
Covering Tracks and Hiding in the Internetwork Security | ECE 4112, Lab Reports of Electrical and Electronics Engineering

Material Type: Lab; Class: Internetwork Security; Subject: Electrical & Computer Engr; University: Georgia Institute of Technology-Main Campus; Term: Fall 2009;

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009

koofers-user-8yoheftp7w

ECE 4112 Internetwork Security
Lab: Covering Tracks and Hiding

Group Number: _______________
Member Names: ________________________ ________________________
Date Assigned:
Date Due:
Last Edited: 12/5/2020
Lab Authored By: Group 33 (Fall 2005): Ecleamus Ricks, Jr. (gtg420s), Lee Lewis, Jr. (gtg937y)

Goal

This lab will address the methods and defenses for attackers attempting to cover up their malicious operations.

Summary

In this laboratory you will examine how attackers can hide evidence of their presence by altering and/or deleting event logs. You will also learn how attackers can easily hide and disguise files from system administrators. This laboratory also examines a steganography tool which allows data to be hidden in local files (e.g. image files).

Equipment

Windows XP virtual machine
Red Hat 7.2 virtual machine

Background/Theory

Many attackers enjoy publicizing their successful exploits for various reasons, including boasting to friends or embarrassing their victims. However, far more attackers prefer to keep their activities as discreet as possible in order to maintain long-term access as well as to stockpile resources for later use. In order to keep system, network, and security administrators from detecting their presence, attackers alter the event logs to remove records associated with their activities, and hide and disguise files that hold malicious code or stolen data.

Most UNIX system log files are written in standard ASCII and require root privileges for modification. Since the logging methods vary between UNIX versions, it is difficult to write a standard log editing script that will work on all varieties. The utility syslogd reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file.
Outside of the log files, the main accounting files in UNIX are the utmp, wtmp, and lastlog files, which are written in a special binary format. These files cannot be edited directly using a standard editor. An additional type of accounting/logging of particular concern to attackers is individual users' shell history files. The shell history stores a complete list of all commands entered by the user on the command line. Shell history files are written in plain ASCII as well and can easily be edited in a text editor.

Windows runs an event logging service called EventLog to track all of the activity that takes place while a user is logged onto the computer. The Event Viewer utility allows the user to view the log files produced by EventLog, since they cannot be opened with a standard text editor. The Event Viewer separates the log into three categories: Application, Security, and System. The information associated with these categories is sent to three files: APPEVENT.EVT, SECEVENT.EVT, and SYSEVENT.EVT. SECEVENT.EVT stores security-related events, including failed login attempts and attempts to access files without proper permissions. SYSEVENT.EVT stores events associated with the system's functioning, including the failure of a driver or the inability of a service to start. APPEVENT.EVT stores events associated with applications such as databases, Web servers, or user applications.

The Steganography program enables you to use digital data hiding techniques (steganography) to hide and encrypt files within other files (carriers) such as picture or sound files. This allows you to encrypt sensitive information while at the same time hiding it in a file that will not look suspicious, so nobody even knows that there is any encrypted information. The carrier files are fully functional and identical to the original files (except for size), so if data was hidden in a picture file, the picture can still be viewed normally.
Lab Scenario

We will be navigating through the log and accounting files on both Windows XP and Red Hat systems, as well as using a steganography tool that enables data to be masked behind another file type. The Red Hat 7.2 virtual machine will be used to examine the UNIX-based operating system and the Windows XP virtual machine will be used to examine the Windows-based operating system.

1 Altering/Deleting Event Logs

UNIX

As mentioned earlier, most UNIX systems' log files are written in standard ASCII and require root privileges for modification. Since a missing or empty log file would raise a flag to administrators, skilled attackers use their preferred text editor to remove the messages that might reveal their presence (assuming the attacker has root privileges on the system) instead of just deleting the log files. The location of the log files can be found in the syslogd configuration in /etc/syslog.conf. On the Red Hat 7.2 virtual machine, use a standard text editor of your choice to open syslog.conf.

Q1.1 List the name and location for all the log files included in syslog.conf.

users and system administrators. Now run the ls command again, but this time include the -a option.

# ls -a

Q2.2 What file names were omitted in Q2.1?

An even subtler technique involves naming files or directories with a period followed by one or more spaces. Type the following commands.

# mkdir ". "
# ls -a

Most administrators would overlook the directory we just created, since it resembles one of the two standard directories "." and "..", which indicate the current directory and parent directory, respectively.

Q2.3 How can you detect this type of camouflaging?

Windows

The method for hiding files on Windows systems is much more direct. Copy the directory named HiddenFilesXP from this lab's folder on the NAS to your Windows virtual machine. Open the folder.

Q2.4 List the file names visible in this folder.

To hide the file dummyfile1:
1. Right-click the file name.
2. Select Properties.
3. Select the option to make the file hidden (see Figure 1).

Discovering these files with the hidden attribute can be just as easy.
1. Choose 'Folder Options' from the 'Tools' toolbar.
2. Select the 'View' tab.
3. Make sure the 'Show hidden files and folders' option is chosen (see Figure 2).

*Note: If this option was already chosen, Q2.4 will include the hidden files as well.

Figure 1. File properties to change view type
Figure 2. Folder options to display hidden files

3 Steganography

This part of the lab will use the Steganography 1.6.5 program to demonstrate how easy it is to hide data in another file. A trial version of this software can be downloaded for free at http://www.securekit.com/. This program gives you the option to hide a small text message or one or more files that you select inside another file. It uses 256-bit encryption and advanced compression, and you can specify a password to extract the hidden files (see Figure 3).

Figure 3. Steganography 1.6.5 interface

Copy the setup file from this lab's folder on the NAS to the Windows virtual machine. Run the setup with the default settings (just press Next and OK at any prompts). Run Steganography by double-clicking the icon on the desktop. Copy the buzz.gif image file from the NAS to your virtual machine and use it to disguise a message or text file:
1. Click on the folder icon under the HIDE heading, next to Step 1.
2. Browse for buzz.gif (this image will be your carrier file).
3. Click 'Add' under Step 2.
4. Select the 'New Message' option.
5. Name your message.
6. Type a sentence of your choice in the text box.
7. Name the new file.
8. Provide a password and click 'Hide'.
9. Close the tool.

Q3.1 Compare the two images, before and after performing steganography. How can you tell that one of the images has been altered?

Now the attacker could replace this image on your website in order to send messages to other persons who know the password, without you even knowing.
1. Open up the tool.
2. Click the folder on the UNHIDE side.
3. Browse for your carrier file.
4. Enter your password.
5. Click Unhide.

Q3.2 List some ways (at least two) one can defend against steganographic abuse of files.

References

[1] Skoudis, Ed. Counter Hack. Prentice Hall, 2002.

3 Steganography

Q3.1 Compare the two images, before and after performing steganography. How can you tell that one of the images has been altered?

Q3.2 List some ways (at least two) one can defend against steganographic abuse of files.

How long did it take you to complete this lab? Was it an appropriate length lab?

What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus, if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the title "Lab Addition", your addition subject title, and must start with a paragraph explaining at a high level what new concept may be learned by adding this to the existing laboratory assignment. After this introductory paragraph, add the details of your lab addition.

Turn-in Checklist
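A defender-side scan for the camouflaged names from section 2 (a directory named "." followed by spaces, and the related dots-and-whitespace, whitespace-padded and control-character names), added here as an example that is not part of the original lab handout. The scanned tree is constructed in a temporary directory; its layout and file names are assumptions.

```python
import os
import re
import tempfile

# Name patterns that imitate "." and ".." or carry padding that a plain ls listing hides.
ONLY_DOTS_AND_SPACE = re.compile(r"[.\s]+")
EDGE_WHITESPACE = re.compile(r"^\s|\s$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def classify_name(name):
    """Return a reason string if a file or directory name looks camouflaged, else None.
    Ordinary dotfiles such as .bashrc are not flagged; only names built solely from dots
    and whitespace, names padded with whitespace, or names with control characters are."""
    if ONLY_DOTS_AND_SPACE.fullmatch(name):
        return "dots-and-whitespace"
    if EDGE_WHITESPACE.search(name):
        return "leading/trailing whitespace"
    if CONTROL_CHARS.search(name):
        return "control character"
    return None

def scan(root):
    """Walk root and return sorted (path, reason) pairs; repr() keeps the padding visible."""
    findings = []
    for parent, dirs, files in os.walk(root):
        for name in dirs + files:
            reason = classify_name(name)
            if reason:
                findings.append((repr(os.path.join(parent, name)), reason))
    return sorted(findings)

def demo():
    """Build a constructed tree (assumption: layout only) and scan it."""
    root = tempfile.mkdtemp()
    user = os.path.join(root, "home", "user")
    os.makedirs(os.path.join(user, ". "))        # the lab's mkdir ". " directory
    os.makedirs(os.path.join(user, ".config"))   # a normal hidden dir, must not be flagged
    for fname in ("notes.txt", "report "):       # second name carries a trailing space
        open(os.path.join(user, fname), "w").close()
    os.makedirs(os.path.join(root, "tmp"))
    open(os.path.join(root, "tmp", "..."), "w").close()
    return scan(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(reason, path)
```

Answering Q2.3 in practice, the same check can be scheduled against /tmp, /dev and home directories, where a dot-space name has no legitimate reason to exist.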
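One way to work Q3.1 and to implement the baseline-hashing defense that answers Q3.2, added here as an example that is neither the lab's nor the Steganography 1.6.5 vendor's code: compare a carrier image against a known-good copy by SHA-256, by size, and by walking the GIF block structure to measure any bytes past the trailer that a viewer never renders. Assumptions: the 43-byte 1x1 GIF and the appended text are constructed test data, and the trailer walk is a generic check for payloads appended after the image end marker, not a claim about how Steganography 1.6.5 embeds data.

```python
import hashlib

# Constructed 1x1 GIF89a (43 bytes): header, logical screen descriptor, 2-entry
# global colour table, graphic control extension, image descriptor, LZW data, trailer.
ORIGINAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
                + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
                + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
SUSPECT_GIF = ORIGINAL_GIF + b"hidden payload"   # constructed: bytes appended after the trailer

def gif_end_offset(data):
    """Walk the GIF block structure and return the offset just past the 0x3B trailer.
    Any bytes beyond that offset are not part of the image a viewer renders."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")

    def skip_subblocks(p):                # data sub-blocks: length byte, data, ..., 0x00
        while data[p] != 0:
            p += 1 + data[p]
        return p + 1

    flags = data[10]
    pos = 13
    if flags & 0x80:                      # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (flags & 7))
    while True:
        block = data[pos]
        if block == 0x3B:
            return pos + 1
        if block == 0x21:                 # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 2)
        elif block == 0x2C:               # image descriptor (9 bytes), optional local table
            lflags = data[pos + 9]
            pos += 10
            if lflags & 0x80:
                pos += 3 * (2 << (lflags & 7))
            pos = skip_subblocks(pos + 1) # skip LZW minimum code size, then image data
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))

def compare_carrier(baseline, current):
    """Report what changed between a known-good image and the copy found on the web server."""
    return {
        "hash_changed": hashlib.sha256(baseline).digest() != hashlib.sha256(current).digest(),
        "size_delta": len(current) - len(baseline),
        "trailing_bytes_baseline": len(baseline) - gif_end_offset(baseline),
        "trailing_bytes_current": len(current) - gif_end_offset(current),
    }

if __name__ == "__main__":
    print(compare_carrier(ORIGINAL_GIF, SUSPECT_GIF))
```

A stored baseline hash is the part that generalises: a carrier whose payload is hidden inside the pixel data rather than after the trailer still changes its SHA-256, so the hash comparison catches a swapped website image even when the trailer check reports nothing.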