[00:00:00] Covering your tracks and installing backdoors, also known as digging in deep. So at this point we've performed our reconnaissance. We've scanned and enumerated. We've gained our access. We've escalated our privileges. We've maintained our access and moved laterally, and now we want to make sure we're in here for the long haul. How do we make sure we don't get caught? Well, this is where we have to cover our tracks and place some backdoors.

[00:00:22] So what does that really mean? Well, covering our tracks and installing backdoors means we're gonna erase the evidence. We're gonna modify the evidence. We're gonna disable logging. We can clear log files. We can hide log files and folders. We can install rootkits and backdoors, and we can even set up callback times, so the machines call us back at certain times of the day instead of maintaining a persistent connection all of the time. These are all different ways for us to cover our tracks.

[00:00:46] So, let's talk about erasing the evidence.
[00:00:48] The first thing you want to do is you want to erase any temporary files. These would include log files, or any droppers that you've put on the system. So if I've put on a stage one malware, then I want to delete it, because now that I've got stage two, I don't need stage one anymore. If I went into the Windows temporary directory, and that's where I've been putting my log files and gathering my information at, I want to download that information and then delete those files. Anything that I have on the system could be found by a system administrator, so I want to clean up as much as possible.

[00:01:16] Modifying the evidence. So when I modify the evidence, I'm gonna change the contents of the log files. So I might go into a log file and change it so that my IP is not the one that's being shown. So the other thing you have to worry about is the time on the files. So if I have a log file, and I've edited that IP right now, then the time modified is going to show up as right now, not the last time the system administrator used it.
[00:01:38] So what I can use is the program Timestomp as part of Meterpreter to actually change that last access time to a time in the past, so that it won't look suspicious that I did this today. Again, anything that I can do to throw those system administrators off is gonna be better for me as the attacker. The other thing I wanna do is I can change user identities. I want to change that so that instead of saying user Jason has done this, I want to say user Bob has done this. Any of those things that can throw the system administrators off my scent is always a good thing for me.

[00:02:07] So how do you use Timestomp? Well, there's a couple of different ways. I talked about the fact that Meterpreter has a built-in tool for this, but if you're using Linux, Unix, or OSX, there's also two other ways you can do this. One is you can use touch. And what touch does is actually update the time to the current time.
[00:02:23] This is not as useful as using something like Timestomp, because it's gonna make it as if we modified it right this second, which may not be the most covert thing for us to be doing. The other thing we can do is use ctime, which changes the time to a given date and time. This is a lot more useful, and is essentially what we're doing with Timestomp inside of Meterpreter. So I can go back and say, hey, the last time this file was accessed was two and a half weeks ago at 1:38 p.m. That's what ctime allows you to do.

[00:02:53] Another thing you can do is you can actually turn off logging. So let's say I broke into the system right now. One of the first things I might want to do is disable logging, go do all my exploitation, and then re-enable logging. That way, I don't have to go and clean up 300 different things that I did; I only have to clean off the initial getting on the system and the initial getting off the system. Auditpol is a command-line tool from the NT Resource Kit. This is how you can actually disable logging inside of Windows.
[00:03:23] One of the other ways that we can do things is we can clear off those log files. Now, Winzapper, Evidence Eliminator, Elsave: these will all erase log files. If you're in Linux, a lot of those log files are text-based files, so you can actually just delete those files. Now the problem is, while this does cover your tracks, and they won't be able to track it back to you, it is very obvious, because system administrators are used to looking at log files. And if they go to the log files and there is no log file, they're going to know they have been hacked. And so this is something you only want to do if you run out of time and you can't modify those log files; that's when you'd go and clear the entire log files.

[00:03:58] Now, the other thing here is that, as an ethical hacker, we have no use to do this. There's no reason we would ever clear the log files, because we're gonna cover up bad guys as well as ourselves if we do this. So in an ethical hacking event, you will not be clearing the log files.
[00:04:12] You may modify them, but you will never clear them. So while I'm on the system, what are some other ways I can hide myself? Well, besides disabling log files, and deleting log files, and modifying log files, I can also hide files and folders. So, if I'm using a Linux or a Unix system, hidden files are going to start with a dot. If you're using Windows, we can do things like an alternate data stream. And we'll go through this in a lab environment to show you how easy it is to do an alternate data stream as well. Another way you can do this is you can use hidden attributes. So in Windows you do the plus-h; that's going to show it as a hidden file. You can also put files into low-traffic areas. How often do people go and look at the C:\Windows\System32 folder? Probably not very often. So we can hide some stuff in there if we wanted to. The other thing that you can do is you can hide things in slack space. Slack space is not directly accessible by the operating system.
[00:05:04] But there's tools that you can use to go and use that empty space on the hard drive, and put files there that are then accessible to you, and not to the general public.

