This meeting was held in exciting Las Vegas, Nevada, from July 9th through the 11th, 1999. This is video tape number 35: How to Be Aware of Security Problems on Your Network.

Again, for the cameraman: sometimes I move around a lot. I am kind of hyper. My name is Craig Rowland. I do run a website, oops, called Psionic Software, basically my own home page. It's really not a company. The website address is up there. That's my email address. If you need to contact me for any question, recipes, whatever, just write me there. I'll be happy to get back to you. I'm generally pretty responsive. Sometimes things fall through, like my filter somehow. That doesn't happen too often. So give it a shot.

Today I'm going to talk about basic ways to detect an intruder. From my experience, I've done a lot of system auditing work as well as intrusion detection systems, and actively right now I do work on security auditing tool development. The easiest way to detect an intruder is awareness. It's just there three times because you need to really be aware of what your computers are telling you. In almost every case there's going to be an indication of what that person is doing on your network, and there's always going to be some way that you can detect it. Specifically, you need to be aware, and it matters so much, because computers almost always tell you when there's a problem. As stealthy as you want to be, if someone's coming in and causing bizarre application errors, like, for instance, you're running BIND 4.9.5. It's been working great. One morning at 2 AM it core dumps, for no reason whatsoever. It's never done that. You've had it up for over a year. What's the problem? Maybe you should look into it: if someone's trying a remote root overflow exploit, it's certainly going to tell you what's going on. System errors too. When someone's banging on your system, it's very hard to be quiet.
And even though a daemon may not specifically say, "Oh wow, I'm being hacked," it may emit other error messages that certainly show that there's going to be a problem. So, for instance, if you do a standard port scan against rsh, it's going to say "illegal connect" or "connect on an illegal port". Basically what that means is someone connected to your rsh daemon from a high ephemeral port number. It may not necessarily be a hack, but it certainly points to the fact that they're probably doing some type of port scan on you. Other things too: users may notice an application isn't working right, or that there are corrupted or missing files, or somehow some type of data that they thought they had entered is missing, or it's been corrupted, or it's returning incorrect values. These are surely indicators that something's going on there. A lot of problems you find on systems aren't caused by the computer systems themselves. There's almost always some type of human behind it. It may not be deliberate; it could just be a user fouling up somewhere. But a lot of times it can also indicate that there's some intruder hanging around there.

The second point there is that every interaction with the computer system causes a change in its state. I don't care how subtle it is. If you log into a box, you change multiple items on that system that can be logged, audited, traced, and accounted for. This doesn't include just the basic stuff such as the log files themselves; you have process accounting records, login accounting records. You have changes in maybe the swap file. You have changes in how much CPU is being used. All these things can be looked at and monitored, and you can detect whether or not a problem is actually happening before it's become a really big issue.

And the last thing here, and this is the thing that, as an attacker, this is what they focus on: attackers really are counting on you not to notice their presence.
This is why there's so much stealth and sneaking around involved when you're hacking a system. Even the time of day that a hacker attacks a box is typically related to two things. One could be the insomnia, which is always present. But the second thing, too, is, you know, at 3 AM people really aren't watching the boxes too closely. So really, what they're counting on is that you're not going to be aware that they're there.

So the basic thing that I call the prime directive of computer security is that under no circumstances do you ever allow an intruder onto a host system you control. This is for a variety of reasons. The basic one is that once an intruder gets on your box, you're quickly losing how many options you have left to prevent their spread throughout the entire network. In fact, I spent a lot of money this weekend contacting an animation and design house, and I made three special slides just for DEFCON. It's very important, because we're going to illustrate the exact thing that's going to happen if an intruder gets a single toehold on one of your systems. The first thing they're going to do, whoa, and I get all the way to the end, and that's really bad. I'm an act! There's the evil hacker. The first thing he's going to do, he's going to start crawling through your network, and he's just going to start breaking the sheets. He's got sniffers loaded up, he's got Trojan horses fired up, he's going to have, he's going to have buy an enterprise, he's going to be social engineering users, he's going to be grabbing passwords, he's going to be going through your network and he's going to be pulling out no-password accounts. He's going to be cracking the passwords once he pulls the passwords back to his system, and he's just going to go on and on and on.
Once he takes control of your network, and this is going to happen once they get on a single host, we've seen it lots of times, once they take control of your network there's only one possible thing left for them to do, and Hollywood has shown us this time and time again. And that is, in fact, the hacking of the WOPR supercomputer. At this point they're going to take over the military-industrial complex in the United States, which includes the jets, the helicopters, the tanks, the Viking slave ships, and they will eventually take over the fleet of hot air balloons, and they will take your tired, sleepless, ragdoll sysadmin and they're going to fly him up to the highest altitude they can attain and they're going to throw his pathetic security remains over the side. And as he's falling to the ground, he's going to realize something: that because he allowed that person onto the one network, he is in fact responsible for the total world domination of the hacker. As they spread from continent to continent, they're going to attack and attack and attack until finally the entire planet is overrun and there's nothing he can do about this.

Now there are two basic reasons. There are two reasons. That's the end of my presentation. Thank you. Now, there are two reasons I'm showing you this. Number one is to prove that Microsoft provides way too much clip art for a person like me to effectively use in a presentation. And point two is to illustrate the fact that once a person gets on your host, the amount of damage they can do by concealing their activities, spreading from host to host and taking control of your network begins to approach infinity, and the amount of options you have left to control their spread through your network and clean up the situation rapidly approaches zero.

So basically I have what I call four tiers of network security. Tier one you can see over by the brick wall there on the right-hand side. These are your classical security measures.
These are your filters, your firewalls, centralized dial-ins, and also good network design and administration. This is really important. A bad network design from the beginning damages security so badly it's hard to put into words. If you're going in for a network redesign, make sure security is designed in from the beginning. These are effective because they prevent the attacks from even beginning, and that's really the best way to keep something from happening. It's like you have a house with an alarm system. Sure, you have motion detectors, but it sure would be nice to have bars on the windows so they can't get in to begin with. And this is really, you need to make sure this is a very strong part of your network security architecture, although there are certain changes in the Internet that are kind of destroying the whole concept of a hard perimeter, because new services are emerging that don't necessarily mesh well with this. But in any event, you should make sure that this is a key component of anything you do.

Tier two: tools that promote network-wide awareness and protection. Network-based IDS, internal packet filters. So you have a packet filter that splits up sales and R&D; there's no reason they should have absolute direct communication with each other. Centralized log file auditing. These are effective at detecting attacks, but maybe they can't necessarily do anything about it. Now, an IDS maybe could spot an attack and stop it, but log file auditing is maybe going to tell you that there's something going on that you need to look into; it might not be able to take action directly itself.

Tier three: this is basically saying that someone is actively attacking your host, and this is really the last phase in mounting an effective defense.
This is your network-based IDS again, host-based IDS, your log file auditing on a per-host basis, wrappers, filters, and other very centralized or distributed host-based security mechanisms that you may have deployed throughout your network. And again, this is the last available defense before your host is potentially compromised. Excuse me? Intrusion detection systems.

Now, the fourth tier is what I call the coffee tier, because this is when you're going to be awake a lot. Pretty much your security has failed. I'm not saying that checksums and the like are bad; I'm just saying that a checksum is telling you that someone has broken into your host and they changed something. Now you're at the point where you're going to really need to start looking at your backups, and maybe start seeing, if someone has gotten onto your network, how bad the incursion has been, and then try to start cleaning up. You really don't want to get to this point.

My tools that I've written are basically designed to work at tier three, or maybe a little bit at tier four, but basically my core premise is to keep people off the host to begin with, under all circumstances. I really don't want to handle it once a person gets on; there's very little you can do. I have a tool in mind that may help a little bit with the tier four side of things, but again, it's kind of a little too late at that point.

And here I am, I'm going to misapply Occam's Razor, and I'm going to talk a little bit about Occam's Razor and the art of computer security. Occam's Razor is, I guess, a philosophy or technique used in the scientific method, and basically what it says is very simple: when faced with two hypotheses that explain the data equally well, choose the simpler. You can use this for a variety of things, but for computer security it applies very nicely.
So, for instance, you have a system hacked. The first thing you need to think of is how it was done, and you should think: is it an elite exploit that isn't out on the web yet, or is it a common hole that perhaps I overlooked? The answer almost always is it's probably a common hole you overlooked, so you need to look into that first, and if you can't find an answer at that point, then you really need to move on and say maybe this is something unknown, and then escalate from there. So the basis of my tools is to use generic and simple detection methods first and always. The same thing should be done when you're securing your network: you should really watch for and fix common problems first. When you're looking through your network, let's say you just spent 10K, you bought a brand new security scanner and you've run it. Well, you want to look at the easy things first, because those are going to be the ones that other people are going to find. So you have your exotic exploits, which may involve some type of very unique situation with sequence numbers, or some type of exact buffer offset with a particular CPU type to get it to execute, or you look at the fact that you're exporting everything via NFS, you have unpassworded accounts, or there's transitive trust all over the place and someone can just crawl through your network using rsh. You want to always fix the simple things first, and likewise with security tools. I'm kind of the same way: people are going to try the easy things first, and so that's really what I'm going to watch for, and then I'll escalate if I have to.

Now, the tools are basically pretty simple. Logcheck has been around for about 5 years; it just does log file auditing. It's pretty basic. In some ways it's kind of getting a little behind, because I haven't updated some of the keyword databases in a year or two. PortSentry does port scan detection, and HostSentry does login anomaly detection, and that's my most recently released tool.
Logcheck itself just watches log files. It's really simple. It's amazing how much information is gathered in the log files when someone's attacking you. The thing is, you need to be able to look at the log files and determine what is and isn't a problem, and if you don't know what is or isn't a problem, then at least you have the information around to show someone else who may be able to pull that information out. Logcheck basically is a clone of a TIS Gauntlet script called frequentcheck.sh. This is probably from the older version of Gauntlet. I saw it a couple of times, I liked how it operated, it was pretty nice.

Logcheck has three basic phases. The first phase is it's going to report known hacking attempts, so it's actually going to look through, when I have keyword files set up with some of the "VRFY root" or "EXPN something" or trying to pass in a UID, et cetera, et cetera. I know these are hacking attempts, so I'm going to flag them like that. The list isn't very long now, because I really want to avoid false alarms there. The second thing it looks for is reporting possible security problems, and this is done through a variety of mechanisms. Number one, I went through a whole bunch of daemons and I pulled out error messages that they drop to syslog that are probably security problems of some type. The second thing I did was I thought about how an author writing security software would represent something that's bad, which basically means I pull out words that are negative, such as "denied" or "illegal" or "prohibited", and I dropped all these words in the keyword list. The last part here is something I really like from the original script from Gauntlet: basically anything that it didn't recognize as something to ignore, it reports. So if there's something going on that I haven't seen before in a daemon, you're going to hear about it, because I haven't told it to ignore it. This is really nice. Especially a couple weeks ago I had a hard drive start flaking out on me. Well, I didn't know the driver was going to report a whole bunch of read errors, and I might not have seen those in the logs, but because it showed up as something not to ignore, it immediately came up and I could look into the problem itself.

Now, here's some examples I have here. This is very basic: an active system attack will just come up as that. I have a lot of custom daemons that report information to me. In one case here, right after the, I guess it was a named hole before, I forget which, but someone was doing BIND version requests all over the place. It just comes up and it'll just tell you; it's pretty simple. The second one, too, security violations. This is keyed on the words "security alert", which is something the firewall toolkit did. I kind of liked that, so I'd make all my daemons do that as well. A big problem with Unix in general is that the auditing pretty much stinks. If you get into the trusted versions of the OS it's a lot better, but the problem with the Linux and the BSD versions is that there's no real standard for an author to write to if there's a security problem. So how do they represent a security problem in the log? Really, they make something up and they throw it in there and they hope that someone sees it. Sometimes it's a good message, sometimes it's not. It's one advantage that, for instance, NT has, because out of the box you have different sets of logging for security, system, or application errors, and that really helps going through your log files. I hope that becomes more widespread under Unix.

And here's actually a full thing here. Someone did a heavy scan. I don't have the full thing, because it goes on for pages. They did a heavy scan against a host I controlled here. They tried to EXPN root, generally not a good thing; I frown upon it. They went down here, unusual system events. Here they're hitting the packet filter, and they're having a fun time there trying to hit Telnet, IMAP, and POP3. Oh, they did something else too that was interesting. Here you can see they're coming from the Telnet port going into the Telnet port. That's called source porting. They tried a source porting attack; they tried source porting from the FTP data port, 20, and they also tried regular scans using high ephemeral ports. What they're doing there is they're trying to hop my packet filter. If you've ever tried to do packet filter rules, it's complicated, especially if you have a lot of services going on, and sometimes admins get things a little confused on how to let ports through. So if you perform a port scan and you try to come from the same port as you're going to, if they screwed up the packet filter rule, you could sometimes punch through it, because they set the connection up two ways. So if you're doing port scanning, you should probably try that; if you're trying to protect against port scanning, you make sure you don't do that.

There are some dangers with Logcheck. One is log flooding. If you're on an ancient version of syslog, you need port 514 open. That's a UDP port. A UDP port means that I can send whatever information I want and make it appear to come from anyone, including your own host. So if I just start sending random information into your log files, I could fill up the log files, or it could make your reports come out very long. There's an additional danger too. I don't think Logcheck has this problem, but there are other log file auditors that take action based on what's in that information. If I were to put something into your log file, like some properly placed semicolons, for instance, and you pipe that out to something like a pager script you hacked up, I can start running commands on your host. So you need to remember that log files are a completely untrusted data source. You don't ever want to trust the data in the log files, and you certainly don't want to pull that data out and do anything with it unattended unless you have thoroughly gone through and had something clean it up, because people can really insert some stuff in there. I haven't heard of anyone doing this yet, but it's certainly within the realm of possibilities. If you use Logcheck, don't modify it to make it run stuff based on that, because you could make it really bad. False alarms are another problem too. Sometimes, the way Logcheck is, I can't accommodate every system. You're going to have to go through and tune it. There's no other way to put it; all the log file auditing tools are the same way, pretty much.

PortSentry. This is a tool I wrote in October '97, I think, after an evening I got frustrated because someone kept port scanning a box I couldn't firewall, and it was an older OS that patches weren't readily available for. So I decided just to give them something with the port scan. The way I used to do this is I'd set up tripwire ports using TCP Wrappers out of inetd, but that got me a little bit nervous, because I wasn't using a tool specifically designed for that. So I just went ahead and I wrote something really fast. It would bind a bunch of ports, and when they hit it, it would just drop them out, or it would drop them into a filter. Basically, do you all know what a port scan is? I may have to say, well, I'll explain anyway, because someone doesn't want to admit it. Basically, a port scan is a person attempting to contact your host and see if you have a port open for a hole they could potentially exploit, such as IMAP or portmap or mountd, et cetera, et cetera, and they do this as a recon mechanism. So what you want to do is, if you can detect this early enough, you can actually stop it from gaining that reconnaissance information, and then alert at the same time that someone's doing this, and maybe it's a host you need to watch. Now, there are lots of other tools out there to do this, but PortSentry really has something kind of, I guess, controversial, is there any way to say it?
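Backing up to Logcheck for a moment: the three phases described above (flag known attack keywords, flag negative words such as "denied" or "illegal", and report every line that is not explicitly ignored), written out as an added Python example that is not the speaker's code or the real Logcheck. The syslog lines and keyword patterns are constructed, and each line is neutralised before it goes into the report because, as the talk warns, log data is untrusted input.

```python
"""Logcheck-style three-phase log auditor (added example, not the real Logcheck)."""
import re
from typing import Dict, List, Optional

# Phase 1: known hacking attempts.  Patterns taken from the talk's examples
# (EXPN/VRFY root, BIND version queries, scans from the ftp-data/telnet
# source ports); the list is kept short to avoid false alarms.
ATTACK_PATTERNS = [
    r"\bexpn root\b",
    r"\bvrfy root\b",
    r"version\.bind",
    r"\bfrom [\d.]+:(20|23)\b",        # source-port trick against a packet filter
]

# Phase 2: possible security problems, keyed on the negative words a daemon
# author reaches for when something is refused, plus the firewall-toolkit
# style "security alert" tag.
VIOLATION_PATTERNS = [
    r"\b(denied|illegal|prohibited|refused|unapproved|rejected)\b",
    r"\bsecurity alert\b",
    r"\bfailed\b",
]

# Phase 3: routine noise that is explicitly safe to drop.  Anything not matched
# here (and not caught above) is reported as an unusual event, which is how
# the driver's disk read errors in the talk surfaced.
IGNORE_PATTERNS = [
    r"CRON\[\d+\]: \(\w+\) CMD \(run-parts /etc/cron\.\w+\)",
    r"sshd\[\d+\]: Accepted \w+ for \w+ from [\d.]+ port \d+",
]

# Constructed sample syslog extract; the last line carries an embedded
# terminal escape (ESC [2J) of the kind an attacker can inject into a log.
SAMPLE_LOG = (
    "Jul 10 02:13:44 gw sendmail[412]: NOQUEUE: scanner.example.net [192.0.2.77]"
    " did not issue MAIL/EXPN/VRFY/ETRN during connection\n"
    "Jul 10 02:13:50 gw sendmail[413]: scanner.example.net [192.0.2.77]: expn root [rejected]\n"
    "Jul 10 02:14:02 gw rshd[420]: connect from 192.0.2.77 on illegal port\n"
    "Jul 10 02:14:10 gw named[88]: unapproved query from [192.0.2.77].2049 for \"version.bind\"\n"
    "Jul 10 02:15:00 gw tcplog: telnet connection attempt from 192.0.2.77:23\n"
    "Jul 10 03:00:01 gw CRON[500]: (root) CMD (run-parts /etc/cron.hourly)\n"
    "Jul 10 03:05:12 gw kernel: hda: read error: status=0x51 sector 1048576\n"
    "Jul 10 03:10:00 gw sshd[600]: Accepted password for alice from 198.51.100.5 port 51022\n"
    "Jul 10 03:20:00 gw ftpd[610]: ANONYMOUS FTP LOGIN FROM 192.0.2.77, \x1b[2Jmozilla@\n"
)


def _matches(patterns: List[str], line: str) -> bool:
    return any(re.search(p, line, re.IGNORECASE) for p in patterns)


def safe_text(line: str) -> str:
    """Replace control and non-ASCII characters so that a report cannot carry
    terminal escapes hidden in a log line.  The report is only ever printed
    or mailed, never handed to a shell, because log lines are
    attacker-controlled input."""
    return "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in line)


def classify(line: str) -> Optional[str]:
    """Return the report bucket for one line, or None if it is ignorable.
    Phase order matters: a known attack wins over a generic negative word."""
    if _matches(ATTACK_PATTERNS, line):
        return "active_attack"
    if _matches(VIOLATION_PATTERNS, line):
        return "security_violation"
    if _matches(IGNORE_PATTERNS, line):
        return None
    return "unusual_event"


def audit(log_text: str) -> Dict[str, List[str]]:
    """Run all three phases over a log extract and group the kept lines."""
    report: Dict[str, List[str]] = {
        "active_attack": [], "security_violation": [], "unusual_event": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        line = safe_text(raw)
        bucket = classify(line)
        if bucket is not None:
            report[bucket].append(line)
    return report


if __name__ == "__main__":
    for bucket, lines in audit(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(lines)}) ==")
        for entry in lines:
            print("  " + entry)
```

The first sendmail line and the disk read error land in the unusual bucket only because nothing told the auditor to ignore them, which is the behaviour the talk credits with catching the failing drive.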
I do real-time blocking. So if you hit a port and it's tripwired, you're going to immediately get dropped into a bad route or a packet filter or TCP Wrappers, and your host is going to be actually denied access to the host itself. Now, here I have the benefit of surprise. If someone's scanning your host and all of a sudden it just dies, it really isn't a good feeling, and then sometimes what you'll see them do is they'll actually go to a different host, thinking that there's a bad route, and they'll try coming from that host, and they get dropped there. And there'll be two hosts that are probably hacked, and they're trying to get to your system, and at that point they may wise up and decide to move on, but sometimes they may go to a third host and try their tool, and then usually by then they get the clue. That's kind of a nice thing to have. When you're in warfare, especially if you read The Art of War by Sun Tzu, surprise is a very big factor in winning any battle. You look back through history, surprise has really been a key factor. Here, they're really not expecting anything to happen. They're expecting to get a banner back. Well, you know, don't give them a banner.

If anyone here likes to play games with people, this is merely a foil to the concept like a honeypot, where you set up a system and kind of find out what they're trying to do. It has its application. I think for most people it doesn't, because you keep a person around. I want to spot the problem and get rid of them. You know, go on to the neighbors; I don't want to play with you. I think this is generally a good idea for most people. Sometimes a honeypot can be interesting if you want to see what people are running. Most of the time I don't; I think that most of what they're running is what you can download yourself, and it usually isn't a good idea to egg them on. You start playing games with people, and then they find out, "Man, this was a honeypot the whole time; I just wasted three hours trying to crack this box." You know, maybe they just decide to download a smurf program. A 14-year-old kid with a smurf program can cause a bunch of problems for you. It doesn't take much skill to do that. So usually you just want to get rid of them.

Its operation is pretty straightforward. The first mode binds the TCP ports only, and basically you give it a list of ports, it binds to them and waits for a full connection, and then it drops the host. It's really kind of straightforward. People started writing me and saying, "Wow, it really would be nice if it did UDP; it really would be nice if it did stealth scans." And then I kept saying, "Well, if you do that, someone can forge a scan and then drop your host." And people kept writing, and I figured I'd put the option in, give adequate warning, and let them make up their own mind. That's kind of still my basis today. I've gotten a lot of heat over this, actually. People think that, you know, it's some type of great vulnerability, and I know that, but at the same time I think that people want to weigh the risk. It may not be a tremendous vulnerability for certain hosts, and I think I can provide enough information in the documents that people can make up their mind what they want to do. I don't want to make the decision for them.

As I said here, TCP is really simple and effective. It binds to a bunch of ports, but it may miss some scans, such as a stealth port scan. When I originally released the tool, I actually mentioned the fact that a stealth port scan I didn't think was a big deal, and the reason for this is because, from my experience, a lot of stealth port scanning is a precursor to an actual attack. When people are coming in doing a stealth port scan, they collect their data on a wide variety of hosts, and then they're going to come back later and kind of find out whether or not that host is going to cough up any information. So in this case here, they're going to get a bunch of ports, they're going to come back, and then when they eventually come back and try an attack, maybe by hand or maybe by some other automated script, at that point they're probably going to get dropped, and that might be a little bit worse.

Yes? UDP, as in, basically, it's, I'm trying to think of a, it's a connectionless protocol, but it's completely unauthenticated. It's connectionless, meaning that I can send a packet to the host; it doesn't attempt a handshake of any type, so at that point I can make the packet be whatever I want, and the host is just going to accept it. It really has no way of verifying it's coming from that host, versus TCP, where you actually have a three-way handshake that's going to happen, with full sequence numbers to protect the whole session as it's occurring. And yes, while in the past it has been possible to forge this, with modern kernels it's extremely difficult to do.

The raw socket mode basically works, this is a stealth scan detection mode, it only works on Linux right now. This, for the first cut, is for expediency, I have to admit. Linux has this feature where I can open a raw socket and just start reading packets off the wire. I don't need to set it in promiscuous mode, I don't need libpcap or any other libraries on top of that. It is more complex, but it does catch most scans. It certainly catches most of the nmap scans, but it does have a higher false alarm possibility. In fact, in the latest version of nmap they put in a feature called a decoy feature, and I'm not sure what caused it to be put in, although I highly suspect it was the release of this tool. But basically, with the decoy feature you give it some decoy hosts, and as it's scanning you, it also hits you with these fake hosts. It attempts to trip PortSentry to block all these hosts at the same time. I haven't had any complaints of people using that directed towards me. If you've been hit by it, I'd love to hear about it, but I haven't heard from one person yet. It's not on other platforms yet, because it's going to require a lot more code, a lot more investigation, and certainly it's going to
be a lot more complicated as I've said I think it's going to use more CPU power on the other systems probably have to do promiscuous mode on her face and it's just going to require a lot more time which I don't have right now if I want to get these other tools done too now Black's host in three ways dropping them out TCP wrappers or packet filters packet filters are the best built they're designed for the task and they work really well all the modern units kernels out there have some type of packet filter capability built in you should really use that TCP wrappers work but they don't protect all services if you have HTTP for instance it's not wrapped it's a liberal app you're not going to get any protection from TCP wrappers and other services like that too top one here change the default route the default route is 333-444-555-666 you have not a valid IPv4 address so you need to change that some people on news groups are saying just leave it alone that's incorrect you want to change that the problem dropping around is that you cause something called an asynchronous route meaning the packets come in but they don't go out and it sounds like basically what this means for TCP it's okay because that way the handshake doesn't complete the first send packet comes in the send act doesn't go back out and gets the host UDP this is not okay if they're trying to port scan your host or they have a particular service they want to attack you can do blind spoofing with UDP you don't need to get the packets back if you already know how the protocol's going to behave you can still abuse it so this is really not the optimal way to do this it does work it's not optimal if they're attacking their UDP based service they can't do it blind and not have any real issues yes if they're doing a port scan they're expecting an ICMP portal reachable or some other indicator but let's say that they do a port scan and they don't get anything back but they decide to run their UDP attack script and 
the UDP attack script doesn't really care if it gets anything back it just wants to do a blind spoof and if it's doing a blind spoof then you're going to get hammered dropping the route is not going to help you there it's an asynchronous route but packets still do hit your kernel they're just not making a back out so you need to be really careful deployments times are pretty simple compile, configure start one of the options for TCP and one of the options for UDP if you want to do that the only one I endorse and I say this multiple times in the doc is dash TCP it just does a bind to all the ports it requires a full connect for a detected port scan this is going to be very hard for some of the spoof against that's the only one I endorse if you want to do the other ones you need to weigh the risks most of the time the risk probably won't affect you but if you're running a high visibility server or you like egging people on it's probably going to bite you sooner or later and then you automate it in your init scripts and then you kind of leave it alone and that's another premise of my tool is I like to have them be simple to set up and you kind of leave them at that point you just don't need to touch them anymore you just kind of let them do their job here's some examples here someone's coming in example.com they hit port 143 here port sentry just tells you okay I'm going to put them in TCP wrappers with that I'm going to block them and then it's going to drop them here using a packet filtering command at that point later on you're going to see here here's what happened it started in 1906 and then they went down here and they just kept trying and you know sometimes people will sit there for hours and it's probably your scripts are timing out correctly in fact I'm sure but there's one out there I know I don't want to say it I don't want the bug fix it doesn't time out it'll just keep sitting there it's sitting there it's sitting there and also too it'll come back days 
later and try to connect again so I leave them in there for a while I call it the penalty box so they'll sit in there for a while they will come back actually and retry again and like I said sometimes they'll come from multiple hosts and this is really advantageous because now they're like it's sometimes those hosts may be when you control it's kind of nice to know that dangers again I hit on denial of service if someone is forging stuff forging packets they can cause a stuff and even P-Modes activate it's not hard to do a second point here is over reliance sometimes you figure you have these tools installed well I'll just wait until I update don't do that it's not a substitute it's source of argument security doesn't work place basic administrative tasks and lastly it may be an unnecessary application if you have a firewall that's already secure don't run another app on it if you don't have to even if it is a security app like I said there's a possibility I could have screwed up similar there could be some type of remote attack available you just don't want to expose yourself in that way if your host doesn't absolutely need it you may not just say well I don't care if they port scam me I have a firewall I don't run it on it I just say okay I don't care and sometimes that's the choice sometimes it's not you're going to have to weigh it on a case-by-case basis host century is something to release definitely not as popular as port century tools it does something called log-in anomaly detection and what log-in anomaly detection does is basically it's going to watch user login activity and this came out of a situation about three or four years ago I was helping out with security and ISP and one morning the admins noticed a very high CPU on a host out on the west coast and at this point he logged in and found out that basically I had a sniff on a crack running out at the same time so we went in there to figure out what was going on and basically what happened is a user 
had their password sniffed. It happens all the time; in fact, it's quite pathetic. A colleague of mine went on a rant before about the fact that when protocols are presented in the form of an RFC, they really need to go through a security audit, and if they can't pass it, they really shouldn't be approved. There's no reason why some of the more modern protocols like POP and IMAP pass unencrypted passwords over the wire; it's kind of ridiculous. In this case this user had his password sniffed by using POP, coming out of a university that had people all over it, and the person logged in from a European country and kind of went to town on the server. This is very common; some of you may have had the exact same thing happen to you. It's very hard to defend against. If this person hadn't fired up a sniffer and a crack program, you may not have spotted them, just because they're logging in as a normal user. So it's important, I think, to watch some of this. It is kind of Big Brother-esque, but sometimes you need that as a sysadmin if you want to maintain security.

What HostSentry does is basically monitor wtmp and utmp, or similar audit data. Right now this is alpha-grade software; it's only monitoring the wtmp and utmp files. It maintains two databases. One is a TTY state database, and this keeps track of the current logins and logouts occurring on the host. This is for a variety of reasons: one is so HostSentry knows who's logging out, of course; the other is to help track it between reboots and whatnot, to make sure that its own internal records are being cleaned up correctly. The second one is a user database. As soon as you log in, you're immediately going to get a user record. That user record is going to have your user name, it's going to have when you were created, it's going to have your first login, which includes not only the time you logged in but where you logged in from and what TTY, and it's also going to have a large field called track logins,
and what this does is keep track of all your logins, including where you logged in from, again your TTY, and your login and your logout times. It's also going to have whether or not you're allowed to log in at that hour, whether or not you're allowed to log in on that day, and whether or not your account's been disabled by the admin or disabled by the HostSentry program itself. As you're logging in and logging out, HostSentry runs modular signatures as required.

Now, there are several indicators that HostSentry actually attempts to spot at the moment; the ones with asterisks are not fully implemented yet. Again, this is experimental development software. The basic ones are login and logout, not too high-tech, except that again, across Unix platforms the way these are logged is not consistent, and sometimes if you're trying to track this stuff it can be a real big pain. The second one is odd login times. After you've logged in a certain number of times, the tool has the ability to look at your past logins and develop a profile of what's going on. In this case, for this signature, it will look at your past logins and develop an average time window, so if you're logged in between 8 and 5, there's no reason you should be logged in at 2am; that's what it's going to look for. First-time logins: that's a really big deal. I know it sounds kind of silly, but if you run a Unix host and people don't need a shell account or shell access, please don't give it to them, because shell access is the biggest security problem with Unix by far, the fact that it allows you to have interactive access. For a first-time login, if you have a person who's only doing POP and that's all they need to do, you know, the secretary, the Johnny account, whoever it is, and then you see that they log in for the first time, and they don't even know how to type, let alone how to use Unix, you really need to look into that, because it's very suspicious activity. Foreign domains, in quotes:
basically, this is a domain that you don't control. So if you're running, you know, example.com and someone's coming in from haxer.com, you probably want to find out why they are. At the same time, you know, if you're a domain in Germany and someone's logging in from Malaysia, again, another very suspicious activity you need to look for. Unusual username inserted: there's another one too. This is kind of a strange one, but basically I know what user names are supposed to be in the password list, and if a person logs in with a username I'm not familiar with, that's an attack. The reason for this: a recent exploit, I think it was a statd overflow, like a lot of them, inserts a line at the bottom of the password file, like root or hack or whatever, and at this point they'll set it so it has a null password, or some password they already know about. So they log in, they jump into a shell, and they have root access immediately. Well, with this type of signature in there, when they log in, HostSentry will look them up and say, "they're not in the user database I'm familiar with," so that's another way to maybe do a little bit of CYA. Strange file modifications: a plus in an .rhosts, or other oddball things you'd be able to look for with the tool. Strange directories: when they log out, HostSentry will look through the directory for dot dot dot, dot dot space, the other oddball names that people use to hide things in. Things to look for: history file tampering. When you're logging out, it's going to make sure your history file is there. It's going to look you up in the password list, it's going to check what shell you have, and for that shell it's going to see if that history file is truncated, deleted, or linked to /dev/null, all very suspicious activities. Multiple concurrent logins: it's probably not what you think. Basically, if someone's logged in and they have five xterms opened from a single host, not a big deal. But if that same person is logged in five times and they're logged in from Sweden, Malaysia, China, Jamaica, and Haiti, you
really need to look at that, because that's suspicious activity. Invalid utmp entry: when you log out, HostSentry will look through and see if you have a matching utmp login record; maybe you've been zapped out. Suspicious history commands: running a network game, an eggdrop running when you log out. Yeah, a lot of you probably want to know that; I don't like that program running on systems I control, but I think that's suspicious activity too, if your policy prevents network games from your account. Some people do allow it. File exists: you can put in a name of a file you want to look for, and if it's in the directory it'll flag you. Inactive account used: a lot of times people will create accounts, like a corporation, and maybe they get logged into once just to test, right, but then they're not used again, but they have to stay there for various policy reasons, or maybe email access or whatever. Well, if that account is used for a login six months later, you should know about it. The database entry, again, the one with the asterisk, I apologize, I haven't done yet; it will be soon. It will flag that and say, you know, this is an inactive account that's become active again; maybe you want to look at this.

Some examples here; sorry for the verbosity. The security log here: here I am, I'm logging in, here's my TTY, here's some host, and here it goes, first-time login. I didn't have a database entry, so it's going to tell you about that, and here it says a foreign domain user calling from some host, or somehost.com as the case may be. At that point it will then go through and do what it needs, and here you go, I have a logout, just saying that I'm logging out. I come back and log in again; let's say I modify the foreign domain to say allow some host to come in. Well, next time I log in, I'm just logging in and logging out, it's pretty basic, no signatures fired. It's a little test user. Test user logged in here, well, in .rhosts he dropped a plus plus in, so it takes some action against that.
Furthermore, they have an odd domain here, and they have what, dot dot dot? Not a good directory to have in your user space, unless they really like having confusing directory names. If someone names a directory like that, it's pretty suspicious, I think. Further down here you have a history truncated, and it says here that it's a symbolic link to .bash_history. Again, not a good thing. If someone's linking to /dev/null, they're hiding their activity. A lot of history files only write their data for the current session after they log out. So if you just remove the file, like a lot of people think they're slick, they remove the file, they think their history is clean, and they log out, but the last thing the shell does is write out the history file, so they think that they've gotten away but they really haven't. So the smarter people generally try to link it to /dev/null. One thing someone does that's kind of interesting with history files for the users, I forgot his name, I'm sorry, but he does append-only mode on all his users' history files using the secure level flags, and that could be something useful for you.

Database record: here I'm going to dump the database, and here's what's in the user database: created, the first-time login here, my logins only, so you can see what's going on with these stamps here. Login days and hours aren't implemented yet. Whether it's disabled, these are just flags, and a total number of logins. This database will track all the users on your system, and eventually I'm going to have tools written up that can actually crawl through this entire thing and design pretty little web pages, so you can actually track all this stuff and what users are doing.

Ways to be unaware, again. Dangers: wtmp and utmp, again, getting back to Unix, really, they've been around for decades but they're really just not very good. There's a possibility people can tamper with them. I'm assuming that root is not compromised on the host when these tools are running; it's
obvious that if root is compromised, people can really do whatever they want to anything, including my own tools. So it's possible that they could somehow tamper with the ability to write out that they're even logging in, and I may miss it. Additionally, if it's a service that allows a login without writing to wtmp, I may miss that too, so that's another possibility. The utmp records are all different between BSD, Linux, and Solaris. Linux and Solaris are okay because their host record size is large enough; it's 255 bytes. That means if your host name is 255 bytes or below, I'm going to see the entire thing. Linux goes a step forward because it also includes the IP address. Really, any audit record should always include the IP address, because DNS entries are so easy to screw around with. The problem with BSD is that the ut_host size in the utmp struct is either 16 or 32 bytes long, so if you come in from a host named really, really, really, really, really, really, really, really long hosting.com, it's going to truncate it down to 16 or 32 bytes, and the records themselves may not be as complete as you'd like. In the case of HostSentry, since I'm relying on that information to be there to make certain comparisons with foreign domains and whatnot, you may get inaccurate results back if that's compromised. The last thing is, I consider it like a last line of defense. It does not replace good security measures such as protecting the passwords. If you use services like POP and IMAP, you just need to make sure you take other measures too that are a little bit more robust.

Closing thoughts are pretty straightforward. With a little bit of paying attention, your systems are almost always going to tell you there's a problem; I can't exaggerate that enough. You need to be aware of other activity on your network too, such as increased network traffic at certain hours or days, maybe network devices that aren't functioning as they should, maybe a password all of a sudden doesn't work the way it used
to, and nobody on your team has changed it. All these things are just little subtle indicators there's a problem. The last thing: using Bugtraq and other security forums is a very great way to stay informed of the latest problems. And Q&A links: I'm going to put two there. One is for my web page, which has the papers and tools there; one is SecurityFocus's website, which has a lot of free tools and security papers, really well organized. I would put up, I know I would put up Packet Storm Security, but there's a certain individual on the net who likes causing problems for people, and I'm not sure of the state of the site right now. It's unfortunate; it's a very nice site.

Questions, comments? Yes? Oh yes, I'm sorry, I have presentations, I do, I always put them up on the web; this will be up on the web when I get back. Comments?

Thank you. Both my thoughts: it's great, you can keep talking about everything, that's all you're doing, but you definitely have to do other things.

Yeah, you guys have a question? Yeah, I agree. I like to make tools that can last for a long time, for that reason. It takes a lot of work to write software; it's all in my spare time. I try to do at least a few hours a week; sometimes I do four to eight hours a day if I can, but of late it's actually been less than a couple hours a week, and that's just for a variety of circumstances related to work, my real work.

Okay. So ideally they hit the first port. Like what I'll do, if you're doing the basic TCP binding, I always have it bind a few of the low ports first. If they're doing a sequential scan, they hit those first, and by the time they get up to, you know, a higher port, they've already been dropped. If you're on a fast network with Nmap, it may be able to hit quite a few ports before they get dropped, because the machines are reacting fast enough; they just spray a bunch of packets, maybe hit one or two ports, and by that time they're dropped and you just
kind of vanish. Oh my god, I'm sorry, I'm sorry. Yes? Yep. Well, if someone is forging packets to complete your port scan, are you asking, are they forging packets to cause a denial of service? Yeah, that's a possibility. I mean, that's just something you need to deal with if you're doing stealth scan detection. And again, it depends how high-profile of a target you are and how sophisticated an attack you're expecting to come in. This is assuming that they actually know you're running the tool. You know, you never want to really go out and tell everyone what your internal security measures are. I mean, sometimes, as much as people like to rag on security through obscurity, it actually really does have its place. So if they know you're running the tool, which I think it's very foolish for you to go out and tell people what your internal security measures are, again, yeah, they could do that. But are they? Because what's the purpose of their attack? Are they trying to gain access to your host, or are they trying to... So you need to ask that question. If someone's playing games with you and you run the -tcp mode, which probably is a full connect, it won't matter, because they're not going to get any data back that's going to cause the port scan detection to fire. They're just going to get back, oh, maybe some open port; they're going to have to go back and do a full TCP connect to it, and then they're going to be shut out at that point if they're interested in looking at that port.

Yes? Yes, yes. Yeah, typically, you know, if they're trying... well, there are variations. I know there have been port scan detectors written before that require several ports hit at once, but notice there's a change in the trend: a new exploit comes out, you know, IMAP; they're not going to scan my entire box, it's IMAP on this host, IMAP on this host, IMAP on this host. So sometimes you need to just activate on that one port; it may not hit a series of ports. You need to be ready to respond to the
one actual attack. Anyone? Yes. Like I said, I've seen scripts before where you need to be on the subnet where you think the sniffer is, and the scripts will try to connect to some host and then see whether or not another host in that immediate subnet has done a DNS lookup on that IP; at that point you can maybe pinpoint what it is. But if the sniffer is not resolving the IP addresses, which all the newer ones don't do, you won't catch it. And there were, like I said, some other tools that I think the SNI people were playing with that would do a timing check against it. The other way you could do it is go to each host and check whether promiscuous mode is on, but then they can hack that so it looks like it's off if they've rootkitted ifconfig. But there are other utilities available that you can compile on a secure box, bring onto that system, and run, and they may tell you whether or not that thing's in promiscuous mode. Another indicator too is just a very high CPU utilization and an odd process name. Again, they could have gone in and replaced the ps command or anything else, but if you bring on a secure set of tools you can sometimes spot it that way. High CPU is a pretty good indicator. Yeah?

Did the L0pht release their tool yet?
Yeah, okay, yeah, I haven't seen it yet. I really am interested in looking at it; it sounds like what I need. The L0pht is releasing a tool called AntiSniff, which may be able to help with what you're talking about. I'm sorry, I don't have more information; I'd like to look at it myself. It sounds very useful. We're checking... I think CERT had one or two at their website that can detect promiscuous mode. Of course, if it can get on the box, that'll tell you it's promiscuous, but again, if they've gone in there and changed that, or if they've done some kind of loadable kernel module or something to obscure that fact, you might have a real problem.

Yes? It's different if someone did it right; there is no way to tell, if it's set up to work that way.

Yeah, that gets into a religious war. One of the ways to do it yourself is to have the interface entirely listening and never put an address on it. It's, you know, I agree. I mean, if someone puts up a promiscuous mode card that has no addresses or network protocols bound to it, it could probably be a real problem. But yeah. Anyone else? Good.
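The login-anomaly signatures the talk attributes to HostSentry (first-time login, odd login hour, foreign domain, unknown username, multiple concurrent hosts, inactive account reused, missing utmp entry, and the logout-time checks for a history file linked to /dev/null, a "+ +" in .rhosts, and oddly named directories), as an added example that is not the talk's or Psionic's own code. The login records, user list, local domain, and every threshold are constructed for the demo; a real monitor would read them from wtmp/utmp and the password file.

```python
"""Login-anomaly signatures of the kind HostSentry is described as running.
Added example, not the talk's or Psionic's code: records are constructed rather
than read from wtmp, and every threshold and name below is an assumption."""
import os
import tempfile
from collections import namedtuple
from datetime import datetime, timedelta

Login = namedtuple("Login", "user tty host time")  # one parsed wtmp-style record
LOCAL_DOMAINS = ("example.com",)            # assumed: domains the site controls
KNOWN_USERS = {"alice", "bob", "pop-only"}  # assumed: names from the passwd list
INACTIVE_DAYS = 180      # assumed: unused this long counts as an inactive account
PROFILE_MIN_LOGINS = 5   # assumed: logins needed before an hour profile exists
ODD_DIR_NAMES = {"...", ". ", ".. "}        # names commonly used to hide directories


class LoginMonitor:
    """Per-user history (the 'user database') plus open sessions (the 'TTY state')."""

    def __init__(self, known_users=KNOWN_USERS, local_domains=LOCAL_DOMAINS):
        self.known_users, self.local_domains = set(known_users), tuple(local_domains)
        self.history = {}  # user -> list of past Login records
        self.active = {}   # user -> {tty: host} for sessions not yet logged out

    def is_foreign(self, host):
        return not any(host == d or host.endswith("." + d) for d in self.local_domains)

    def on_login(self, rec):
        """Return the signatures that fire for one login, then record it."""
        alerts, past = [], self.history.get(rec.user, [])
        if rec.user not in self.known_users:
            alerts.append("unknown_username")  # e.g. a line appended to passwd
        if not past:
            alerts.append("first_time_login")
        else:
            if rec.time - past[-1].time >= timedelta(days=INACTIVE_DAYS):
                alerts.append("inactive_account_used")
            hours = [p.time.hour for p in past]
            if len(past) >= PROFILE_MIN_LOGINS and not min(hours) <= rec.time.hour <= max(hours):
                alerts.append("odd_login_hour")  # outside this user's usual window
        if self.is_foreign(rec.host):
            alerts.append("foreign_domain")
        sessions = self.active.setdefault(rec.user, {})
        sessions[rec.tty] = rec.host
        if len(set(sessions.values())) >= 3:  # one user, three distinct hosts at once
            alerts.append("multiple_concurrent_hosts")
        self.history.setdefault(rec.user, []).append(rec)
        return alerts

    def on_logout(self, user, tty, home=None):
        """Close the session; run the home-directory checks when a home is given."""
        alerts = []
        if tty in self.active.get(user, {}):
            del self.active[user][tty]
        else:
            alerts.append("no_matching_utmp_entry")  # never logged, or zapped
        return alerts + (home_checks(home) if home else [])


def home_checks(home, history_name=".bash_history"):
    """Logout-time checks: history tampering, wide-open .rhosts, odd directory names."""
    alerts, hist = [], os.path.join(home, history_name)
    if os.path.islink(hist) and os.path.realpath(hist) == os.path.realpath(os.devnull):
        alerts.append("history_linked_to_devnull")
    elif not os.path.exists(hist):
        alerts.append("history_missing")
    elif os.path.getsize(hist) == 0:
        alerts.append("history_truncated")
    rhosts = os.path.join(home, ".rhosts")
    if os.path.isfile(rhosts):
        with open(rhosts) as fh:  # "+ +" trusts every user on every host
            if any(line.split() == ["+", "+"] for line in fh):
                alerts.append("rhosts_plus_plus")
    if any(n in ODD_DIR_NAMES and os.path.isdir(os.path.join(home, n)) for n in os.listdir(home)):
        alerts.append("odd_directory_name")
    return alerts


def build_suspicious_home():
    """Constructed home directory that trips all three logout-time checks."""
    home = tempfile.mkdtemp(prefix="hs-demo-")
    os.symlink(os.devnull, os.path.join(home, ".bash_history"))
    with open(os.path.join(home, ".rhosts"), "w") as fh:
        fh.write("+ +\n")
    os.mkdir(os.path.join(home, "..."))
    return home


def demo():
    """Constructed scenarios; returns {scenario: alerts}."""
    mon, out, day0 = LoginMonitor(), {}, datetime(1999, 7, 9, 9, 0)
    for i in range(6):  # alice: six logins between 09:00 and 10:00 build a profile
        mon.on_login(Login("alice", "pts/0", "desk.example.com", day0 + timedelta(days=i, hours=i % 2)))
        mon.on_logout("alice", "pts/0")
    out["alice_2am"] = mon.on_login(Login("alice", "pts/0", "desk.example.com", day0 + timedelta(days=7, hours=-7)))
    mon.on_login(Login("pop-only", "pts/1", "mail.example.com", day0))
    mon.on_logout("pop-only", "pts/1")
    out["pop_after_200_days"] = mon.on_login(Login("pop-only", "pts/1", "mail.example.com", day0 + timedelta(days=200)))
    for n, h in enumerate(("a.example.com", "b.example.com", "c.example.com")):
        out["bob_%d" % n] = mon.on_login(Login("bob", "pts/%d" % n, h, day0))  # bob stays logged in
    out["appended_account"] = mon.on_login(Login("r00t", "pts/9", "dialup.example.net", day0))
    out["ghost_logout"] = mon.on_logout("alice", "tty7")
    out["home"] = home_checks(build_suspicious_home())
    return out
```

The caveat the speaker raises about BSD applies directly to is_foreign: a ut_host truncated to 16 or 32 bytes can no longer be matched against a domain suffix, so a long local hostname would be reported as foreign. On such platforms the comparison is better made on the logged IP address, as the talk recommends for any audit record.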