcik† †National Center for Supercomputing Applications ‡Department of Computer Science University of Illinois at Urbana-Champaign {adamlee, koenig, byurcik}@ncsa.uiuc.edu Abstract for a number of malicious actions. In many cases, the password used to log into a single node can be used Attackers who are able to compromise a single node to access a large number of nodes in the system, al- in a high performance computing cluster can use that lowing the attacker to utilize the vast computing and node as a launch point for a number of malicious ac- storage capabilities of the compromised cluster to carry tions. In many cases, the password used to log into out brute-force password cracking, launch distributed a single node can be used to access a large number of denial of service attacks, or serve illegal digital content. nodes in the system, allowing the attacker to utilize the Additionally, an attacker can listen to network traffic vast computing and storage capabilities of the compro- for other users to log into their compromised nodes in mised cluster to sniff network traffic, carry out brute- hopes of learning passwords for other accounts on these force password cracking, launch distributed denial of systems. service attacks, or serve illegal digital content. Often, The recent rise in popularity of grid computing has these types of attackers modify important system files exacerbated this problem by increasing the amount to collect passwords to other accounts, disable certain of damage that can be caused with a single compro- logging facilities, or create back-doors into the system.
  • I3FS: an In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University

    I3FS: an In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University

    I3FS: An In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University Appears in the proceedings of the 18th USENIX Large Installation System Administration Conference (LISA 2004) Abstract System administrators must stay alert to protect their systems against the effects of malicious intrusions. In Today, improving the security of computer systems this process, the administrators must first detect that an has become an important and difficult problem. Attack- intrusion has occurred and that the system is in an in- ers can seriously damage the integrity of systems. At- consistent state. Second, they have to investigate the tack detection is complex and time-consuming for sys- damage done by attackers, like data deletion, adding in- tem administrators, and it is becoming more so. Current secure Trojan programs, etc. Finally, they have to fix integrity checkers and IDSs operate as user-mode utili- the vulnerabilities to avoid future attacks. These steps ties and they primarily perform scheduled checks. Such are often too difficult and hence machines are mostly re- systems are less effective in detecting attacks that hap- installed and then reconfigured. Our work does not aim pen between scheduled checks. These user tools can be at preventing malicious intrusions, but offers a method easily compromised if an attacker breaks into the sys- of notifying administrators and restricting access once tem with administrator privileges. Moreover, these tools an intrusion has happened, so as to minimize the effects result in significant performance degradation during the of attacks. Our system uses integrity checking to detect checks.
  • SM User Guide

    SM User Guide

    Oracle® Communications Tekelec Virtual Operating Environment Licensing Information User Manual Release 3.5 E93070-01 November 2017 Copyright ©2010, 2017 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
  • How Attackers Break Programs, and How to Write Programs More Securely

    How Attackers Break Programs, and How to Write Programs More Securely

    How Attackers Break Programs, and How To Write Programs More Securely Matt Bishop Department of Computer Science University of California at Davis Davis, CA 95616-8562 United States of America email: [email protected] www: http://seclab.cs.ucdavis.edu/~bishop phone: +1 (530) 752-8060 © 2002 by Matt Bishop This page deliberately left blank. That is, this page would have been blank except that we had to put the notice "this page deliberately left blank" on it. Otherwise, you might have seen the blank page and worried that someone left a page out of your booklets. So, we put a note on the blank page to assure you that no-one forgot to put something on this page; indeed, we intended for it to be blank. But we could not live up to our intentions, for the reason stated above, so we couldn't put a blank page in here. We had to put a page with some writing on it. So we couldn't put the notice "this page deliberately left blank" because it's not true and, if we couldn't tell when a page is blank, you'd doubt the veracity of everything we did. So we wrote this paragraph to ... oh, heck, forget it. Table of Contents sections slides Overview..................................... 1— 13 Attacking Programs ........................... 14—123 Overview .......................14 — 20 Users and Privilege ...............21 — 29 Environment ....................30 — 48 Buffer Overflow ..................49 — 70 Numeric Overflow ................71 — 76 Validation and Verification .........77 — 92 Race Conditions..................93—112 Denial of Service ............... 113—121 Environment .................. 122—123 Writing Better Programs ......................124—379 Overview ....................
  • A Toolkit for Detecting and Analyzing Malicious Software