[00:05:14] Alternate data streams. So alternate data streams provide a method to hide malware on an NTFS file system. So these streams are almost completely hidden, the file size won't really increase that much, and you'll be able to hide files inside other files. And the way you do this is you're gonna do: type, the file you wanna hide, a right caret, the file you want to hide it in, colon, and then the file you were hiding. So, for example, if I was hiding notepad inside of calc, I would do type, notepad.exe, right caret, calc.exe, colon, notepad.exe. Now when I would run it, I'm just gonna do start calc.exe colon notepad.exe. Again, I'm running that hidden file, notepad, which is hidden inside of calc. Now, what does that look like in a real system? Well, if you notice here on the top, I have calc.exe as a 91k file. 91,408 bytes is actually how large it is.
[00:06:07] Now I'm gonna hide notepad inside of calc. Did it make it go any larger? No, it's still 91,408 bytes. So, for all intents and purposes, you can't see the fact that I have notepad inside of calc in the bottom part of the screen. But it is there. And if I type start calc.exe colon notepad.exe, it will launch a notepad program for us.

[00:06:31] So we talked about hiding in the slack space. In Linux we have a program called Bmap, and we can use that to hide files in the slack space. What exactly is the slack space? Well, when you put in a file on a hard drive, a hard drive is actually divided into sectors, and there's sometimes extra space. We call that the slack space. So when the file ends, for instance in the picture here, here I have six and a half parts out of eight are taken up by that green file. That left about one and a half of orange that is empty. Now that empty space can actually be used to hide files in there.
[00:07:03] The file system won't read it; they won't realize it's there. But I'll know it's there, as the attacker, and I can actually go in and put my files in there and use that extra empty space. It's a great place to hide. It makes it very hard for people to find your stuff.

[00:07:16] Another way we can hide is by installing rootkits and backdoors. Now, what is a rootkit? Rootkits were originally only on Linux, but now they're on Windows too. Some good examples are FU, Vanquish, Hacker Defender, AFX. And what rootkits are is they will actually bind into the operating system themselves, and hide themselves, so that it can actually take over some of the commands. So when a system administrator is giving commands, it's actually giving commands where it thinks to the operating system, but it's not. It's giving it to the rootkit, who then gives them back false information. This allows us to hide and keep ourselves hidden longer. Another thing we can do is we can set up backdoors.
[00:07:51] And again, like I talked about before, those backdoors can be things like callouts, and we can do that with scheduling and timing. So, for Windows how do we do that? We can use SC, which is managing our services. We can start and stop services that would start and stop our malware. We can use netsh, which will modify our Windows firewall, opening up ports, and then we can use at, which is an automatic time scheduler. It will schedule programs to run at certain times. So maybe every morning at two a.m. I want the Windows system to go and do a ping back to my host. That tells me that that Windows system is still under my control, and available for me, if I need it. That could be something like a beacon. And that's one of the ways that I can use that, is so I can know, hey, all the systems will call back to me at two a.m. I get one ping from them every 24 hours, I know they're still mine.
[00:08:38] And then, if that doesn't come back, I know that either the machine is off, or that the defenders have found me and cleared my malware. Now on Linux, and Unix, and OSX, we use things like cron jobs. Crontab will set up tasks to run in the future. This is like the at command we had in Windows. And at also works in Linux and Unix, so you can schedule programs to run at certain times, just like we did in Windows. Again, that's an automated time setup for the future. You can have it do anything you want. I've set up some at jobs on people where at three in the morning it will actually start playing music for them. And the reason why we do that is it can be used like an alarm clock. Or again, as one of those prank things, or one of those things to show system administrators, hey, I got you, you didn't find me, it's been three weeks, so now I'm gonna set off music at three in the morning so you'll know that I'm there. So there's lots of different ways that we can cover our tracks, that we can place backdoors as we go through our systems.
[00:09:29] These are just a small quick summary of some of the minor ones. So now that we've talked about some of the ways we can cover our tracks and place backdoors, we're going to go into our lab environment, and we're gonna play with both the alternate data streams and the time schedule.