
Erase your trace


Erasing your traces in order to remain stealthy


Any hacker who gets into a connected system (= attacker, then intruder!!) seeks:
- to mask the traces of his passage
- not to get caught after an intrusion.

A good hacker must discipline himself if he wants to last.
Any intrusion into a system is regarded as an offence in France and as criminally punishable behaviour everywhere else.

Survival rule 1: encryption
Survival rule 2: organize your connection
Survival rule 3: manage your user account
Survival rule 4: clean up behind yourself
Survival rule 5: handle the logs
Survival rule 6: handle the security programs
Survival rule 7: who is the administrator?
--------------------------------------------------------------------------------

Survival rule 1: protect all data by encrypting it


Against:
system administrators reading e-mails
authorities recording phone numbers
the courts seizing your computer along with the hacking data
How:
Beginners need only PGP, a file-encryption program and a hard-disk encryptor
Don't forget: use the encryption software
Hard-disk encryptors
MSDOS: SFS v1.17 or SecureDrive 1.4b
Amiga: EnigmaII v1.5
Unix: CFS v1.33
File encryptors
Triple DES
IDEA
Blowfish
E-mail encryptor
PGP v2.6.x
Phone-conversation encryptor
Nautilus v1.5a
Telnet-session encryptors
ssh
DES-Login
Backups of the encrypted data
Km No or WinZip
ARJ


Survival rule 2: organize your intrusion so as not to be identified

What?
An intrusion attempt can be detected. The intruder must not be identifiable or traceable.
Against:
Any system administrator can very easily identify an intruder by:
checking the log files that record all activity
analyzing the spy files (sniffers) installed by the intruder
using audit programs such as loginlog
checking the connections in progress with "netstat"
How:
Use an attack server between the origin server and the target server.
The origin server:
the initial server from which the hacker connects to the Internet, generally by phone call (dial-up access to an ISP, for example)
rules:
dial-up makes it unnecessary to modify the activity logs on the origin server (IP addresses are allocated dynamically).
modify NOTHING on this server
use several user accounts
change ISP every two months
crack passwords ONLY on the PC or on the calling machine
The attack server:
a server on which the hacker has an account with ROOT access.
By using different ISPs each day it becomes unnecessary to use an attack server.
rules:
preferably located abroad
modify the log files to erase the traces of your passage
change attack server every two weeks and do not reuse one within a month
use a relay (bounce) program to run ISS or SATAN: called on a special port, this program automatically opens a connection to another server
do not launch programs such as ypx, iss, satan... until after having renamed them: they will then not appear in clear in the list of running processes (ps -l under Unix)
do not pass parameters on the command line when launching programs such as telnet; use the internal commands instead:
"telnet" then "open target.host.com"...
The target server:
the server the hacker seeks to penetrate.
rules:
preferably located abroad
do not create a user on the target system; rather leave behind a program (a "backdoor" such as ping, quota or login), then use fix to correct the atime and mtime
run "w" to examine the connected users. If the address of the attack server appears in the entries, run "rlogin target-server" so that the address is replaced by something like "tty00"
Securing the organization of the connection modes
Use:
Hacker/origin server: preferably modem access for a dial-up connection.
Hacker/attack server: telnet from the origin server to the attack server
Hacker/target server: telnet from the attack server to the target server
Rules:
The origin server can learn the calling number.
Do not use your real phone number but go through a call-back system (carding/bluebox/hacking a PABX). This precaution is sometimes useless because the telcos (private - AT&T - or public - Denmark -)
Old telnet clients export the USER variable. By modifying telnetd an administrator can obtain the name of everyone connected.
The new versions export the UID, EMAIL and HOME variables.
For any telnet it is therefore necessary to change the USER, UID, EMAIL, PWD and HOME variables.
The recommendation:
Change the environment variables of your telnet:
under Windows: go to the system and software configuration settings
under Unix:
sh: <var>=<value>; export <var>; example: USER=nobody; export USER
csh: setenv <var> <value>; example: setenv USER nobody


Survival rule 3: manage your user account on the origin server

Against:
the administrators of the server hosting the user account

How:

Do not use your user account for anything related to hacking activities
Do not leave hacking files or tools in your user directory
Systematically delete the e-mails received on the mail server (with POP3, use get + delete)
Do not use your real e-mail address (the EXPN command of sendmail under Unix!)
Agree to receive or send only encrypted messages


Survival rule 4: leave nothing in the HOME or TMP directories of the servers

What?
Unix shell command-history files
Every command can be recorded in a history file: it is recommended to start a second shell at connection time and to check the data recorded in this file.
Files concerned, depending on the Unix version:
sh: .sh_history
csh: .history
ksh: .sh_history
bash: .bash_history
zsh: .history

Unix backup files
dead.letter, *.bak, *~
Against:
analysis of user activity by the server administrators
How:
List all the elements modified before disconnecting: ls -altr
Use the following csh commands to erase the history data without leaving traces:
mv .logout save.1
echo rm .history > .logout
echo rm .logout >> .logout
echo mv save.1 .logout >> .logout
The recommendation:
"The first command you should enter after logging in with a hacked account is a different shell from the one you are currently running as login shell. The purpose is to turn off the history saving of the commands you type in while hacking. With history checking, the real user or sysadmin wakes up to your presence and what you did!! If you are running a csh then execute a sh, and vice versa."


Survival rule 5: understand and clean the servers' "logs"

What?
Under Unix you must know at least 3 important log files:
WTMP - each connection/disconnection with the time, the server and the terminal concerned
UTMP - all users connected at a given moment
LASTLOG - origin of the connections
Others exist, which are covered below. Any connection by telnet, ftp, rlogin or rsh is recorded in these files.

Against:

the administrator of the target server can analyze these files or use statistical commands (lastlogin for example) to learn:
a) how the intrusion took place
b) the origin server of the intrusion
c) the time and an estimate of the impact of the intrusion
How:
Erase the traces of your passage from the basic log files WTMP, UTMP, LASTLOG.
Default location of the log files (varies between Unix distributions):
UTMP: /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP: /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG: /usr/var/adm or /usr/adm or /var/adm or /var/log or HOME/.lastlog
It is stupid to delete these files on the target server: the administrator will know immediately that an intrusion took place.
It is recommended to use a program that modifies these log files:
ZAP (or ZAP2): replaces the last connection data with zeros
Not very effective because CERT distributes programs that check for zeroed data.
CLOAK2: modifies the data
CLEAR: deletes the data
There is no simple solution for cleaning UTMPX or WTMPX.
Authorization required:
Normally these modifications are only possible as ROOT.
If ROOT access has not been obtained, on certain Unix versions it is enough to do an rlogin at the time of your connection to the server to modify the LASTLOG and the UTMP data (unobtrusive).
Finding and handling all the other log files
Find all the open files
Since all log files are written to at some point, use the program LSOF - LiSt Open Files - to identify all the open files, check their contents and possibly modify them
Find all the files modified since connection
Right after connecting, run "touch /tmp/check" before continuing to work.
Later, run "find / -newer /tmp/check -print" or "find / -ctime 0 -print" or "find / -cmin 0 -print" to check the files, identify the audit files and modify them.
Check the default directories
/usr/adm, /var/adm or /var/log.
Check the remote servers receiving the logs (messages sent to @loghost)
Problem: penetrating the log server and handling the transport... very complicated
To remove the intruding host name from the messages to be dispatched: "grep -v evil.host.com messages > /tmp/tmpfile; mv /tmp/tmpfile messages"
Check the syslog configuration
The syslog program records the logs in non-standard files.
Its configuration file is /etc/syslog.conf:
The kern.*, auth.* and authpriv.* entries must be checked
The configured outputs must be checked:
- the files can be modified
- the remote servers are identified
- the recipient users are defined: in this case it is necessary to generate false logs to drown yours: "echo 17:04 12-05-85 kernel sendmail[243]: can't resolve bla.bla.com > /dev/console".
Handling logs in text format
Use:
grep -v
a line count with wc, then removal of the last 10 lines ("head -<LineNumbersMinus10>")
a file editor
Handling logs in data format
Identify the program managing the data
obtain the program
find the structure of the data file
adapt zap, clear, cloak, ... to produce files structured the same way
Handling the accounting logs
use acct-cleaner by zhart
Obtaining the necessary programs
LIST OF LOG-MODIFICATION PROGRAMS
ah-1_0b.tar   changes the accounting log entries
clear.c       deletes entries in utmp, wtmp, lastlog and wtmpx
cloak2.c      changes entries in utmp, wtmp and lastlog
invisible.c   rewrites utmp, wtmp and lastlog with preset values
marryv11.c    edits utmp, wtmp, lastlog and accounting data - ***
wzap.c        deletes entries in wtmp
wtmped.c      deletes entries in wtmp
zap.c         rewrites utmp, wtmp, lastlog - Attention: detectable!!!
The recommendation:
"To modify the LASTLOG without touching the file, once connected, launch an rlogin to the 'target server' with the login of the hacked user account. That causes a LASTLOGIN to be recorded as coming from the server and not from outside..."
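The text above says that ZAP-style tools leave zeroed wtmp records behind and that CERT distributed checkers for exactly that. The following script is an example added by the editor, not part of the original text or of any of the tools it lists: it parses a wtmp file in the Linux/glibc struct utmp layout (384-byte records; this layout is an assumption, since the original talks about generic Unix systems whose record formats differ) and flags all-zero records, login records with an empty user name, and timestamps that run backwards in what should be an append-only file. The sample wtmp bytes are constructed inline.

```python
"""Spot wtmp records that look tampered with (added example; Linux/glibc struct utmp assumed)."""
import struct

# glibc struct utmp on Linux: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination, e_exit}, ut_session, ut_tv{sec, usec},
# ut_addr_v6[4], unused[20]  -> 384 bytes per record
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)
USER_PROCESS = 7   # ut_type of a normal login
DEAD_PROCESS = 8   # ut_type written at logout


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes):
    """Return (records, leftover_bytes). Non-zero leftover means the file was truncated
    or rewritten by a tool that got the record size wrong."""
    records = []
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        fields = struct.unpack(UTMP_FORMAT, chunk)
        ut_type, pid, line, _ut_id, user, host = fields[:6]
        sec = fields[9]                      # ut_tv.tv_sec
        records.append({
            "offset": off,
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": sec,
            "zeroed": chunk == b"\0" * UTMP_SIZE,
        })
    return records, len(data) % UTMP_SIZE


def find_anomalies(records):
    """Return [(offset, reason)]. All-zero records are what zap-style tools leave behind;
    a USER_PROCESS record without a user name, or a timestamp earlier than the previous
    record, points at an edited file, since wtmp only grows by appending in normal use."""
    issues = []
    last_time = 0
    for rec in records:
        if rec["zeroed"]:
            issues.append((rec["offset"], "all-zero record"))
            continue
        if rec["type"] == USER_PROCESS and not rec["user"]:
            issues.append((rec["offset"], "login record with empty user name"))
        if rec["time"] < last_time:
            issues.append((rec["offset"], "timestamp earlier than previous record"))
        last_time = max(last_time, rec["time"])
    return issues


def make_record(ut_type, pid, line, user, host, sec):
    """Pack one record; used here only to construct sample data."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: two clean logins, one wiped record, a logout, one edited login.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "198.51.100.7", 1_000_000),
    make_record(USER_PROCESS, 1340, "pts/1", "bob", "192.0.2.9", 1_000_600),
    b"\0" * UTMP_SIZE,                                   # zeroed by a zap-style tool
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1_000_900),
    make_record(USER_PROCESS, 1500, "pts/2", "", "203.0.113.4", 1_000_300),
])


def scan_wtmp(data: bytes):
    """Parse a wtmp image held in memory and report every anomaly found."""
    records, leftover = parse_wtmp(data)
    issues = find_anomalies(records)
    if leftover:
        issues.append((len(data) - leftover, f"{leftover} trailing bytes, not a whole record"))
    return issues


if __name__ == "__main__":
    for offset, reason in scan_wtmp(SAMPLE_WTMP):
        print(f"offset {offset:6d}: {reason}")
```

On a real host you would read /var/log/wtmp (or whichever of the default paths listed above applies) into `scan_wtmp`; the checks are deliberately cheap so they can run from cron alongside the log-shipping to a remote loghost that the text admits is hard to tamper with.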


Survival rule 6: understand and handle the installed security programs

What?
On secured servers, security programs are launched at periodic intervals by cron. These programs check file sizes or analyze the servers' logs. They can also be stored in the adm or ~bin directories (for the sniffers).
Against:
Automated detection of the spy programs installed by the intruder (replaced sniffers, programs or Trojan horses)
How:
Get at the cron settings.
The default directory of the crontabs is /var/spool/cron/crontabs.
Check all the entries, especially the "root" files, and analyze the launched programs.
For example run "crontab -l root".
The audit programs can be: tiger, cops, spi, tripwire, l5, binaudit, hobgoblin, s3, ...
The question is to know what they record and whether they record... If they are active and record the sniffer files installed by the intruders:
update the program's data files (use the learning mode)
modify the program...
Correcting the results of the file-size checking programs
These programs are very easy to write and thus difficult to identify on a target system.
For the best known, here are the default locations (generally protected):

Program    Default location                          Executable name
tripwire   /usr/adm/tcheck, /usr/local/adm/tcheck    databases, tripwire
binaudit   /usr/local/adm/audit                      auditscan
hobgoblin  ~user/bin                                 hobgoblin
raudit     ~user/bin                                 raudit.pl
l5         compilation directory                     l5

Modifying the checks:
- modify the parameters so as not to check a file
run "tripwire -update /bin/target" for example.
- modify the list of files to be checked
When replacing a standard program, use the "touch" command to modify the atime and mtime. ctime can only be changed by writing to the disk...
When installing a sniffer, encrypt the output data...
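The rule above concedes two things a defender can build on: size-only checkers are trivial to fool, and `touch` resets atime/mtime but ctime only moves when the inode is written. The script below is an editor-added example, not code from the original text or from tripwire, l5 or the other tools listed: a minimal baseline-and-compare checker that records size, mtime, ctime and SHA-256 per file, then shows that a same-size replacement whose mtime has been put back is still reported through the hash (and normally the ctime). The scenario, file names and contents are constructed in a temporary directory.

```python
"""Baseline-and-compare integrity check (added example). Records size, mtime, ctime and
SHA-256 per file and reports what differs later; a content change survives a touch-style
reset of atime/mtime because the hash (and ctime) still differ."""
import hashlib
import os
import shutil
import tempfile
import time


def fingerprint(path: str) -> dict:
    """Collect what a size-only checker misses: the content hash and ctime, next to size/mtime."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            digest.update(block)
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "ctime": st.st_ctime_ns, "sha256": digest.hexdigest()}


def baseline(paths) -> dict:
    """Snapshot every path; in practice this database is kept read-only or off the host."""
    return {p: fingerprint(p) for p in paths}


def compare(base: dict) -> dict:
    """Return {path: [changed attributes]} for every path that no longer matches the baseline."""
    findings = {}
    for path, old in base.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        new = fingerprint(path)
        changed = [key for key in old if old[key] != new[key]]
        if changed:
            findings[path] = changed
    return findings


def demo_touched_replacement() -> list:
    """Constructed scenario: a binary is replaced by same-length content and its mtime put
    back to the recorded value; returns the attributes the checker still flags."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "login")      # hypothetical monitored binary
        with open(target, "wb") as f:
            f.write(b"original binary\n")
        base = baseline([target])
        saved_mtime = base[target]["mtime"]
        time.sleep(0.05)                             # let ctime move on coarse filesystems
        with open(target, "wb") as f:
            f.write(b"trojaned binary\n")            # same length: size check stays silent
        os.utime(target, ns=(saved_mtime, saved_mtime))   # atime/mtime restored
        return compare(base).get(target, [])
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("still detected after mtime reset:", demo_touched_replacement())
```

The design point is that the baseline must include something the intruder cannot rewrite with `touch`: the content hash is the reliable one, ctime is a useful second signal, and size or mtime alone is exactly the weak check the text says is "very easy to write".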


Survival rule 7: know the system administrators

Who is root?
To find the 1 to 6 system administrators, check the .forward file, the alias entries, the sulog for root, the "administration" groups, and the password file.
Check root's security measures
Once in their directory, check the .history/.sh_history/.bash_history files to find the usual commands, check the .profile/.login/.bash_profile files to locate the aliases, check that no automatic security checks or logging are carried out, and check the ~/bin directories looking for audit programs (ls -alR ~/ or ls -alH under HP-UX)
