Enterprise Intrusion Analysis

Student Guide

SC375_REVA

D62034GC10 Edition 1.0 D63867 Copyright © 2006, 2009, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information, is provided under a license agreement containing restrictions on use and disclosure, and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except as expressly permitted in your license agreement or allowed by law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Sun Microsystems, Inc. Disclaimer

This training manual may include references to materials, offerings, or products that were previously offered by Sun Microsystems, Inc. Certain materials, offerings, services, or products may no longer be offered or provided. Oracle and its affiliates cannot be held responsible for any such references should they appear in the text provided.

Restricted Rights Notice

If this documentation is delivered to the U.S. Government or anyone using the documentation on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS

The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. is a registered trademark licensed through X/Open Company, Ltd.

Table of Contents

About This Course ...... i
  Course Goals ...... i
  Course Map ...... ii
  Topics Not Covered ...... iii
  How Prepared Are You? ...... iv
  Introductions ...... v
  How to Use the Course Materials ...... vi
  Conventions ...... vii
  Icons ...... vii
  Typographical Conventions ...... viii

Introducing Enterprise Intrusion Analysis ...... 1-1
  Objectives ...... 1-1
  Additional Resources ...... 1-2
  Introducing Enterprise Intrusion Analysis ...... 1-3
  Identifying Attacker Methodology ...... 1-4
  Outsider Attacker Methodology ...... 1-4
  Insider Attacker Methodology ...... 1-6
  Identifying Investigator Methodology ...... 1-7
  Module Summary ...... 1-8

Enterprise Footprinting ...... 2-1
  Objectives ...... 2-1
  Additional Resources ...... 2-2
  Introducing Enterprise Footprinting ...... 2-3
  Least Disclosure and Privilege ...... 2-3
  Revealing Technical Engineering Methods ...... 2-4
  Finding Systems – Active Footprinting ...... 2-4
  Domain Name Service – DNS Queries ...... 2-5
  Domain Name Service – DNS Zone Transfers ...... 2-6
  Internet Control Messaging Protocol – Single ping Requests ...... 2-8
  Internet Control Messaging Protocol – Broadcast ping Requests ...... 2-8
  Discovering Open Ports and Services – Using telnet ...... 2-9
  Finding Systems – Passive Footprinting ...... 2-11
  Domain Registrar Queries ...... 2-11
  Google Search Engine Queries ...... 2-13
  Discovering Remote and Vulnerable Services ...... 2-16
  Banner Enumeration ...... 2-16
  TCP/UDP Port Scanning ...... 2-17
  Finding User Accounts ...... 2-21
  Querying the sendmail daemon ...... 2-21
  Querying Remote Account Information Services ...... 2-22
  Brute Force Log-in Attempts ...... 2-23
  Revealing Social Engineering Methods ...... 2-25
  Exploiting the People Factor – Conning ...... 2-25
  Appearance ...... 2-25
  Credibility ...... 2-26
  Distraction ...... 2-26
  Helpful Desires ...... 2-26
  Reactance ...... 2-27
  Fear ...... 2-27
  Exploiting the Proximity Factor ...... 2-28
  Dumpster Diving ...... 2-28
  Cell Phone Camera ...... 2-29
  Other Social Engineering Proximity Attacks ...... 2-29
  Module Summary ...... 2-30
  Exercise: Performing System Fingerprinting ...... 2-31
  Preparation ...... 2-31
  Task 1 – Using DNS and ICMP to Identify Target Systems ...... 2-31
  Task 2 – Using nmap and amap ...... 2-33
  Task 3 – Discovering User Accounts ...... 2-35
  Exercise Summary ...... 2-37
  Exercise Solutions ...... 2-38
  Task 1 – Using DNS and ICMP to Identify Target Systems ...... 2-38
  Task 2 – Using nmap and amap ...... 2-39
  Task 3 – Discovering User Accounts ...... 2-41

Obtaining Shell Access and Escalating Privileges ...... 3-1
  Objectives ...... 3-1
  Additional Resources ...... 3-2
  Defining Shell Access and Privilege Escalation ...... 3-3
  Identifying Programming and Software Flaws ...... 3-4
  Revealing and Exploiting Vulnerabilities ...... 3-5
  How Researchers Reveal Flaws ...... 3-5
  How Attackers Exploit Flaws ...... 3-6
  Defining a Buffer Overflow ...... 3-8
  Remote Buffer Overflow ...... 3-8
  Using a Remote Buffer Overflow ...... 3-11
  Finding Exploit Code ...... 3-11
  Examining the Exploit Code ...... 3-13
  Compiling the Exploit Code ...... 3-15
  Launching the Exploit ...... 3-15
  Examining a Local Buffer Overflow ...... 3-17
  Launching the Exploit ...... 3-17
  Defining a Trojan Horse ...... 3-19
  Accessing the root Account ...... 3-19
  Examining a Trojan Horse ...... 3-20
  Creating a Trojan Horse ...... 3-20
  Module Summary ...... 3-23

