Hack in the Box (HITB) Magazine - Vol 1 Issue 3 - Jul 2010 PDF

41 Pages·2010·16.12 MB·English
Volume 1, Issue 3, July 2010
www.hackinthebox.org

Cover Story: Using Kojonet Open Source Low Interaction Honeypot (page 4)
Chinese Malware Factory (page 24)
URL Shorteners Made My Day! (page 68)

EDITORIAL

Dear Reader,

Welcome to Issue 003 of the HITB Magazine!

We're really super excited about the release of this issue as it coincides with our first ever HITB security conference in Europe, HITBSecConf 2010 - Amsterdam! The design team has come up with (what we feel) is an even better and more refined layout, and our magazine now has its own site! You'll now find all the past and current issues of the magazine for download at http://magazine.hitb.org/ or http://magazine.hackinthebox.org/.

Also in conjunction with our first European event, we have lined up an interview with Dutch master lockpicker and founder of The Open Organization of Lock Pickers (TOOOL), Barry Wels.

We hope you enjoy the issue and do stay tuned for Issue 004, which we'll be releasing in October at HITBSecConf 2010 - Malaysia. In addition to the electronic release, we're hoping to have a very "limited edition" print issue exclusively for attendees of HITBSecConf 2010 - Malaysia!

Enjoy the summer and see you in October!

Dhillon Andrew Kannabhiran
Editorial Advisor

Editor-in-Chief: Zarul Shahrin
Editorial Advisor: Dhillon Andrew Kannabhiran
Technical Advisor: Gynvael Coldwind
Design: Shamik Kundu
Website: Bina

Hack in The Box – Keeping Knowledge Free
dhillon@hackinthebox.org
http://www.hackinthebox.org
http://forum.hackinthebox.org
http://conference.hackinthebox.org

CONTENTS

Information Security
Cover Story: Using Kojonet Open Source Low Interaction Honeypot (4)
A Brief Overview on Satellite Hacking (16)

Malware Analysis
Chinese Malware Factory (24)

Windows Security
Reserve Objects in Windows 7 (34)

Application Security
Javascript Exploits with Forced Timeouts (42)
Non-Invasive Invasion: Making the Process Come to You (48)
IAT and VMT Hooking Techniques (62)

Web Security
URL Shorteners Made My Day! (68)

Book Review
ModSecurity Handbook (76)

Interview
Barry Wels (78)


INFORMATION SECURITY

Using Kojonet Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post Compromise Attacker Behavior
By Justin C. Klein Keane

Honeypots can be used to monitor attacker behavior during and after compromise of a system set up for this express purpose. Although we can only guess at attacker motivation, through traffic analysis we are able to infer the types of resources that attackers consider valuable. The preponderance of log evidence of failed SSH attempts by unknown users implies that SSH servers are assets to which attackers are attempting to gain entrance.

By deploying honeypots that simulate resources we know attackers will target, namely SSH servers, we are able to catalog post compromise behavior. Because certain honeypots present inherent risks, by utilizing software based, low interaction honeypots we can mitigate risk while still providing a rich target environment within which to collect data about attacker activity.

INTRODUCTION

Secure Shell, or SSH, is an encrypted remote connection mechanism common on most Linux and Unix operating systems. The SSH protocol is specified in a series of IETF RFCs by Ylonen and Lonvick, including RFC 4254, the SSH Connection Protocol1. SSH allows users to authenticate to remote machines and access an interactive command line, or shell. Although SSH can be configured to use alternate ports, the well known port 22 is registered for SSH2. There are many methods available for SSH authentication in most implementations. The default method of authentication in many distributions, however, is based on username and password.

Given the ability to access many SSH servers using simple usernames and passwords over a well understood protocol, it is unsurprising that brute force, or password guessing, attacks against SSH servers have become common. The SSH protocol is open and well defined. Several developer libraries and APIs exist to implement SSH clients quickly and easily. Many automated attacker tools allow users to easily perform point-and-click password guessing attacks against SSH servers. Much like port scanning3, SSH brute force attacks have become a part of the background noise of the internet. Virtually any administrator running an SSH server need look no further than their SSH server logs to find evidence of password guessing attacks.

SSH BRUTE FORCE ATTACKS

Given the preponderance of SSH brute force attacks it is worthwhile to explore the motivations of attackers. Unfortunately, without any data, these motivations remain a mystery. In order to attempt to understand the goals of attackers, or defend against them, it becomes necessary to collect concrete data about SSH brute force attacks.

One goal of collecting data about brute force attacks is to fingerprint post compromise behavior. We assume that the goals of attackers are separate and distinct from those of regular system users. Because malicious users are attempting to utilize system resources in non-traditional ways it may be possible to spot this type of anomalous behavior. It may be impossible to identify malicious users based on usernames and passwords alone, for instance in the case that an attacker has compromised, or guessed, a legitimate user's credentials. For this reason fingerprinting behavior immediately following a successful authentication becomes important. Fingerprinting is the process of identifying trends or commonalities amongst attacker behavior (consisting of system commands issued) that might distinguish it from legitimate user behavior. If it is possible to develop a signature of malicious behavior then that signature can be used to identify compromise. This process would not prevent attacks, but would suffice to alert administrators of a compromise soon after it had taken place to minimize damage and contain incidents. Such early identification is critical to containing damage caused by intrusions and forms an additional layer of defense, supporting the defense in depth principle.

HONEYPOTS

Honeypots were first popularized by the Honeynet Project4 and Lance Spitzner's Know Your Enemy5. A honeypot is a vulnerable, or deliberately insecurely configured, system that is connected to the internet and carefully monitored. There are many motivations for deploying a honeypot. Some honeypots are deployed to distract attackers from more valuable assets and to waste attacker resources on "fake" targets. This strategy is of debatable merit as there is little chance of accurately gauging the success of such a honeypot, especially if compromise of legitimate assets goes undetected. Another use of the honeypot is as a type of early warning system: if the honeypot detects malicious traffic from an asset within the organization, a compromise of that asset can be inferred. Where the honeypot returns its most value, however, is when exposed to the internet in order to observe and analyze attack traffic and attacker behavior independent of an organization's internal configuration.

There are a number of reasons why honeypots are difficult to deploy in this last mode. In addition to significant time requirements, there is also inherent difficulty in setting up a system that is attractive to attackers. Additionally, such a system will likely invite damage by the attackers and will require a rebuild after use. Furthermore, it is no simple task to configure an effective monitoring system that will not alert an attacker to observation.

In addition to logistical considerations, of significant concern in deploying such a honeypot on the internet is the possibility for "downstream liability"6. If such a system were to be compromised by an attacker, and then the attacker were to use the system as a pivot point or launching pad to attack other resources, there could be serious consequences. If the honeypot were used to attack third party systems then the honeypot maintainer could be culpable in facilitating a compromise. If the honeypot were used to attack internal systems then it could potentially bypass authorization rules that prohibited connections from outside hosts. Using such a pivot point whereby an attacker compromised the honeypot in order to attack other assets that might not be routable from the wider internet could create significant problems.

Furthermore, to be of any value, a honeypot must be analyzed after it is compromised. This forensic work can often be extremely time consuming and may or may not result in valuable intelligence. Even though the advent of virtualization has significantly reduced the overhead of configuring and deploying honeypots7, tools designed to significantly streamline post compromise analysis simply do not yet exist. Without adequate time and suitable analysts much of the value of honeypots is lost.

For all of these reasons honeypots should only be deployed with extreme caution and only after consultation with others within your organization to determine acceptable risk.

High Interaction Honeypots

Traditional honeypots consist of full systems that are set up and configured from the hardware layer up to the application layer. Such a configuration provides a rich environment for attackers to interact with and can serve to collect data about a wide variety of vulnerabilities, attack methods, and post compromise behavior. By providing an attacker with a realistic environment you are most likely to collect useful intelligence. Honeypots of this style are known as "high interaction honeypots" because they provide the widest array of response.

High interaction honeypots have significant downsides. Careful consideration must be given to the configuration of egress rules for high interaction honeypots in order to minimize the possibility of downstream liability. Furthermore, encrypted protocols present problems when monitoring traffic to and from a high interaction honeypot. These reasons, combined with the high deployment, rebuild, and maintenance overhead, make high interaction honeypots unattractive to many organizations.

Low Interaction Honeypots

Low interaction honeypots were developed to address many of the deficiencies of traditional, high interaction honeypots. Low interaction honeypots consist of software systems that simulate specific aspects of complete systems. Because they are implemented in software, low interaction honeypots present significant safety improvements over high interaction honeypots. Low interaction honeypots can strictly monitor and limit both inbound and outbound traffic. Low interaction honeypots can restrict functionality and can more safely contain malicious attacker activity.

METHODOLOGY

For the purposes of this study, Kojoney8, written by Jose Antonio Coret, was used as a foundation. Kojoney is an open source low interaction honeypot implemented in Python. Kojoney simulates an SSH server, listening on port 22. Kojoney uses the popular OpenSSL9 and Python's Twisted Conch10 libraries to negotiate SSH handshakes and set up connections.

Kojoney utilizes a list of usernames and passwords that can be used to access the system. This means that not all connection attempts will be successful. Once a connection has been established Kojoney presents attackers with what appears to be an interactive shell. Commands issued by attackers are interpreted by Kojoney and attackers are returned responses based on definitions from within the Kojoney package. The only system functionality available to attackers is 'wget' or 'curl' for fetching remote files. However, even this functionality is limited. Any material downloaded by Kojoney at the direction of attackers is actually stored in a location specified by the Kojoney configuration. After download, the attacker is not able to interact with the retrieved material. This allows for the capture of malware, rootkits, or other material that an attacker would typically move onto a compromised system.

Considerations with Kojoney

Because Kojoney is open source it is easily customizable11. However, the source code is also freely available to attackers. It is worthwhile, therefore, to spend some time customizing the output of Kojoney in order to implement any additional functionality desired as well as to evade detection attempts by attackers.

As with all software, Kojoney is not immune from security vulnerabilities12. It is important to follow security news outlets for notification of any vulnerability discovered in Kojoney, or its supporting packages, and keep your installation up to date.

Deficiencies

Kojoney deliberately limits functionality. Although the installation utilized for this study was heavily modified, there was certain functionality that was not simulated. The most noticeable of these was the inability for an attacker to interact with packages that were downloaded. This meant that attackers could download toolkits but they could not actually inflate compressed packages or execute binaries. Kojoney responds with a vague error message if it cannot simulate functionality. When attackers encounter this behavior it is common for their session to end. Because Kojoney does not simulate a full system, once an attacker attempts complex interaction it was common for attackers to terminate their sessions after encountering commands that do not produce desired results.

RESULTS

For the purposes of this study a modified Kojoney low interaction SSH honeypot was deployed on commodity hardware and connected to the live internet with a dedicated IP address. Kojoney was configured to run on the standard SSH port 22 with a separate interface configured for management. The system was left on and running consistently over a period of roughly six months, from October 27, 2009, to May 3, 2010. During this time 109,121 login attempts were observed from 596 distinct IP addresses. Of these distinct IP addresses over 70 participated in brute force attacks separated by more than 24 hour time intervals. The longest span of time between attacks from the same IP address was 135 days, wherein a single IP address participated in over 6 distinct attacks.

Most popular time

Examining the timing of attacks based on the time of day on a 24 hour scale in Eastern Standard Time yields some interesting information. Attacks seem to be fairly evenly spaced throughout the day but spike around noon and late at night. The hour between noon and 1 PM saw the most activity with 9,017 login attempts.

Figure 1. Hours of Attack (bar chart: login attempts per hour of day, 00 to 23, Eastern Standard Time; peak of 9,017 in the 12:00 hour)

The number of attacks over months seemed to vary somewhat as well, with sharp spikes in the number of attacks in January 2010 and April 2010. The following table does not include data from October 2009 and May 2010 because collection during those months was limited to a few days.

Figure 2. Distinct IPs by Month
Month and year   Number of login attempts   Distinct IPs
November 2009     9,464     69
December 2009    11,114     76
January 2010     25,385     99
February 2010    18,439     81
March 2010       11,515     88
April 2010       22,477    137

Examining the popularity of certain days for attacks also provides some interesting insight. Apparently Sunday and Wednesday are the most popular days to launch SSH brute force attacks. Given the global nature of the internet and timezone differences, however, this data may not provide any real value.

Figure 3. Attacks by Weekday
Day of week   Number of login attempts
Sunday        20,674
Monday        11,211
Tuesday        9,248
Wednesday     23,484
Thursday      18,098
Friday        14,141
Saturday      12,265

Countries

IP addresses are assigned to internet service providers in blocks that are then subdivided to their customers. Using these assignments it is possible to locate the country to which a specific address is assigned. Examining the data for country assignments of IP addresses which participated in attacks provides some stark details. China contained the highest number of distinct IP addresses for attacks. However, Romania (a country with less than 2% of China's population) was the source of roughly the same number of attacks as China. The US was the third most common place of origin, but had half the total number of distinct IP addresses of China and Romania. Together, China, Romania, and the US accounted for nearly half of all the distinct IP addresses of origin for attacks.

Figure 4. Attacker IP by Country (distinct IP addresses)
China 118, Romania 111, US 52, Korea 27, Spain 25, Italy 17, Germany 14, Brazil 14, France 11, Netherlands 11, UK 11, Macedonia 7, Canada 7, Russia 7, Taiwan 7, India 6

It is important to note that the geographic location of IP assignments may not necessarily correspond with their physical address, nor does it necessarily correspond to the nationality of the attacker. It is entirely possible that attacks observed were carried out from compromised hosts controlled by a third party located at a totally different internet or geographic location.

Most popular usernames

13,554 distinct usernames were attempted over 109,121 login attempts. Usernames were interesting because there were many common system usernames (such as root) or usernames associated with services, such as oracle, postfix, backuppc, webmail, etc. Some usernames such as jba120 could potentially have been harvested from previously compromised systems or generated by brute force. Some usernames, such as 'aa', were most certainly generated via brute force. Some usernames such as 'P4ssword', 'Access' and 'denied' may have resulted from misconfigured attack utilities. 'Root' was by far and away the most popular username, accounting for nearly half (45,403) of all attempts, compared with the next most popular username, 'test', with 4,128 attempts, then 'admin' and 'oracle' with over 1,000, followed by 62 other usernames with more than 100 login attempts. While many of these were common system accounts or common names (such as 'mike' or 'michael', the 67th and 60th most common username respectively) there were some interesting stand outs. The username 'prueba' (Spanish for proof) was used 149 times (the 56th most common name) from 19 different IP addresses. Surprisingly these 19 IP addresses were spread across the globe and not necessarily all from Spanish speaking countries. Other interesting common usernames were 'zabbix' (an open source network monitoring utility) with 118 attempts, 'amanda' (a common Unix backup service) with 143 attempts, and 'ts' with 119 attempts (per the table of the 100 most common logins).

Figure 6. Common Passwords
Password   Count
123456     2361
root       2111
test       2084
password   1283
qwerty      855
1234        839
123         690
1q2w3e      615
12345       546
changeme    460
oracle      421
abc123      376
welcome     369
admin       337
1a2b3c      315
redhat      314
master      309
ad4teiubesc26051986   295
111111      280
1           270

In addition to attempting to log in, attackers also executed commands on the honeypot.

Figure 4 (as labelled in the original). Distinct Commands / Commands with Arguments (occurrences): ls 538, cd 338, wget 308, w 303, ls -a 255, [blank] 196, uname 179, cat /proc/cpuinfo 94
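The login statistics above (attempts per username, per hour and per weekday, distinct source addresses) can be reproduced against an ordinary sshd log, which is where the article says any administrator will find the evidence in the first place. The following is an added example written for this edition, not code from the article or from Kojoney. It parses OpenSSH "Failed password" syslog lines, builds the same breakdowns, and flags a source once it exceeds a threshold of failures inside a sliding window; the 5-in-10-minutes threshold is an assumption chosen for the example. The log lines are constructed, and the year is passed in because syslog timestamps omit it.

```python
"""Brute-force statistics from an OpenSSH auth log (added example).

Not Kojoney code. Parses standard sshd "Failed password" lines and produces
the breakdowns the honeypot study reports (attempts per username, per hour of
day, per weekday, distinct source IPs) plus a sliding-window burst detector.
Sample log lines below are constructed; the year is supplied by the caller
because syslog timestamps omit it.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH: "Failed password for [invalid user ]<name> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_failed_logins(lines, year):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not counted
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def summarize(events):
    """Aggregate the breakdowns used in the study from parsed events."""
    by_user, by_hour, by_weekday = Counter(), Counter(), Counter()
    ips = set()
    for ts, user, ip in events:
        by_user[user] += 1
        by_hour[ts.hour] += 1
        by_weekday[ts.strftime("%A")] += 1
        ips.add(ip)
    return {"attempts": sum(by_user.values()), "by_user": by_user,
            "by_hour": by_hour, "by_weekday": by_weekday,
            "distinct_ips": len(ips)}


def detect_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was first crossed} for sources with at
    least `threshold` failures inside any `window` (assumed values)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample: one source hammering root and service accounts, a
# second trying accounts slowly, one accepted key login, one user typo.
SAMPLE_LOG = """\
Jan 10 12:14:01 bastion sshd[2210]: Failed password for root from 203.0.113.5 port 4412 ssh2
Jan 10 12:14:03 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 4413 ssh2
Jan 10 12:14:05 bastion sshd[2212]: Failed password for root from 203.0.113.5 port 4414 ssh2
Jan 10 12:14:08 bastion sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 4415 ssh2
Jan 10 12:14:10 bastion sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 4416 ssh2
Jan 10 12:14:12 bastion sshd[2215]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Jan 10 23:02:40 bastion sshd[3100]: Failed password for invalid user postgres from 198.51.100.23 port 39002 ssh2
Jan 11 00:40:11 bastion sshd[3188]: Failed password for invalid user nagios from 198.51.100.23 port 39100 ssh2
Jan 11 08:15:09 bastion sshd[4001]: Failed password for bob from 192.0.2.44 port 51000 ssh2
""".splitlines()


def analyse(lines=SAMPLE_LOG, year=2010):
    events = list(parse_failed_logins(lines, year))
    return summarize(events), detect_bursts(events)


if __name__ == "__main__":
    stats, bursts = analyse()
    for user, n in stats["by_user"].most_common():
        print(f"{user:10} {n}")
    print("distinct IPs:", stats["distinct_ips"], "bursting:", bursts)
```

Run against a real log with `analyse(open("/var/log/auth.log"), year)`; on Ubuntu and Debian the file is auth.log, on Red Hat derivatives it is secure. The burst detector is deliberately per source address, so an attacker spreading guesses across many hosts (or a rotating proxy pool, a caveat the article raises for its own IP data) will stay under the threshold.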
Furthermore, sessions were delimited by time delays of more than an hour between command execution. For instance, if an attacker logged in, executed commands, then waited for more than an hour before executing additional commands, then the interaction was counted as two sessions. A total of 248 attacker sessions were identified, issuing a total of 3,062 commands. The average session lasted for 4.1 minutes, during which the attacker issued 12 commands. The longest session lasted for an hour and 10 minutes.

By far the most common command in any session was the 'w' command, occurring in 74% of sessions. Wget was used in over 58% of sessions, as was uname. The uptime command was issued in 35% of sessions.

Figure 7. Commands in Sessions
Command    Number of sessions
w          184
ls         155
wget       146
uname      144
cd         122
cat        105
uptime      86
ps          84
[blank]     76
passwd      67
exit        47
id          44
tar         33
mkdir       21
pwd         18
unset, reboot   16, 3 (these two rows are garbled in the source)
chmod       13
rm          12
ftp         12
ifconfig    12
kill        11
perl        11
history     11
dir         10

CONCLUSIONS

Based on the data collected for this study it is clear that attackers utilize many of the same commands as legitimate system users, such as 'ls' and 'cat'. The context of these commands makes them distinct, however. Many of the 'ls' commands, which are typically used for directory listing, seemed innocuous, but the 'cat' commands were typically used for peering into the contents of system configuration files such as those that contain CPU and memory information. In 94 of the more than 150 times the 'cat' command was used, the full command issued was 'cat /proc/cpuinfo', which is used to display processor information. This type of command is not typical for a normal system user.

Although some common commands observed in the Kojoney session captures could potentially be attributed to normal users, others clearly stand out. The 'w' command, which is used to report on which users are logged into the system, and the 'uptime' command, which reports how long the system has been on, are not regularly used by non-system administrators. Similarly, the 'uname' command is generally utilized to determine the kernel version that is running, which could perhaps be used to search for vulnerabilities.

Monitoring command execution on systems seems like a worthwhile exercise given the results of this data. Replacing the 'w', 'uptime' or even 'wget' command with a binary that would log the execution of such a command before executing the intended target could provide some insight into the usage of such utilities. Using a log file monitoring system such as OSSEC, system administrators could easily keep watch over such commands to alert on suspicious behavior14.

Given the sophistication of the usernames and passwords utilized by attackers, a number of defensive strategies present themselves. It is interesting to note the complexity of usernames and passwords utilized by attackers. Outside of system passwords, common usernames were not necessarily attempted with common passwords. For instance, the data shows no attempts to log in using the username 'alice', a relatively common name that would appear at the beginning of a dictionary list of names, with the password 'password'. From this observation, as well as the fact that the top 20 usernames attempted were system accounts, we can conclude that attackers probably do not focus their efforts on breaking into user level accounts.

Given the breakdown of username choices in brute force attacks it seems that system accounts are by far the most utilized. This is probably because system accounts are standard and the attacker doesn't have to enumerate or guess them. The fact that root is the most common target is likely attributable to the fact that this account has the most power, but also because it appears on most Unix systems. Choosing strong passwords seems like a safe strategy for protecting the system accounts, but even more effective would be to prohibit interactive login over SSH for the root account. By disabling SSH root login, nearly half of all brute force attacks observed (the 45,403 guesses against 'root') would have been thwarted regardless of the password chosen.

All attacker behavior was observed on the standard SSH port 22. Running SSH on an alternate port would almost certainly cut down on the number of attacks, although such a solution could confuse legitimate users and result in increased support costs. Brute force detection and prevention countermeasures, such as sshblack15, OSSEC active response, or the use of OpenSSH's MaxAuthTries configuration directive could all be worthwhile (note that MaxAuthTries limits attempts per connection, so on its own it slows rather than stops a client that simply reconnects). An even more effective solution would be to eliminate the use of username and password authentication altogether. Many SSH servers provide functionality for key authentication. There is additional administrative overhead in implementing key based authentication, and it is not as portable, but it is certainly more secure.

Examining the IP source of attacker behavior shows that there are certain IP blocks that, if not used by legitimate system users, could certainly be blocked to great effect. Locating and blocking specific IP ranges could dramatically cut down on the amount of SSH brute force attacks, but again could create hassle for legitimate users and requires a certain degree of administration.

There do not appear to be strong trends in the times that attackers attempt brute force attacks. Limiting SSH server access to specific times could cut down on the number of attacks as long as administrators could be confident that legitimate users only required access during certain time ranges. Great care would need to be taken with such a remediation, however, to prevent a nightmare scenario where a legitimate administrator or user might be unable to respond to a crisis occurring in off hours due to login restrictions.

Some of the greatest utility in deploying a Kojoney based honeypot is in its ability to detect attacks from IP ranges within an organization's network. Based on the fact that some attackers were observed attempting to download SSH brute force tools, it is likely that compromised SSH servers are sometimes used as SSH brute force scanners. Detecting an internal attacker could provide extremely valuable evidence in an incident detection or response.

Examining malware or attacker toolkits downloaded to the Kojoney honeypot could also prove valuable. Although a wide variety of packages was not observed, the character of the packages that were downloaded is illustrative of the goals of attackers. Additionally, developing hash fingerprints of attacker tools or components could aid in the detection of these materials on other systems, which could be used to detect compromises. As with high interaction honeypots, forensic analysis of this malware is time intensive and may not provide a very high return on investment.

The actual IP addresses captured by the Kojoney honeypot are probably of the greatest value of all the collected data. Because the honeypot was deployed on an unused and un-advertised IP address it is a justifiable conclusion that all traffic observed by the honeypot was deliberate and malicious. By identifying these malicious IP addresses it is possible to scan server logs from other machines to detect malicious activity on other assets. It is important to note, though, that some IP addresses may represent aggregation points, or rotating pools, for multiple users, so not all traffic originating from the identified IP addresses is necessarily malicious.

REFERENCES

1. Ylonen, T., Lonvick, C., Internet Engineering Task Force, RFC 4254, The Secure Shell (SSH) Connection Protocol, http://www.ietf.org/rfc/rfc4254.txt (January 2006)
2. Internet Assigned Numbers Authority (IANA), Port Numbers, http://www.iana.org/assignments/port-numbers
3. Wikipedia, Port scanner, http://en.wikipedia.org/wiki/Port_scanner
4. The Honeynet Project, http://www.honeynet.org
5. L. Spitzner, Know Your Enemy. Addison-Wesley, 2002.
6. Downstream Liability for Attack Relay and Amplification. CERT, http://www.cert.org/archive/pdf/Downstream_Liability.pdf
7. N. Provos and T. Holz, Virtual Honeypots. Addison-Wesley, 2008.
8. Coret, J., Kojoney low interaction SSH honeypot, http://kojoney.sourceforge.net
9. The OpenSSL Project, http://www.openssl.org/
10. Twisted Matrix Labs Conch Project, http://twistedmatrix.com/projects/conch
11. Klein Keane, J., Understanding and Extending Kojoney SSH Honeypot, http://www.madirish.net/?article=242 (May 22, 2009)
12. Nicob, [Full-disclosure] Kojoney (SSH honeypot) remote DoS, Feb 24, 2009, http://www.securityfocus.com/ (remainder of the URL is garbled in the source)
13. psyBNC Homepage, http://www.psybnc.at/
14. OSSEC Open Source Host-based Intrusion Detection System, http://www.ossec.net
15. sshblack script homepage, http://www.pettingers.org/code/sshblack.html

FURTHER READING

Wolfgang, N., SSH Brute Force: Second Steps of an Attacker, http://www.cs.drexel.edu/ (remainder of the URL is garbled in the source) (September 6, 2008)
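The session rule and per-session command statistics above, together with the conclusion that command context rather than the command itself is what separates an intruder from an administrator, can be implemented as a small fingerprinting pass over a honeypot's command log. The following is an added example for this edition; it is not Kojoney's code and not the author's. The one-line-per-command log format (ISO date, time, source IP, account, command line) is an assumption rather than Kojoney's own format, the session delimiter is the article's one-hour gap, and the signature (at least two distinct indicators among w, uptime, uname, wget and cat /proc/cpuinfo) is a choice made here, not a value from the study. The sample log is constructed.

```python
"""Session reconstruction and post-compromise fingerprinting (added example).

Not Kojoney code; the log format (date time ip user command) is assumed.
Applies the study's session rule (gap > 1 hour opens a new session), reports
the share of sessions in which each command appears, and scores sessions
against a reconnaissance signature. MIN_INDICATORS is an assumption.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SESSION_GAP = timedelta(hours=1)               # the article's delimiter
RECON_BASE = {"w", "uptime", "uname", "wget"}  # matched on the first token
RECON_FULL = {"cat /proc/cpuinfo"}             # matched on the whole line
MIN_INDICATORS = 2                             # assumption for this example


def base_command(cmd):
    """First token of a command line; empty lines are the study's '[blank]'."""
    parts = cmd.split()
    return parts[0] if parts else "[blank]"


@dataclass
class Session:
    ip: str
    user: str
    start: datetime
    end: datetime
    commands: list = field(default_factory=list)

    @property
    def duration(self):
        return self.end - self.start

    def indicators(self):
        """Distinct recon indicators present in this session."""
        hits = set()
        for cmd in self.commands:
            if base_command(cmd) in RECON_BASE:
                hits.add(base_command(cmd))
            if " ".join(cmd.split()) in RECON_FULL:
                hits.add(" ".join(cmd.split()))
        return hits

    def is_suspicious(self):
        return len(self.indicators()) >= MIN_INDICATORS


def parse(lines):
    """Yield (timestamp, ip, user, command) from the assumed log format."""
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        date, time, ip, user = parts[:4]
        cmd = parts[4] if len(parts) > 4 else ""   # empty command line
        yield datetime.fromisoformat(f"{date} {time}"), ip, user, cmd


def sessionize(events):
    """Group commands into sessions per (ip, user); a gap larger than
    SESSION_GAP between consecutive commands opens a new session."""
    sessions, current = [], {}
    for ts, ip, user, cmd in sorted(events):
        s = current.get((ip, user))
        if s is None or ts - s.end > SESSION_GAP:
            s = Session(ip, user, ts, ts)
            sessions.append(s)
            current[(ip, user)] = s
        s.end = ts
        s.commands.append(cmd)
    return sessions


def command_prevalence(sessions):
    """Fraction of sessions in which each base command occurs at least once
    (the statistic behind 'w occurred in 74% of sessions')."""
    seen = Counter()
    for s in sessions:
        seen.update({base_command(c) for c in s.commands})
    return {cmd: n / len(sessions) for cmd, n in seen.items()}


# Constructed sample: an intruder who returns after a long pause (hence two
# sessions) and an administrator whose commands overlap only partially.
SAMPLE_LOG = """\
2010-01-10 12:14:20 203.0.113.5 root w
2010-01-10 12:14:25 203.0.113.5 root uname -a
2010-01-10 12:14:40 203.0.113.5 root cat /proc/cpuinfo
2010-01-10 12:15:10 203.0.113.5 root wget http://203.0.113.77/tools.tgz
2010-01-10 12:15:30 203.0.113.5 root tar xzf tools.tgz
2010-01-10 14:30:00 203.0.113.5 root w
2010-01-10 14:30:05 203.0.113.5 root uptime
2010-01-11 09:00:00 198.51.100.7 alice ls -a
2010-01-11 09:00:05 198.51.100.7 alice cd /var/log
2010-01-11 09:00:09 198.51.100.7 alice uptime
2010-01-11 09:01:40 198.51.100.7 alice
""".splitlines()


def analyse(lines=SAMPLE_LOG):
    sessions = sessionize(parse(lines))
    return sessions, command_prevalence(sessions), [s for s in sessions if s.is_suspicious()]


if __name__ == "__main__":
    sessions, prevalence, flagged = analyse()
    for s in sessions:
        print(f"{s.ip} {s.user} {s.start:%H:%M} {len(s.commands):>2} cmds "
              f"{s.duration} indicators={sorted(s.indicators())}")
    print({k: round(v, 2) for k, v in prevalence.items()})
```

The same scoring works on a production host if the 'w', 'uptime', 'uname' and 'wget' binaries are wrapped to log their invocation, as the conclusions suggest, and the wrapper's lines are fed to a watcher such as OSSEC; the signature then fires on the combination, not on any single command an administrator might legitimately run.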
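The configuration-side countermeasures the conclusions list (no interactive root login, keys instead of passwords, a low MaxAuthTries, and the trade-off of moving off port 22) can be checked mechanically. The following is an added example for this edition, not code from the article or from OpenSSH. It parses an sshd_config the way sshd does in one important respect: for each keyword the first occurrence wins and later duplicates are ignored; directives inside Match blocks are conditional and are skipped. The defaults assumed for absent keywords are those of the OpenSSH 5.x releases current in 2010 (PermitRootLogin yes, PasswordAuthentication yes, MaxAuthTries 6, Port 22); newer releases default PermitRootLogin to prohibit-password, so adjust DEFAULTS for the version actually deployed. The MaxAuthTries limit of 3 and the two sample configurations are constructed for the example.

```python
"""Audit an sshd_config against the article's countermeasures (added example).

Not OpenSSH code. First occurrence of a keyword wins, as in sshd; Match
blocks are skipped. DEFAULTS reflect OpenSSH 5.x (2010); adjust for the
deployed version. MAX_AUTH_TRIES_LIMIT is an assumption for this example.
"""
import re

DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "port": "22",
}
MAX_AUTH_TRIES_LIMIT = 3


def parse_sshd_config(text):
    """Return {keyword (lower-case): first value}; comments dropped, Match
    blocks ignored, both 'Key value' and 'Key=value' spellings accepted."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True           # everything after Match is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first occurrence wins, as in sshd
    return settings


def audit(text):
    """Return findings as (severity, keyword, message) tuples."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append(("high", "PermitRootLogin",
                         "root may log in with a password; nearly half of the "
                         "observed guesses targeted root. Set 'no' (or "
                         "'without-password' if root needs key access)."))
    if cfg["passwordauthentication"].lower() != "no":
        findings.append(("high", "PasswordAuthentication",
                         "password logins accepted; deploy keys, then set 'no'."))
    try:
        tries = int(cfg["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(("medium", "MaxAuthTries",
                         f"{cfg['maxauthtries']} attempts per connection; lower "
                         f"to {MAX_AUTH_TRIES_LIMIT}. This only slows guessing, "
                         "since a client can reconnect."))
    if cfg["port"] == "22":
        findings.append(("info", "Port",
                         "listening on 22, where all observed attacks arrived; "
                         "an alternate port cuts noise at the cost of user "
                         "confusion and support load."))
    return findings


# Constructed sample: a distribution-style default next to a hardened file.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
PermitRootLogin yes            # ignored: sshd keeps the first value above
Match Address 192.0.2.0/24
    PasswordAuthentication yes # conditional, skipped by this audit
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, key, msg in audit(text):
            print(f"  [{severity}] {key}: {msg}")
```

Run it as `audit(open("/etc/ssh/sshd_config").read())`. The duplicate PermitRootLogin line in the hardened sample is there on purpose: an appended "PermitRootLogin yes" at the bottom of a file is harmless to sshd but is exactly the kind of change a last-match parser would misjudge.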
Although it ...

HITB Magazine, July 2010

100 Most Common Logins (username, count)

root 45403 | mailtest 266 | student 167 | alex 90
test 4128 | service 263 | testing 166 | usuario 90
admin 1396 | fax 259 | temp 161 | linux 89
oracle 1287 | squid 250 | games 156 | mythtv 89
user 881 | public 242 | cyrus 153 | roor 88
guest 872 | video 240 | prueba 149 | marketing 86
postgres 773 | print 232 | amanda 143 | server 85
webmaster 540 | http 226 | teste 141 | ftpguest 82
mysql 538 | help 218 | test1 134 | support 81
nagios 536 | sysadmin 216 | michael 127 | www-data 76
tester 480 | webalizer 212 | upload 120 | netdump 70
ftp 456 | sysadm 207 | ts 119 | paul 67
backup 444 | html 202 | apache 118 | john 67
web 436 | printer 202 | zabbix 118 | daemon 67
administrator 384 | helpdesk 200 | news 116 | uucp 67
info 359 | rootadmin 199 | master 103 | david 65
ftpuser 343 | sale 199 | mike 101 | users 65
sales 336 | nobody 198 | rpm 100 | adam 63
office 331 | webmin 198 | user1 99 | gdm 63
tomcat 323 | mailadmin 198 | condor 99 | informix 62
webadmin 313 | mailftp 197 | prueva 97 | wwwrun 61
postfix 306 | mailuser 196 | sshd 96 | spam 60
mail 305 | www 194 | TeamSpeak 96 | adrian 60
toor 301 | operator 187 | test2 94 | students 59
testuser 268 | adm 168 | 123456 93 | samba 57

100 Most Common Passwords (password, count; only the first 80 entries are legible in this copy)

123456 2361 | abcd1234 218 | rootroot 142 | 0000 103
root 2111 | user 217 | [subdomain.domain]* 142 | 54321 103
test 2084 | passw0rd 215 | guest 141 | internet 102
password 1283 | 1qaz2wsx 209 | 12 140 | sunos 102
qwerty 855 | 12345678 208 | [servername.subdomain]* 140 | secret 101
1234 839 | 654321 188 | password123 139 | 123321 101
123 690 | linux 179 | webmaster 132 | manager 100
1q2w3e 615 | 1q2w3e4r 177 | mail 129 | qwertyuiop 95
12345 546 | pa55w0rd 176 | root1234 129 | root1 94
changeme 460 | testing 175 | apache 128 | [servername.subdomain.domain]* 94
oracle 421 | root123 173 | asdfgh 127 | user123 91
abc123 376 | 1234567 172 | r00t 126 | server 90
welcome 369 | 123qwe 170 | webadmin 125 | q1w2e3r4 90
admin 337 | 123123 168 | admin1 124 | michael 88
1a2b3c 315 | pass 160 | 000000 122 | abc 85
redhat 314 | tester 159 | 321 116 | zxcvbnm 85
master 309 | mysql 155 | pass123 115 | 123qaz 85
ad4teiubesc26051986 295 | letmein 153 | ftp 114 | user1 84
111111 280 | [servername]* 151 | debian 112 | ftpuser 82
1 270 | postgres 150 | nagios 109 | 1111 81

(* bracketed entries stand for the target's own host or domain name used as the password)

Advertisement: HITB Jobs, Security recruitment

With the increasingly combative nature of Information Technology Security in the workplace, the need for skilled Security Professionals with real-world experience has reached critical levels. Theoretical knowledge obtained from educational institutions and industry certification is insufficient to defend sensitive information from miscreants who utilize the latest methods to infiltrate organizations. Due to the unique characteristics and skill sets of this niche industry, Human Resource personnel are often times unable to quantify a potential ...

• Access to a global database of IT Security professionals available for immediate hire, contract work or headhunting.
• Placement of available positions for hire into a targeted environment.

INFORMATION SECURITY

A Brief Overview on Satellite Hacking
By Anchises Moraes Guimarães de Paula, iDefense

As a large portion of worldwide Internet users increasingly rely on satellite communication technologies to connect to the Web, a number of vulnerabilities within these connections actively expose satellites to potential attacks. The implications of such a successful attack are massive, as satellites are the only means of broadcasting communications in many regions around the globe, and an attacker could act from anywhere.

Broadband Internet access via satellite is available almost worldwide. Satellite Internet services are the only possible method of connecting remote areas, the sea or countries where traditional Internet cable connections are still not accessible. Satellite communications are also widely adopted as backup connections to providers by several organizations and countries for those times when the terrestrial communications infrastructure is not available, damaged or overloaded. By the end of 2008, an estimated 842,000 US consumers relied on satellite broadband Internet access.[1]

Communications satellites routinely receive and rebroadcast data, television, image and telephone transmissions without the proper security measures, leading to frequent fraud and attacks against satellite services. Traditional fraud techniques and attack vectors include satellite TV hacking and the use of illicit decoding technology to hack into television satellite signals. In addition, satellite communications are easily susceptible to eavesdropping if not properly encrypted.

SATELLITE BASICS

Satellites are an essential part of our daily lives. Many global interactions rely on satellite communications or satellite-powered services, such as Global Positioning Systems (GPSs), weather forecasts, TV transmissions and mapping service applications based on real satellite images (such as Google Maps). "Although anything that is in orbit around Earth is technically a satellite, the term 'satellite' typically describes a useful object placed in orbit purposely to perform some specific mission or task."[2] There are several satellite types, defined by their orbits and functions: scientific, Earth and space observation, reconnaissance satellites (Earth observation or communications satellites deployed for military or intelligence applications) and communications, which include TV, voice and data connections. Most satellites are custom built to perform their intended functions.

Organizations and consumers have used satellite communication technology as a means to connect to the Internet via broadband data connections for a long time. Internet via satellite provides consumers with connection speeds comparable or superior to digital subscriber line (DSL) and cable modems. Data communication uses a similar design and protocol to satellite television, known as Digital Video Broadcasting (DVB), a suite of open standards for digital television. DVB standards are maintained by the DVB Project, an international industry consortium. Services using DVB standards are available on every continent with more than 500 million DVB receivers deployed, including at least 100 million satellite receivers.[3] Communications satellites relay data, television, images and telephone transmissions by using the transponder, a radio that receives a conversation at one frequency and then amplifies it and retransmits the signal back to Earth on another frequency that a ground-based antenna may receive. A satellite normally contains 24 to 32 transponders, which operate on different frequencies.[4]

Modern communications satellites use a variety of orbits including geostationary orbits,[5] Molniya orbits,[6] other elliptical orbits and low Earth orbits (LEO).[7] Communications satellites are usually geosynchronous because ground-based antennas, which operators must direct toward a satellite, can work effectively without the need to track the satellite's motion. This allows technicians to aim satellite antennas at an orbiting satellite and leave them in a fixed position. Each satellite occupies a particular location in orbit and operates at a particular frequency assigned by the country's regulator, such as the Federal Communications Commission (FCC) in the U.S. The electromagnetic spectrum usage is regulated in every country, so that each government has its regulatory agency which determines the purpose of each portion of radio frequency, according to international agreements.

The satellite provider supports Internet access and Internet applications through the provider teleport location, which connects to the public switched telephone network (PSTN) and the Internet. There are three types of Internet via satellite access: one-way multicast, unidirectional with terrestrial return and bidirectional access. One-way multicast transmits IP multicast-based data, both audio and video; however, most Internet protocols will not work correctly because they require a return channel. A single channel for data download via a satellite link characterizes unidirectional access with terrestrial return, also known as "satmodem" or a "one-way terrestrial return" satellite Internet system, and this type of satellite access uses a data uplink channel with slower speed connection technologies (see Exhibit 1).

Exhibit 1. Unidirectional Access with Terrestrial Return (also known as Satmodem)[8]

Unidirectional access systems use traditional dial-up or broadband technology to access the Internet, with outbound data traveling through a telephone modem or a DSL connection, but they send downloads via a satellite link at a speed near that of broadband Internet access. Two-way satellite Internet service, also known as bidirectional access or "astro-modem," involves both sending and receiving data via satellite to a hub facility, which has a direct connection to the Internet (see Exhibit 2).

The required equipment to access satellite communication includes a satellite dish, a receiver for satellite signals (a low-noise block (LNB) converter), a decoder, a satellite modem and special personal-computer software. Usually, a single device or PCI card integrates the decoder and modem. Several software programs and online tools are widely available.

Satellite Internet customers range from individual home users to large business sites with several hundred users. The advantages of this technology include a greater bandwidth than other broadband technologies, nearly worldwide coverage, and additional support to television and radio services. Satellite broadband service is available in areas where terrestrially based wired technologies (e.g., cable and DSL) or wireless technologies cannot operate. The disadvantages, however, are numerous: weather conditions (rain, storms or solar influences) might affect satellite communications, satellites demand expensive hardware and have a complex setup (install-...
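The eavesdropping point above follows from the transport format. DVB carries IP data as MPEG transport stream packets, and each 188-byte packet states in its own header (the transport_scrambling_control field) whether its payload is scrambled by the operator's conditional access system or sent in the clear, so a receiver with a dish and a DVB card that simply filters on PID can read every unscrambled subscriber's downlink. The Python below is an added example written for this edit, not code from the article or from iDefense: a minimal transport stream parser that counts clear versus scrambled packets per PID and reassembles the clear payload. The packets are constructed by a helper in the block, and placing an HTTP request directly in the TS payload is a simplification (real data services wrap IP in MPE sections); the header layout itself follows the MPEG-TS specification.

```python
TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
NULL_PID = 0x1FFF


def build_ts_packet(pid, payload, scrambled=False, adaptation=None, cc=0):
    """Constructed helper for the sample stream (not a DVB library): one 188-byte packet.
    scrambled=True sets transport_scrambling_control to 0b10, as a CA-protected service would."""
    if not 0 <= pid <= 0x1FFF:
        raise ValueError("PID is 13 bits")
    tsc = 0b10 if scrambled else 0b00
    afc = 0b11 if adaptation is not None else 0b01   # 01 payload only, 11 adaptation + payload
    header = bytes([
        SYNC_BYTE,
        0x40 | (pid >> 8),                      # payload_unit_start_indicator set, PID high bits
        pid & 0xFF,
        (tsc << 6) | (afc << 4) | (cc & 0x0F),  # scrambling, adaptation control, continuity
    ])
    body = b""
    if adaptation is not None:
        body += bytes([len(adaptation)]) + adaptation   # adaptation_field_length, then contents
    body += payload
    if len(body) > TS_PACKET_SIZE - 4:
        raise ValueError("payload too long for one packet")
    return header + body.ljust(TS_PACKET_SIZE - 4, b"\xff")   # 0xFF stuffing to 188 bytes


def parse_ts_packet(pkt):
    """Decode the 4-byte TS header and locate the payload, skipping any adaptation field."""
    if len(pkt) != TS_PACKET_SIZE or pkt[0] != SYNC_BYTE:
        raise ValueError("not a TS packet")
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    tsc = (pkt[3] >> 6) & 0b11
    afc = (pkt[3] >> 4) & 0b11
    offset = 4
    if afc & 0b10:                     # adaptation field present
        offset = 5 + pkt[4]            # skip length byte plus its contents
    payload = pkt[offset:] if afc & 0b01 else b""
    return {
        "pid": pid,
        "pusi": (pkt[1] >> 6) & 1,
        "scrambled": tsc != 0,         # 00 = clear; any other value = scrambled (even/odd key)
        "cc": pkt[3] & 0x0F,
        "payload": payload,
    }


def iter_packets(stream):
    """Yield 188-byte packets, resynchronising on 0x47 if the capture starts mid-packet."""
    i = 0
    while i + TS_PACKET_SIZE <= len(stream):
        if stream[i] != SYNC_BYTE:
            i += 1
            continue
        yield stream[i:i + TS_PACKET_SIZE]
        i += TS_PACKET_SIZE


def summarize(stream):
    """Per-PID count of clear vs. scrambled packets; clear data PIDs are what an eavesdropper reads."""
    stats = {}
    for raw in iter_packets(stream):
        p = parse_ts_packet(raw)
        if p["pid"] == NULL_PID:       # null packets carry no data
            continue
        entry = stats.setdefault(p["pid"], {"clear": 0, "scrambled": 0})
        entry["scrambled" if p["scrambled"] else "clear"] += 1
    return stats


def recover_clear_payload(stream, pid):
    """Concatenate the unscrambled payload of one PID. Trailing 0xFF stuffing is stripped per
    packet, a simplification: real MPE sections carry their own length field instead."""
    out = b""
    for raw in iter_packets(stream):
        p = parse_ts_packet(raw)
        if p["pid"] == pid and not p["scrambled"]:
            out += p["payload"].rstrip(b"\xff")
    return out


def build_sample_stream():
    """Constructed capture: one clear IP-data PID, one CA-scrambled PID, one null packet,
    preceded by two junk bytes so the resync path is exercised."""
    clear = [
        build_ts_packet(0x100, b"GET /index.html HTTP/1.1\r\n",
                        adaptation=b"\x00" + b"\xff" * 6, cc=0),
        build_ts_packet(0x100, b"Host: example.invalid\r\n", cc=1),
        build_ts_packet(0x100, b"\r\n", cc=2),
    ]
    scrambled = [build_ts_packet(0x101, bytes(range(32)), scrambled=True, cc=i) for i in range(2)]
    null = [build_ts_packet(NULL_PID, b"")]
    return b"\xff\xff" + b"".join(clear + scrambled + null)


if __name__ == "__main__":
    sample = build_sample_stream()
    print({hex(k): v for k, v in summarize(sample).items()})
    print(recover_clear_payload(sample, 0x100))
```

On a real capture (for example a .ts file dumped from a DVB-S card) summarize shows at a glance which PIDs the operator left unscrambled; a data PID with clear packets means the downlink is readable by anyone in the satellite's footprint, which is the exposure the article describes, and end-to-end encryption of the traffic itself (TLS or a VPN over the satellite link) is the mitigation within the subscriber's control.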
