This is the release of KIS, and hi, I'm Optyx. So, I'm going to... No, it'll work, it just takes a bigger font. It's not my laptop, so... Yeah, you can do bigger fonts if you want to. Let's do it all, I'll just... You have to exit on it. Okay, so I'm going to start by showing how to configure the client and the server. You actually configure the server with the client, so you go to Server, Options, Server Config, and you have to set a modulus and a remainder value and key one and key two, which act as passwords. And then you have to specify an install directory and the binary to trojan. And I click Save. And you save this as a header file, so server.h, and then copy this over to the directory of... Well, I'll demonstrate that in a second. So, here I've already got the server.h copied over, and so I copy that to the KIS server source tree directory, and I do make, and note the disclaimer: for educational purposes only. I'd like to make this clear, this is an educational tool. And it... Oh, wait. And it makes a binary called KIS. And then if I run that, then I go back over to my GUI and I do Options and Client Configuration. Here I can choose if I want to spoof the source of the packets, if I want to get results, and then you have to set the local IP and port. You have to set the local IP that you're sending the packets from. So if you're behind a NAT network, you'd specify the external IP of your NAT box. This is 60. And then I can save this as client.h, and you see it's bound to the socket so that I can receive results, because I checked the Get Options box. The first option is Ping, and we specify the target here. It doesn't matter what port we fire the commands to, because that is irrelevant to the protocol that KIS uses. So I can specify a random port, and then I can send a ping, and you see I get the ping response. Shutdown Server obviously shuts down the server. Remove Server removes it, so that it restores the binary that it backdoored.
And if you look at the binary that I backdoored, it hasn't been modified. It's on the same inode, because it copies a backup and then redirects syscalls for file statistics back over to the original file. So it looks unmodified. Yes, and whenever you do Remove, it restores the original binary the way it was when you installed it. I'm going to skip over a few of these features and come back to them. List P-hides lists all the hidden processes on the machine. I can hide processes. So here I have two shells logged in, or actually a lot. Can you exit out of those shells? So here I have three shells logged in, and currently I'm on TTY3, pts/3, and I see the PID of the bash I'm running is 1152. So I go over to my GUI, I enter in 1152, Hide Process, and it says PID 1152 hidden. So if I list processes in the terminal that's not hidden, I see 1152 is no longer listed for shells running. But inside the hidden process, I can still see it. From here it automatically hides any files, directories and network connections that I make from hidden processes. So if I telnet out to another host, you don't see the connection in the connection listing. lsof won't pick it up either. Oh, lsof is on... No, no, that's on my machine. This is all done at the kernel level, so that bypasses lsof. Which? I'll cover that. Actually, yes, and I'll get to that in a second. And so inside hidden processes, I make a directory, and I look in my non-hidden process, and I don't see it. And I can see it inside the hidden process. I can change directory to it. Outside a hidden process, I cannot change directory to it. It looks like it does not exist. You cannot stat these files. You cannot rename them outside of hidden processes. And another thing about the binary trojan: it redirects stuff like utime to update the time on it, so you can touch the file, and it'll actually update the original that it's kept as a backup. So it returns bad permission.
That's an un-reversible way of detecting this, but you'd have to know the exact file name. But you can't really get around that. Inside a non-hidden shell, if you try and make a directory or a file that's hidden, what's the error message, or does it work for a user in a non-hidden shell? And... Okay, proof is in the butter. And you see that this file exists. You can return any error. It's configurable. You just change the error return value, so you can say EPERM, any error you want; you can even have it say that it doesn't have enough pageable memory, and it confuses the hell out of people. I can unhide processes from the GUI. I can remotely start processes as hidden or unhidden. So if I do a hidden cp /etc/shadow /tmp/bob, it says it started the process as PID 1331, and I see it copied the file. Alright, so execution redirection. A common problem that a lot of hackers run into is if you modify binaries on disk, then if they're running a binary check somewhere like Tripwire, it'll catch that you've modified the binary. What this does is whenever you execute a program, it actually executes another program, but it's transparent to user space, so the program thinks that it's running out of the location that you specified to run. So if I redirect /bin/chown to /bin/ps, I see that I got a process listing when I run chown. So I can do this with sshd and have it actually execute a trojaned sshd, and any file checksum checker would not pick this up. Based off of the execve strings? No, it's actually whenever it calls the execve syscall, it sees the string /bin/chown, and it redirects it to /bin/ps, but it doesn't modify argv, so the program thinks it's running as /bin/chown. No, I've got a command line client. It's on my web page. I'll mention that in a bit. File system controls. I can hide files, list the hidden files, and there's two methods of hiding files. The one that it ships with by default actually keeps an internal linked list, so that there's nothing...
it doesn't modify anything to do with the file. But a method that the TESO guys and a few other people used is they change it to a UID, and if the file matched that UID, then it would hide it from directory listings. The problem with this is you can just loop through, chown-ing a file through all possible UIDs, and if it disappears, you know you've been owned, and that's a problem. Network control. You can hide and unhide network connections. If you specify just a port, it'll hide everything coming in from that port. If you specify an IP:0, it'll hide all connections from that machine. The plug-in interface. It has the capability to use kernel modules as plug-ins or user space binaries as kernel plug-ins. Inside hidden processes, you can execve kernel functions. So let me demonstrate that. Well, here I'll show you the code for this first. So all this does is a standard execve of any arguments you pass in, and as the file name parameter, if you pass in a zero, it won't print anything. If it has return values, if you specify one, it'll print it out to the current TTY. So I specified one so that I can see what I'm doing, and I can do, say, hide file temp, and it says temp hidden. And, yeah, so that's pretty self-explanatory. It's for Linux 2.2 and 2.4. This is very kernel-specific code because it is a kernel module, but you could easily port it over to other platforms, because it's just concepts that you have to port over. And so I can load plug-ins, and I'll get back to the plug-in interface after I talk about the communication. So this all communicates without listening ports. The traffic can be spoofed both ways, and you can still get results, even if you spoof it. I can do a demonstration of that. And to the client, you can pass in parameters -c and then the client header file, and then -s and the server header file, so you don't have to go through the config again. Yeah, I guess I can't do that.
Okay, so if I go back to my client config, I can select the Spoof box and specify an IP. If I specify an IP of zero, it spoofs from a random source IP every time. If I specify a port of zero, it spoofs from a random port every time. An easy way to get through firewalls, since this is all loosely based on the UDP protocol; it's routed as UDP. You can spoof source port 53 and the IP of their name server and hop through a lot of firewalls. So I'll just do random. Yes, educational purposes. As in different levels of access to this? In terms of port? Oh, no, I can specify any port. So I can specify nine. Yeah, so that's a good port number, I think. Okay, so I think this feature is broken under OpenBSD. I've only tested the client spoofing capabilities under Linux, but yeah. So the way the communication works is, I came to the problem that with a lot of other remote control agents, it's easy to tell if they're hooking the IP stack, because it increases the latency of the IP stack, and you can detect it with anti-sniffers. So what I did was, whenever you set up the client or the server configuration, you specified a modulus value, a remainder value and the two keys. What it does is when a packet comes in off the IP stack, it takes the modulus of the length of the packet, and if the remainder matches, it's a possible command packet. From there, it passes it on to SHA, so it takes the source IP, the destination IP, the destination port, and shared secret one, which is key one, sends that through SHA and XORs the packet with it, and if the first part of the packet matches shared secret two, then it's a valid command packet. This means if you change the port you're firing it to, it completely changes the encryption key. If you change the source IP, it changes the encryption key. Yeah, so it can be signatured. The traffic can't, that is. Yeah, when it generates the IP, when it's doing the encryption of the packets, it uses that IP that it randomly generated. Excuse me?
No, if you change the port that you're sending the command to, it'll... Oh, yes, yes. It would be the same encryption system. So what else? Okay, as far as the plugin capabilities go, you can just take and compile plugins; there's a plugin interface for the kernel that I wrote. It uses the standard module loading capabilities. You just have to define a few functions, and all this does is send you back what you specified as an argument. So I compile this. Okay, that's... Red Hat 7.0 decided to ship with beta builds of GCC, and so you get tons of assembler warnings, because that was a poor move on their part. So what I can do to load plugins is I can either load them through the client, or if I want them to load at startup, I can just cat them onto the back of the KIS server, and they'll load... It recursively loads anything you clip onto the back of it. And... Yeah. Okay, so... Well, there's some other options I've got in here as well. And by default it ships this way: anti-security, which means anti-security modules. It can actively disable every kernel-based IDS I found without it knowing about it. And if you want to add new modules to the list, it's really easy, you just edit the KIS header file... or KIS C file. Let me look. So you just add a string compare. You can choose to either let it load and then disable it, or just never let it load and not tell the user. Right now it actually disables Carbonite, the Linux MAC implementation, St. Michael and St. Jude in the module list. Yeah, it'll find it in memory and remove it, the same way it finds itself in memory and removes it. Oh, yeah, by the way, I didn't show this: if you do an lsmod, it doesn't show that KIS is loaded. And this is all done in the module itself, as opposed to the way St. Michael does it by loading a secondary module which removes it from the list, and that's very easily flagged.
And once it's in the initialization process is when I remove it. And if it's already loaded, it'll just find it in kernel space and unload it. And another option that it has: you can define an elite GID and use GID-based hiding. This is the method I talked about before, where you can easily find it if you just chown a file over and over and over until finally the file disappears. What's another option I added? Oh, no, that's it. That's all I should put. There's other things in development. Yeah, there's other plugins in development, and the plugin interface is very easy to learn, and you don't have to deal with interrupts from user space. Currently, you could detect this version with kstat. I've got other code which will beat kstat. It's a plugin to this that may or may not be made public, depending on the reaction of the security community to this. Actually, here's the funny thing. About a year and a half ago, I wrote a completely in-the-kernel signed module loader, so that you kept a signing tool and a key on another machine or floppy disk and you just signed all the modules into kernel space, so that it would only load verified code into kernel space, and I had 50 downloads in six months, so I just took it off my website, because apparently people weren't concerned with this even though it's a big problem. Yes, actually you would, because you can't hide that on ext2 or Reiser. I don't know about other file systems. Well, here's a way to detect it, but it involves downing the machine. If you do a find and just map out your whole hard drive from root, and then you shut the machine down, boot off of another disk, and then mount that drive, not as root however, and then map it out: if you see any hidden files that weren't there before, then that's probably where it's located, and there's a nice backup of it kept there of your original file, so you can restore it. Anything else?
We've got a module, which is on my web page, a plugin for this that does that. If you're inside a hidden process and you throw the device into promiscuous mode, it won't show that it's hidden or that it's in promiscuous mode, but if you do it as an admin it will. Or is it a bullset? No, the client actually listens on a port; it's standard UDP traffic. KIS also has anti-KIS capabilities, so that you can use it as a... it's very easy, if you just drop in plugins, to make it a security product; you can make it into whatever you want, and it'd be great for the Honeynet Project for remotely managing machines. No, they'd have to know the modulus, the remainder value and both shared secrets. Standard GTK. This is OpenBSD, but there's... I don't know why the raw sockets don't work on this right now; I'm root and... My website is uberhacksor.net rr.net, and then the download site is /ks, but there's a link to it off the main page. Quality HTML, I added my first picture. Alright, so that's it.
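The one detection method the speaker concedes works against KIS is the offline comparison near the end of the talk: map the whole disk with find while the system is running, shut it down, boot clean media, mount the drive and map it again, and anything the clean mount sees that the running kernel did not report is where the rootkit and its backup of the original binary live. The script below is an added example of that check, written for this transcript; it is not code from Optyx or from KIS. It assumes GNU find (for -printf) and builds two small constructed directory trees standing in for the live view and the clean offline mount of the same disk, so it runs without any real reboot. Because the talk says stat calls on the trojaned binary are redirected to the kept backup, the script also flags files that are present in both listings but whose size differs between the live and offline views.

```shell
#!/bin/sh
# Added example, not part of KIS or the talk: the "map the disk, reboot clean,
# map again, compare" check. Assumes GNU find; all trees and files are constructed.
set -eu
export LC_ALL=C   # deterministic sort order for both listings

# snapshot ROOT OUT: record every entry under ROOT as "relative-path type size",
# sorted. On a real system: snapshot / live.txt while running, then after booting
# from clean media and mounting the suspect drive: snapshot /mnt/suspect offline.txt
snapshot() {
    find "$1" -mindepth 1 -xdev -printf '%P %y %s\n' | sort > "$2"
}

# hidden_entries LIVE OFFLINE: paths the clean mount shows that the running
# kernel did not list at all (candidates for rootkit-hidden files/directories).
hidden_entries() {
    awk 'NR == FNR { seen[$1] = 1; next }
         !($1 in seen) { print $1 }' "$1" "$2"
}

# changed_entries LIVE OFFLINE: regular files present in both listings whose
# size differs, which is what a swapped binary with a kept backup looks like
# when the live kernel answers stat() with the backup's metadata.
changed_entries() {
    awk 'NR == FNR { live[$1] = $2 " " $3; next }
         ($1 in live) && $2 == "f" && live[$1] != ($2 " " $3) { print $1 }' "$1" "$2"
}

# demo: two constructed trees for the same imaginary disk. "live" is what the
# rootkitted kernel reports; "offline" is what the clean boot sees.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/live/bin" "$work/live/etc"
    printf 'ps\n' > "$work/live/bin/ps"                 # stat redirected to the 3-byte backup
    printf 'root:x:0:0\n' > "$work/live/etc/passwd"

    mkdir -p "$work/offline/bin" "$work/offline/etc" "$work/offline/.hidden"
    printf 'trojaned ps\n' > "$work/offline/bin/ps"     # the real, larger on-disk file
    printf 'root:x:0:0\n' > "$work/offline/etc/passwd"
    printf 'ps\n' > "$work/offline/.hidden/ps.bak"      # constructed backup of the original
    printf 'x\n' > "$work/offline/.hidden/kis"          # constructed rootkit install file

    snapshot "$work/live" "$work/live.txt"
    snapshot "$work/offline" "$work/offline.txt"
    hidden_entries "$work/live.txt" "$work/offline.txt" | sed 's/^/hidden: /'
    changed_entries "$work/live.txt" "$work/offline.txt" | sed 's/^/changed: /'
    rm -rf "$work"
}

demo
```

On the constructed trees this prints the hidden directory and its two files plus bin/ps as changed. On a real system the two snapshots must come from the same filesystem (the -xdev keeps find on one mount), and the offline listing has to be taken from a kernel booted off separate media, since any listing made by the compromised kernel is subject to the same filtering the talk demonstrates.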