Lecture 8: Covering tracks

Security vulnerabilities and penetration testing
Dr Phillip James
Where are we? Covering our tracks
Reconnaissance -> Scanning -> Gaining Access -> Maintaining Access -> Covering Tracks (optional) -> Report
Covering tracks
"Covering Tracks" is the final technical stage of a penetration test as a process.

Aim: erase any digital traces left by the pen tester during the earlier stages of the test. These digital traces show a pen tester's presence in the targeted computer system.

Many people see this as hacking... but if agreed in the terms of engagement, it can provide insight into a company's reaction strategy.
Detection areas
Detection can be split into:
• prevention of real-time detection (Anti-Incident Response);
• prevention of digital evidence collection during a post factum inquiry (Anti-Forensics).

Anti-incident response often comes down to real-time confusion, whereas anti-forensics depends on which traces remain and on how much time has passed.
Anti-incident response
Confuse/hide from whoever is watching!

Rootkits are effective, especially kernel-level ones:
• Hiding from running process lists – ps, top, the Windows process list.
• Hiding network connections from the view of common tools – netstat.
• Maintaining a wide variety of malware on the network -> unique malware instances per host, or a low population of each, so that one recovered sample does not give away the rest.
Example: confusion
• Deploy multiple inactive backdoors -> never touch these systems.
• Create a trail of activity at a faster pace than it takes to investigate -> dump random files everywhere! You will be seen, but the investigators cannot keep up.
• Choose busy servers -> event logs cycle within minutes to hours; network activity is not out of place.
• Choose file servers as data staging areas -> hard to spot the files, and slow to do so.
Example: hiding network traffic
Invoke a standard library call to access web traffic instead of opening your own socket. On Windows: use the Internet Explorer COM object to communicate via HTTP, so that the traffic appears to come from the IEXPLORE process.

In code: an API function that calls the IE COM object.

Anti-forensics
"Delete, change or conceal digital evidence, with the ultimate goal being the manipulation, destruction or erasure of digital evidence."

By utilising specific forensic tools, a forensic expert can outsmart almost all clean-up programs.

Example: how do you delete a picture on Windows? Even after the file is gone, a thumbnail of the picture should still exist in the Explorer thumbnail cache:
%userprofile%\AppData\Local\Microsoft\Windows\Explorer

Even if the thumbnail has been removed, forensic examiners could attempt to restore it via file carving.
Example: hiding executables
Packers: compress the executable into compressed data using an algorithm, which changes its signature etc. The compressed data and the decompression code are combined into one executable. When the binary is run, the decompression code recreates the original code from the compressed data before executing it on the fly. Like steganography, but not.

Binders: combine malicious code with another binary to create a new binary. The signature of the malicious code is modified.

Also: NTFS alternate data streams (demo later).
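The packer mechanism described above, worked through as an added example that is not part of the lecture: a toy packer that compresses and XOR-obfuscates a payload, a naive byte-signature scanner of the kind a packer is meant to defeat, and the unpack step that a decompression stub (or a scanner that emulates the stub) performs. The payload bytes, the signature string, the XOR key and the "STUB" header are all constructed for illustration; a real packer wraps PE/ELF bytes and prepends executable stub code.

```python
"""Toy packer: a static byte-signature scanner stops matching once the payload
is compressed, and matches again once the blob is unpacked in memory.
Added example, not lecture code. Payload, signature and key are constructed."""
import hashlib
import zlib

# Constructed stand-in for a malicious binary (a real packer wraps PE/ELF bytes).
PAYLOAD = b"MZ\x90\x00" + b"EVIL_BEACON_v1 connect 10.0.0.5:4444 " * 8 + b"\x00" * 64
# Constructed stand-in for an AV byte signature taken from the payload.
SIGNATURE = b"EVIL_BEACON_v1"
# Constructed obfuscation key; a real packer embeds or derives one as well.
XOR_KEY = 0x5A


def scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static scanner: does the signature occur verbatim in the bytes?"""
    return signature in blob


def pack(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Compress the payload, then XOR-obfuscate the compressed bytes. None of
    the original byte sequences survive, so both the file hash and any
    substring signature change. The 4-byte length lets unpack() sanity-check."""
    compressed = zlib.compress(payload, 9)
    obfuscated = bytes(b ^ key for b in compressed)
    # A real packer puts decompression *code* here; we use a marker instead.
    return b"STUB" + len(payload).to_bytes(4, "big") + obfuscated


def unpack(packed: bytes, key: int = XOR_KEY) -> bytes:
    """What the stub does at load time: undo the XOR, then decompress."""
    if not packed.startswith(b"STUB"):
        raise ValueError("not a packed blob")
    expected_len = int.from_bytes(packed[4:8], "big")
    original = zlib.decompress(bytes(b ^ key for b in packed[8:]))
    if len(original) != expected_len:
        raise ValueError("length mismatch after unpacking")
    return original


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def demo() -> dict:
    """Scanner verdict at each stage, plus the two hashes an AV would compare."""
    packed = pack(PAYLOAD)
    return {
        "raw_detected": scan(PAYLOAD),              # signature visible
        "packed_detected": scan(packed),            # signature gone
        "unpacked_detected": scan(unpack(packed)),  # unpack-then-scan finds it
        "raw_sha256": sha256(PAYLOAD),
        "packed_sha256": sha256(packed),
        "roundtrip_ok": unpack(packed) == PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defender's counter is the third line of the result: a scanner that runs or emulates the stub and then scans memory sees the original bytes again, which is why modern engines unpack before matching and why packers alone buy little against them.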


Example: timestamps
Forensic analysts will look for recently changed files. stat shows three times on a *nix file:
• access: updated when you open a file or when it is used for other operations like grep, cat, head and so on.
• modify: updated whenever you update the content of a file or save a file.
• change: updated when the file attributes are changed, like changing the owner, but also whenever you modify a file.

Example: a changed modified date that makes no sense (the slide shows stat output for a file whose modify time does not fit its other timestamps):

Example: log tampering
Log files record the health and state of the OS and its services and, amongst other things, malicious activity.

Example: SSH attempts (Uni machine):

Log file locations:
• Windows: Event Viewer
• Linux: /var/log
• macOS: /Library/Logs
Note: manipulation of log files normally requires root (or administrator) privileges.
Tools and techniques
Only the simple ones; many are very technical and need more than one lecture!
Alternate data streams
Alternate data streams are part of NTFS. They do not show up with standard commands like dir or ls; in fact you need to know their exact name. (Caveat: dir /R and PowerShell's Get-Item -Stream * do list them, and they are lost when the file is copied to a non-NTFS filesystem such as FAT or exFAT.)

Example:
type stuff.txt > hiddenstuff.txt:malicious.txt

That's it.

This created an ADS named malicious.txt, copied the contents of stuff.txt into it, and attached it to hiddenstuff.txt (creating hiddenstuff.txt if it did not already exist). A plain dir shows hiddenstuff.txt with its own size only.

It can be viewed by referring to the full name:
notepad hiddenstuff.txt:malicious.txt
Timestomp
Timestomp is a Meterpreter command that allows you to modify, erase, or set the MACE attributes (modified, accessed, created, entry-modified) on files. A simple way of changing file access and modification times.

Touch
Change the access time of a file to the current system clock:
touch -a file.txt

Change the modified time:
touch -m file.txt

Specify times:
touch -t [[CC]YY]MMDDhhmm[.SS] file.txt

• CC – the first two digits of the year
• YY – the last two digits of the year
• MM – the month
• DD – the day
• hh – the hour
• mm – the minute
• SS – the seconds

Caveat: touch cannot set the change time (ctime). The kernel bumps it to the current time as a side effect of the call, so a file whose modify time is years older than its change time is exactly what an examiner's stat will show.
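The access/modify/change distinction from the timestamps slide and the touch -t / timestomp technique above, worked through as an added Python example that is not part of the lecture. It backdates a file the way touch -t 201001011200 would and then applies the stat comparison an examiner uses. It assumes a POSIX filesystem, where st_ctime is the inode change time (on Windows it is the creation time instead); the file name, contents and the 2010 date are constructed.

```python
"""Backdate a file's access/modify times as `touch -t` or timestomp would, then
run the examiner's check: a change time (ctime) far newer than the modify time.
Added example, not lecture code. Assumes POSIX semantics for st_ctime."""
import os
import tempfile
import time
from datetime import datetime, timezone


def backdate(path: str, when: datetime) -> None:
    """Set atime and mtime to `when` (naive datetimes are taken as UTC).
    ctime cannot be set from userland; the kernel updates it to 'now' as a
    side effect of this very call, which is the giveaway."""
    ts = when.replace(tzinfo=timezone.utc).timestamp()
    os.utime(path, (ts, ts))


def mace(path: str) -> dict:
    """The three POSIX times stat(1) prints."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_timestomped(path: str, slack_seconds: float = 2.0) -> bool:
    """Examiner's heuristic: on a file that has not been chmod'ed, chown'ed or
    renamed since its last write, ctime should sit within a couple of seconds
    of mtime. A ctime much later than mtime means the metadata was touched
    after the claimed last write."""
    t = mace(path)
    return t["ctime"] - t["mtime"] > slack_seconds


def demo() -> dict:
    """Create a file, check it, backdate it, check it again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")  # constructed sample file
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        before = looks_timestomped(path)  # fresh write: ctime ~= mtime
        # Equivalent of: touch -t 201001011200 notes.txt
        backdate(path, datetime(2010, 1, 1, 12, 0, 0))
        after = looks_timestomped(path)  # mtime in 2010, ctime is now
        t = mace(path)
        return {
            "before": before,
            "after": after,
            "mtime_year": datetime.fromtimestamp(t["mtime"], timezone.utc).year,
            "ctime_is_recent": abs(t["ctime"] - time.time()) < 60,
        }


if __name__ == "__main__":
    print(demo())
```

The slack value is a judgement call: normal editors and package managers produce ctime and mtime within the same second, so a gap of minutes, let alone years, is worth a second look, and the check is cheap enough to run across a whole tree with os.walk.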
Clearing logs
meterpreter > clearev
The clearev command will clear the Application, System and Security logs on a Windows system.

Brutal, but who checks? Windows does: clearing the Security log writes event ID 1102 ("The audit log was cleared") and clearing the System log writes event ID 104, so a monitored or forwarded event log records the clearing itself.

clearlogs.exe -sec
A simple program that does the same as above.
Don't forget to remove clearlogs.exe!

Linux: rm -rf!
Easy, right?
...but do you really want to delete everything? An empty /var/log is itself a red flag.
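Selective tampering, the alternative to the wholesale clearing above and to the log-tampering slide before it, worked through as an added Python example that is not part of the lecture. It scrubs every auth.log line naming the attacker's address, as sed -i '/198.51.100.23/d' /var/log/auth.log would, and then runs the consistency check an examiner applies to what is left. The sshd log lines, the hostname web01, the PIDs and the address 198.51.100.23 (from the documentation range TEST-NET-2) are all constructed.

```python
"""Selective log tampering and the inconsistency it leaves behind.
Added example, not lecture code. All log lines below are constructed in
Linux auth.log format; 198.51.100.23 is a documentation address."""
import re

# Constructed sshd entries: a legitimate login, then a brute force and a
# successful root login from the attacker's address.
AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.8 port 40122 ssh2
Mar  3 09:12:01 web01 sshd[2210]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 09:40:17 web01 sshd[2210]: pam_unix(sshd:session): session closed for user deploy
Mar  3 11:03:44 web01 sshd[2388]: Failed password for root from 198.51.100.23 port 53120 ssh2
Mar  3 11:03:49 web01 sshd[2388]: Failed password for root from 198.51.100.23 port 53120 ssh2
Mar  3 11:04:02 web01 sshd[2391]: Accepted password for root from 198.51.100.23 port 53144 ssh2
Mar  3 11:04:02 web01 sshd[2391]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 11:27:55 web01 sshd[2391]: pam_unix(sshd:session): session closed for user root
""".splitlines()

ATTACKER_IP = "198.51.100.23"

# sshd[<pid>]: <message>
PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")


def scrub(lines, ip):
    """The attacker's edit: drop every line naming the address, nothing else
    (what `sed -i '/198.51.100.23/d' /var/log/auth.log` does)."""
    return [ln for ln in lines if ip not in ln]


def orphan_sessions(lines):
    """Examiner's consistency check: every 'session opened' for an sshd PID
    must be preceded by an 'Accepted ...' line from the same PID. The PAM
    lines carry no IP, so an IP-based scrub leaves them behind as orphans.
    Returns the (pid, user) pairs with no matching login record."""
    accepted = set()
    orphans = []
    for ln in lines:
        m = PID_RE.search(ln)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("Accepted "):
            accepted.add(pid)
        elif "session opened for user" in msg and pid not in accepted:
            user = msg.split("session opened for user ", 1)[1].split()[0]
            orphans.append((pid, user))
    return orphans


def demo() -> dict:
    tampered = scrub(AUTH_LOG, ATTACKER_IP)
    return {
        "lines_removed": len(AUTH_LOG) - len(tampered),
        "orphans_before": orphan_sessions(AUTH_LOG),
        "orphans_after": orphan_sessions(tampered),
    }


if __name__ == "__main__":
    for line in scrub(AUTH_LOG, ATTACKER_IP):
        print(line)
    print(demo())
```

Three lines vanish and the file still looks tidy, yet PID 2391 now has a root session with no login to account for it. The same cross-checking applies between sources: auth.log against wtmp, or the local file against the copy a remote syslog collector kept, which is the real reason to forward logs off the host.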
Don't log my shell (*nix)
Shell command history is stored in ~/.bash_history.

The number of commands kept in the shell's in-memory history is determined by the environment variable HISTSIZE (HISTFILESIZE governs the file on disk).

Example: we could set it to zero by typing:
export HISTSIZE=0
This sets the stored history length to 0 for the current shell. (Alternatively, unset HISTFILE stops the current session being written to disk at all.)

Note: this does not remove previously saved history! Handy!


Erasing command history (*nix)
The shred command with the -zu switches will overwrite the history file (finishing with a pass of zeros) and then delete it:

shred -zu .bash_history

Shred is very useful in general! Caveat: it assumes the data is overwritten in place, which is not guaranteed on journaled, copy-on-write or log-structured filesystems, or on SSDs with wear levelling; an examiner may still carve the old contents.


Summary
(noun: a brief statement or account of the main points of something)
• Anti-incident response: hiding, confusion.
• Anti-forensics: hiding executables/files, timestamps, log tampering.

Lab: Hiding.

Next week: The final phase, plus legalities.