Acquiring root Access ...... 4-1
  Objectives ...... 4-1
  Additional Resources ...... 4-2
  Acquiring root Access ...... 4-3
  Introducing Backdoors ...... 4-4
  Exploring the Different Types of Backdoors ...... 4-5
  The Alternate root Account ...... 4-5
  The Set ID Shell Backdoor ...... 4-8
  The SUID Permission ...... 4-8
  Operation of a SUID Shell Backdoor ...... 4-10
  Bound Shell Backdoor ...... 4-11
  Reviewing Port Numbers ...... 4-11
  Reviewing the inetd Super Server ...... 4-13
  Creating a Bound Shell Backdoor ...... 4-14
  The Trusted Hosts Vulnerability ...... 4-16
  Configuration of the .rhosts Files ...... 4-17
  .rhosts File Format ...... 4-17
  Trusted root Account ...... 4-18
  Introducing ...... 4-20
  File System Rootkits ...... 4-20
  Examining a ...... 4-22
  Rootkit Installation Scripts ...... 4-22
  Replacement System Service Daemons ...... 4-22
  Replacement Shell Commands That Hide Rootkit Presence and Activity ...... 4-22
  Replacement /usr/bin/login Executables ...... 4-23
  Internet Relay Chat Programs for Illicit Communication ...... 4-24
  Using Rootkits ...... 4-25
  Introducing Kernel Rootkits ...... 4-27
  Kernel Rootkit Design ...... 4-29
  Examining a Kernel Rootkit – Sebek ...... 4-31
  Using a Kernel Rootkit ...... 4-32
  Interpreting the Data ...... 4-33
  Module Summary ...... 4-35
  Exercise: Securing root Access ...... 4-36
  Preparation ...... 4-36
  Task 1 – Installing a Bind Shell Backdoor ...... 4-37
  Task 2 – Using Rootkit Utilities to Hide Files ...... 4-39
  Exercise Summary ...... 4-42
  Exercise Solutions ...... 4-43
  Task 1 – Installing a Bind Shell Backdoor ...... 4-43
  Task 2 – Using Rootkit Utilities to Hide Files ...... 4-43

Encrypting and Obscuring Data ...... 5-1
  Objectives ...... 5-1
  Additional Resources ...... 5-2
  Reviewing Encryption Technology ...... 5-3
  Encryption Key Cryptography ...... 5-4
  Symmetric Key Encryption ...... 5-4
  Asymmetric Key Encryption ...... 5-6
  Hiding Malicious Data ...... 5-7
  Encrypting Malicious Data ...... 5-8
  Using the OpenSSL Utility ...... 5-8
  Encrypting a File ...... 5-8
  Decrypting a File ...... 5-10
  Using the GPG Utility ...... 5-10
  Encrypting Files ...... 5-11
  Introducing Digital Steganography ...... 5-14
  Steganography Methods ...... 5-15
  Insertion ...... 5-15
  Substitution ...... 5-15
  Using Digital Steganography ...... 5-15
  Steganography Tools ...... 5-16
  Hiding a File by Using Stego Utilities ...... 5-17
  Steganography Weakness ...... 5-18
  Introducing Anti-Forensics ...... 5-19
  Reviewing File Systems ...... 5-19
  Anti-Forensic Methods ...... 5-22
  Metadata Anti-Forensics ...... 5-22
  Hiding Files in Metadata ...... 5-22
  Using the bootblock Metadata ...... 5-23
  Using the Backup superblock Metadata ...... 5-25
  Introducing Loopback Device Anti-Forensics ...... 5-27
  Using the Loopback Device ...... 5-28
  Extended Attribute Anti-Forensics ...... 5-32
  Using Extended Attributes ...... 5-33
  Module Summary ...... 5-35
  Exercise: Hiding Malicious Data ...... 5-36
  Preparation ...... 5-36
  Task 1 – Using GPG to Encrypt Files ...... 5-37
  Task 2 – Hiding Files by Using Steganography ...... 5-40
  Task 3 – Hiding Files in bootblock Metadata ...... 5-43
  Exercise Summary ...... 5-45