    A Toolkit for Detecting and Analyzing Malicious Software

    A Toolkit for Detecting and Analyzing Malicious Software Michael Weber, Matthew Schmid & Michael Schatz David Geyer Cigital, Inc. [email protected] Dulles, VA 20166 g fmweber, mschmid, mschatz @cigital.com Abstract the virus or Trojan horse performs malicious actions unbe- knownst to the user. These programs often propagate while In this paper we present PEAT: The Portable Executable attached to games or other enticing executables. Analysis Toolkit. It is a software prototype designed to pro- Malicious programmers have demonstrated their cre- vide a selection of tools that an analyst may use in order ativity by developing a great number of techniques through to examine structural aspects of a Windows Portable Ex- which malware can be attached to a benign host. Several ecutable (PE) file, with the goal of determining whether insertion methods are common, including appending new malicious code has been inserted into an application af- sections to an executable, appending the malicious code ter compilation. These tools rely on structural features of to the last section of the host, or finding an unused region executables that are likely to indicate the presence of in- of bytes within the host and writing the malicious content serted malicious code. The underlying premise is that typi- there. A less elegant but effective insertion method is to cal application programs are compiled into one binary, ho- simply overwrite parts of the host application. mogeneous from beginning to end with respect to certain Given the myriad ways malicious software can attach to structural features; any disruption of this homogeneity is a benign host it is often a time-consuming process to even a strong indicator that the binary has been tampered with.
  • Classifying Application Flows and Intrusion Detection in Internet Traffic

    Classifying Application Flows and Intrusion Detection in Internet Traffic

    THÈSE Pour obtenir le grade de DOCTEUR DE L’UNIVERSITÉ DE GRENOBLE Spécialité : Informatique Arrêté ministérial : 7 août 2006 Présentée par Maciej KORCZYNSKI´ Thèse dirigée par Andrzej Duda préparée au sein de UMR 5217 - LIG - Laboratoire d’Informatique de Grenoble et de École Doctorale Mathématiques, Sciences et Technologies de l’Information, Informatique (EDMSTII) Classifying Application Flows and Intrusion Detection in Internet Traffic Thèse soutenue publiquement le 26 Novembre 2012, devant le jury composé de : Mr Jean-Marc Thiriet Professeur, Université Joseph Fourier, Président Mr Philippe Owezarski Chargé de recherche au CNRS, Université de Toulouse, Rapporteur Mr Guillaume Urvoy-Keller Professeur, Université de Nice, Rapporteur Mr Andrzej Pach Professeur, AGH University of Science and Technology, Examinateur Mr Andrzej Duda Professeur, Grenoble INP - ENSIMAG, Directeur de thèse iii Acknowledgments I would like to thank most especially my supervisor and mentor Prof. Andrzej Duda. You taught me a great deal about how to do research. Thank you for your trust and freedom in exploring different research directions. I would like to express my gratitude for your contributions to this work including sleepless nights before deadlines and your invaluable support in my future projects. I am also very grateful to Dr. Lucjan Janowski and Dr. Georgios Androulidakis for your guidance, patience, and encouragement at the early stage of my research. Thanks for all that I have learnt from you. I would like to thank Marcin Jakubowski for sharing your network administrator experience and packet traces without which this research would not have been possible. I am also thankful to my friends from the Drakkar team, especially to Bogdan, Ana, Isa, Nazim, Michal, my office mates Carina, Maru, Mustapha, and Martin as well as my friends from other teams, especially to Sofia, Azzeddine, and Reinaldo for sharing the ”legendary” and the more difficult moments of PhD students life.
  • An Analysis of Instant Messaging and E- Mail Access Protocol Behavior in Wireless Environment

    An Analysis of Instant Messaging and E- Mail Access Protocol Behavior in Wireless Environment

    An Analysis of Instant Messaging and E- mail Access Protocol Behavior in Wireless Environment IIP Mixture Project Simone Leggio Tuomas Kulve Oriana Riva Jarno Saarto Markku Kojo March 26, 2004 University of Helsinki - Department of Computer Science i TABLE OF CONTENTS 1 Introduction ..................................................................................................................................... 1 PART I: BACKGROUND AND PROTOCOL ANALYSIS ............................................................. 1 2 Instant Messaging............................................................................................................................ 1 3 ICQ.................................................................................................................................................. 3 3.1 Overview ................................................................................................................................. 3 3.2 Protocol Operation .................................................................................................................. 4 3.2.1 Client to Server................................................................................................................4 3.2.2 Client to Client ................................................................................................................5 3.2.3 Normal Operation............................................................................................................ 5 3.2.4 Abnormal Operation.......................................................................................................