Enterprise Log Analysis ...... 6-1
  Objectives ...... 6-1
  Additional Resources ...... 6-2
  Introducing Enterprise Log Analysis ...... 6-3
  Enterprise Log File Information ...... 6-3
  Enterprise Log File Formats ...... 6-4
  Reviewing Intrusion Access Points and Perimeters ...... 6-5
  Describing the Perimeter ...... 6-5
  Border Router ...... 6-5
  Intrusion Detection Sensor ...... 6-5
  Firewall ...... 6-6
  Describing the DMZ ...... 6-6
  Describing the Internal Network ...... 6-7
  Introducing Enterprise Service Log Files ...... 6-9
  Reading Perimeter Logs ...... 6-9
  Cisco Router ACL Logs ...... 6-10
  Cisco PIX™ Firewall Logs ...... 6-12
  IPtables Firewall Log ...... 6-13
  Solaris™ IPFilter Firewall Log ...... 6-15
  Snort Intrusion Detection Log ...... 6-16
  Reading DMZ Logs ...... 6-17
  Apache Web Server Logs ...... 6-18
  RFC 2821 SMTP Logs ...... 6-20
  Reading Internal Network Logs ...... 6-22
  Samba File Sharing Logs ...... 6-23
  Squid Web Proxy Logs ...... 6-25
  Reading Local System Logs ...... 6-27
  Syslog System Error Logs ...... 6-28
  System Core Files ...... 6-29
  Shell History Logs ...... 6-30
  Analyzing a Buffer Overflow Intrusion – Case Study ...... 6-31
  Examining the Firewall Log ...... 6-31
  Summarizing the Firewall Log ...... 6-37
  Examining the Snort Log ...... 6-38
  Examining the messages File ...... 6-39
  Examining Core Files ...... 6-40
  Case Study Summary ...... 6-41
  Analyzing a Web Server Intrusion – Case Study ...... 6-42
  Examining the Snort Log ...... 6-42
  Examining the Apache Access Log ...... 6-45
  Examining the Sendmail Mail Log ...... 6-48
  Case Study Summary ...... 6-49
  Module Summary ...... 6-50
  Exercise: Analyzing Enterprise Log Files ...... 6-51
  Preparation ...... 6-51
  Task 1 – Beginner: Analyze a System Probe ...... 6-52
  Task 2 – Intermediate: Analyze a Web Server Intrusion ...... 6-55
  Task 3 – Advanced: Analyzing a Buffer Overflow ...... 6-58
  Task 4 – Bonus: Analyzing a Web Server Defacement ...... 6-60
  Exercise Summary ...... 6-61
  Exercise Solutions ...... 6-62
  Task 1 – Beginner: Analyze a System Probe ...... 6-62
  Task 2 – Intermediate: Analyze a Web Server Intrusion ...... 6-65
  Task 3 – Advanced: Analyzing a Buffer Overflow ...... 6-68
  Task 4 – Bonus: Analyzing a Web Server Defacement ...... 6-70

System Access Intrusion Analysis ...... 7-1
  Objectives ...... 7-1
  Additional Resources ...... 7-2
  Introducing System Access Log Files ...... 7-3
  System Access Logging on a UNIX® System ...... 7-3
  Sample System Access Log File Entries ...... 7-4
  Default System Access Log Locations ...... 7-5
  Describing Log File Formats ...... 7-6
  ASCII Logs ...... 7-6
  Binary Logs ...... 7-6
  Identifying Information in System Access Logs ...... 7-7
  User Information ...... 7-7
  Time of Access Information ...... 7-7
  Location ...... 7-7
  Pseudo Terminal ...... 7-8
  Interpreting Standard UNIX® Access Log Files ...... 7-9
  Examining the messages Files ...... 7-9
  Reading the /etc/syslog.conf Configuration File ...... 7-10
  Examining the utmpx and wtmpx Log Files ...... 7-13
  Examining the lastlog File ...... 7-14
  Examining the sulog File ...... 7-14
  Interpreting Optional System Access Log Files ...... 7-16
  Examining the loginlog File ...... 7-16
  Examining the secure File ...... 7-17
  Examining the pacct File ...... 7-18
  Examining the Solaris™ Auditing Files ...... 7-19
  Categorizing Events ...... 7-19
  Locating the Solaris Auditing Audit Files ...... 7-20
  Interpreting and Filtering Solaris Auditing Audit Files ...... 7-21
  Detecting a System Intrusion with Solaris Auditing ...... 7-21
  Examining Log File Vulnerabilities ...... 7-24
  Attacking Log Files ...... 7-24
  Editing the wtmpx File ...... 7-25
  Applying System Access Log File Correlation ...... 7-26
  Determining Acceptable Usage ...... 7-26
  Applying a Correlation Methodology ...... 7-27
  Learn Which Account the Attacker Used, When, and Where ...... 7-27
  Determine What the Attacker Did ...... 7-29
  System Access Intrusion Summary ...... 7-30
  Module Summary ...... 7-31
  Exercise: System Access Intrusion Analysis ...... 7-32
  Preparation ...... 7-32
  Task 1 – Analysis of Illegal System Access ...... 7-33
  Exercise Summary ...... 7-36
  Exercise Solutions ...... 7-37
  Task 1 – Analysis of a Sun Solaris™ 10 System ...... 7-37

File System Intrusion Analysis ...... 8-1
  Objectives ...... 8-1
  Additional Resources ...... 8-2
  Introducing File System Intrusion Analysis ...... 8-3
  Establishing System and Utility Trust ...... 8-4
  Low Trust Level ...... 8-4
  Medium Trust Level ...... 8-4
  High Trust Level ...... 8-4
  Establishing Utility Trust ...... 8-5
  CD-ROM Utilities ...... 8-5
  Statically Compiled Utilities ...... 8-5
  Live UNIX® Distributions ...... 8-6
  Locating Backdoors on a System ...... 8-7
  Discovering Alternate root Accounts ...... 8-8
  Discovering Bound Shell Ports ...... 8-9
  Comparing Configuration Files ...... 8-9
  Checking Open Ports ...... 8-9
  Discovering the SUID Shell Backdoor ...... 8-12
  Introducing the find Command ...... 8-12
  Using the find Command to Locate Backdoors ...... 8-12
  Discovering Trusted Host Backdoors ...... 8-14
  Locating Rootkits on a System ...... 8-15
  Discovering Hidden Directories ...... 8-16
  Using the find Utility ...... 8-16
  Finding Replaced Utilities ...... 8-18
  Examining File Attributes ...... 8-18
  Examining System Calls ...... 8-20
  Examining File Integrity ...... 8-22
  Examining Programming Comments ...... 8-23
  Discovering Remote Command Utilities ...... 8-24
  Locating Remote Command Utilities ...... 8-25
  Discovering Network Sniffers ...... 8-28
  Introducing Automated File System Analysis ...... 8-31
  Using the Tool ...... 8-32
  Conducting a File System Scan ...... 8-33
  Using the chkrootkit Tool ...... 8-35
  Conducting a File System Scan ...... 8-35
  Using the Solaris™ Fingerprint Database ...... 8-36
  Conducting a File System Scan ...... 8-37
  Module Summary ...... 8-38
  Exercise: Conducting File System Intrusion Analysis ...... 8-39
  Preparation ...... 8-39
  Task 1 – Locate SUID Backdoors ...... 8-40
  Task 2 – Check for Remote Command Utilities ...... 8-42
  Task 3 – Locating a Network Sniffer ...... 8-45
  Task 4 – Identifying Replaced System Utilities ...... 8-48
  Task 5 – Locating a Linux Rootkit Using rkhunter ...... 8-50
  Exercise Summary ...... 8-52
  Exercise Solutions ...... 8-53
  Task 1 – Locating SUID Backdoors ...... 8-53
  Task 2 – Checking for Remote Command Utilities ...... 8-54
  Task 3 – Locating a Network Sniffer ...... 8-55
  Task 4 – Identify Replaced System Utilities ...... 8-55
  Task 5 – Locating a Linux Rootkit Using rkhunter ...... 8-58

System Memory Analysis ...... 9-1
  Objectives ...... 9-1
  Additional Resources ...... 9-2
  Introducing System Memory Analysis ...... 9-3
  Collecting System Memory Data ...... 9-4
  Types of Memory Information ...... 9-4
  System Memory Interfaces ...... 9-5
  Accessing the /dev/mem Device File ...... 9-5
  Accessing the proc File System ...... 9-5
  System Memory Collection Utilities ...... 9-6
  Using the netcat Utility ...... 9-7
  Using the gcore Utility ...... 9-8
  Analyzing System Memory ...... 9-9
  Converting System Memory Data Files ...... 9-10
  Identifying Attacker Activities ...... 9-11
  Module Summary ...... 9-13
  Exercise: System Memory Analysis ...... 9-14
  Preparation ...... 9-14
  Task – Analyze System Memory ...... 9-14
  Exercise Summary ...... 9-16
  Exercise Solutions ...... 9-17

Glossary ...... Glossary-1

Introducing Enterprise Intrusion Analysis i Copyright 2006 Sun Microsystems, Inc, All Rights Reserved. Sun Services, Revision A SC 375 - Enterprise Intrusion Analysis for Investigators