EC Council CEH 312-50 – System Hacking Part 7
July 13, 2023

21. Virtually Complete Secrecy, TOR

Okay, we finished up talking about something referred to as anonymity. Now we’re going to talk about something referred to as anonymous and secure, and the utility I’m talking about is called Tor. Now, Tor stands for The Onion Router, because it has many different layers. As a matter of fact, a branch of the U.S. Navy developed it in association with DARPA. And so while the US seems to be bearing down hard on us for using very high-level encryption, here is one that they developed themselves. It’s probably one of the most used and most difficult to get into, and I say “the most difficult to get into” with a grain of salt, because we’re going to poke a couple of holes in its Achilles heel as we go through this. So here’s what happens.

Tor is actually a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. All right, well, that sounds a lot like Jab, doesn’t it? Well, the difference between this and Jab is that each one of the layers is encrypted. I’ve got a diagram on the next page where I’ll go into more detail on this. So at each node, a further layer of encryption is added. So let’s picture this, if you will. The onion router functions by passing a user’s traffic, encrypted by the Tor client, through a random series of anonymous nodes, exiting the Tor network through a random exit node, where it is then decrypted and passed to the destination server.

So in reality, the only party that would be able to see that message in clear text is that exit node. Again, at each node a further layer of encryption is added. So we get an encrypted package from client A, and we in turn encrypt that again and send it to client B, which in turn encrypts it again, and so on. You’re going to see how this works here. If we were to capture a user’s traffic, it would require the specific exit node used to be compromised. Due to the size and the variability of the Tor network, this makes targeted attacks very unlikely to succeed. Now, as well as providing anonymity for a user to the regular web, Tor has hidden services that are also accessible to users connected to the Tor network.

They are accessible by using the .onion suffix. These services provide anonymity for both the client and the server. If you’ve heard people talking about “I went out on the darknet to find things, I went out and did this on the darknet,” typically they are talking about using Tor to do this. Okay, so let me see if I can explain this a little bit better. We already said that Tor is free software for enabling anonymous communication. The original software project name was The Onion Router. Tor directs Internet traffic through a free worldwide volunteer network consisting of more than 7,000 relays in order to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Now, using Tor makes it more difficult for Internet activity to be traced back to the user.

This includes things like visits to websites, online posts, instant messages and other forms of communication. Tor’s use is intended to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication, by keeping their Internet activities from being monitored. Onion routing itself is implemented by encryption, but it’s done in the application layer of the communication protocol stack. So here’s where it’s going to differ a little bit: it’s nested like the layers of an onion. Tor encrypts the data, including the next node’s destination IP address, multiple times and sends it through a virtual circuit comprising successive, randomly selected Tor relays. Each relay decrypts a layer of the encryption to reveal only the next relay.

It doesn’t decrypt all of it, just enough so it knows what’s coming next. It learns only the next relay in the circuit, in order to pass the remaining encrypted data to it. The final relay decrypts the innermost layer of the encryption and sends the original data to its destination without revealing, or even knowing, the source IP address. Because the routing of the communication is partly concealed at every hop of the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance, which relies upon knowing the source and destination. An adversary might try to de-anonymize a user by some means.
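To make the layering concrete, here is a small simulation I have added; it is not code from the course or from the Tor Project. It stands in a constructed XOR/SHA-256 toy cipher for Tor’s real AES-CTR, assumes the client already shares a key with each of three relays named guard, middle and exit, and uses made-up names such as bank.example. Each relay strips exactly one layer and learns only the next hop; only the exit recovers the request.

```python
import hashlib
import os

# Constructed toy cipher: XOR with a SHA-256-derived keystream. Tor itself uses
# AES in counter mode over TLS-protected hops; this stand-in only illustrates
# the layering and must not be used for real traffic.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

# Assumption: the client already shares one key with each relay (Tor derives
# these during circuit construction; here they are simply generated).
PATH = ["guard", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}

def build_onion(path, keys, destination: str, payload: bytes) -> bytes:
    """Client side: one layer per relay, innermost for the exit, outermost for
    the guard. Every layer carries only the *next* hop's name plus an opaque blob."""
    cell = payload
    next_hop = destination            # the exit's "next hop" is the real server
    for relay in reversed(path):
        cell = xor_crypt(keys[relay], next_hop.encode() + b"\x00" + cell)
        next_hop = relay              # the previous relay must forward to this one
    return cell

def peel_layer(relay: str, keys, cell: bytes):
    """Relay side: strip exactly one layer; learn the next hop and nothing else."""
    plain = xor_crypt(keys[relay], cell)
    next_hop, _, inner = plain.partition(b"\x00")
    return next_hop.decode(), inner

def route(path, keys, onion: bytes, payload: bytes):
    """Simulated network: pass the cell hop by hop, recording what each relay sees."""
    views = []
    cell = onion
    for relay in path:
        next_hop, cell = peel_layer(relay, keys, cell)
        views.append({
            "relay": relay,
            "next_hop": next_hop,
            "plaintext_visible": cell == payload,   # only true at the exit
        })
    # After the last peel, `cell` is the original payload and next_hop the destination.
    return views, next_hop, cell

def demo():
    payload = b"GET /balance HTTP/1.1"     # constructed sample request
    onion = build_onion(PATH, KEYS, "bank.example", payload)
    views, destination, delivered = route(PATH, KEYS, onion, payload)
    return views, destination, delivered, payload

if __name__ == "__main__":
    views, destination, delivered, payload = demo()
    for v in views:
        print(f"{v['relay']:>6} -> next hop {v['next_hop']:<13} "
              f"plaintext visible: {v['plaintext_visible']}")
    print("delivered to", destination, ":", delivered)
```

Run it and note which relay sees what: the guard learns only that the next hop is middle (and, on a real network, the client’s address), the middle relay learns only exit, and only the exit recovers the request and the destination. No single relay holds both ends, which is the property the lecture describes; the exit’s clear-text view is also why the exit node is the weak point the lecture keeps coming back to.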

One way this may be achieved is by exploiting vulnerable software on the user’s computer. The NSA had a technique, code named Egotistical Giraffe, that targeted a vulnerability in an outdated Firefox browser version at one time bundled with Tor, and in general it targets Tor users for close monitoring under its XKeyscore program. Attacks against Tor are an active area of academic research and are welcomed by the Tor Project itself. However, Tor was not only developed for a time in the early 2000s by individuals who were on contract from DARPA and the U.S. Naval Research Laboratory; since its inception, the bulk of its funding has come from the federal government of the United States.

So it’s almost like, you want us to do this, but then you don’t want us to do this, right? Lastly, let’s finish this up by talking about the benefits of using a live CD with a security-testing-oriented distribution. There are many. The most popular one by far is Kali Linux, or BackTrack if you’re an old-timer. While granting full access to the data on the machine’s hard drive, there is absolutely no danger of leaving any entries in logs or perhaps triggering security software, because we’re booting everything off the CD-ROM. The call of the wild these days is “don’t touch the disk.” If you don’t touch the disk, it makes it very difficult for them to figure out how you got there and how you got in.

You’ll also be booting into an environment pre-configured with all the security tools you’ll need, so you’ll be all set to run whatever you need without any kind of issue. Now, unfortunately, live CDs are only usable for systems to which you have physical access and which can be booted into an alternate operating system without drawing too much attention. Well, without drawing too much attention, that is, if somebody isn’t using the one you just took offline. This typically offers protection if the attacker’s machine is seized by law enforcement, because we haven’t put anything into the logs. One last little piece here, and then we’re going to show you something really cool. Every one of us has heard the term VPN. I mean, that is absolutely the call of the wild, isn’t it? And VPN actually has two different modes.

We have what’s called transport mode and we have tunnel mode. Tunnel mode is by far the most popular. Tunnel mode does just as its name implies: it tunnels our network traffic inside of someone else’s network traffic and also encrypts it. When it gets to its destination, it unbundles it, and our network traffic is none the wiser; it just thinks it took a little bit longer getting there. So I want you to remember: an encrypted tunnel has advantages for both the security-conscious user and the malicious attacker. So if we use a VPN, it should be noted that the VPN is only as secure as the exit node of the VPN. Let me explain. Let’s say you’re in a coffee shop, and inside of that coffee shop you decide you want to log on to your bank.

Now, if the coffee shop is like the one that I have, where you have to accept a self-signed certificate and all kinds of things that make me really uncomfortable and make my skin crawl, I would opt to use a VPN. Now, the VPN is going to establish a secure connection from the coffee shop to my VPN provider. The VPN provider very well could be my own data center if you’re using something like OpenVPN. But if you’re using one of the more commercial tools, it will exit right there at that VPN provider. I’ll give you a little bit of a statistic: 90% of the attacks happen before you get to the ISP. Not to say that something couldn’t happen at the ISP, but if you get to the ISP, you’re pretty much golden.

But we’re getting even further than that. We’re actually getting all the way to the VPN provider, so users can better protect against intrusions like man-in-the-middle attacks, that kind of thing. Hackers often use encrypted tunnels to pipe data and commands to control remote sessions, completely undetected. The IDS (intrusion detection system), IPS (intrusion prevention system) and firewall cannot read what’s in the encrypted tunnel, so consequently they can’t act on it. Realistically, companies cannot disable SSL or SSH; unless they break open that connection using something like Blue Coat or similar, they can’t see what’s inside of it.

22. RootKits – Overview

Well, I tell you guys, this has to be one of the most interesting parts of the class. Normally, when I’m doing a bootcamp class, where I am in there from nine in the morning till nine at night for five days, I go into a lot more detail on this, but I’m definitely going to give you your money’s worth here. The first thing I like to ask is, what is your definition of a rootkit? Some people will say malicious software on your system. And then I would return with, okay, so you think it’s malicious. All right. Anybody else? They say malware that’s on your system. Okay, let me give you my definition of a rootkit. My definition of a rootkit is a replacement for operating system files that does your bidding, as opposed to what the original manufacturer expected it to do.

So the reason I held the person up when they said “well, it’s malicious”: some rootkits will say that we’re gathering information so we can send you to the correct places so you can buy the correct things, not wasting your time. I think they’re kind of missing the boat there, in my opinion. There was actually a company that installed a rootkit on our machines and didn’t even tell us about it. You’re going to see here in just a moment or two how dangerous that was, because there are two types of rootkit: there’s a user-mode rootkit, and there is a root-level rootkit. The root-level rootkit can see anything, and I mean anything: our passwords, our credit card data, everything.

And there was a company that, after we installed a piece of their software, installed a rootkit on our machine, and it was a ring zero, or root-level, rootkit. Well, when some security researchers found out about it, boy, the world cried foul. I usually ask somebody in class, do you know who did that? I’ll just go ahead and tell you, since I don’t have anybody here in the room to answer my question. It was actually the record company for Celine Dion. They wanted to make sure that you were purchasing those songs and not just pirating them, so they checked to make sure that their digital rights management was in effect. Now, one pundit at DEF CON mentioned one time, well, if you listen to Celine Dion, I guess you deserve a rootkit.

In reality, I kind of like Celine Dion, but I just thought it was quite funny. Let’s take a look at exactly how the rootkit works. I want you to understand right here that we have several modes of operation in our computer CPU. With the advent of the 286 processor, we had a real mode and a protected mode; with the 386, we called this the x86 processor. The x86 processor gave us the capability to move back and forth very easily from ring zero to ring three. Some books will refer to a ring negative one as being the hypervisor and even a ring negative two as being the BIOS, but in reality those are more for diagram purposes. So I’m just going to focus on ring zero and ring three.

When you’re running something in ring zero, it means you have access to everything. This is where things like our drivers, our disk drivers and our DLLs may reside. Ring three is where our applications actually run. So Microsoft Word might be here, Excel might be here, and even applications like Norton Antivirus and McAfee Antivirus. The big kicker and the big caveat: to move from ring three into ring zero, you must solicit the help of the Windows API. Now, the Windows API acts as a traffic cop, and it also acts as a resource arbitrator. So, for example, if two people on the same machine wanted to delete one of the partitions of the disk, well, that just can’t end up well.

And so the Windows API would act as a resource arbitrator, saying, no, someone else is using it right now; as soon as he gets done, you can use it. It also allows only certain individuals with system-level privileges to do certain things like that. Okay? So it’s important to note that if we had a rootkit in ring three, most of our antivirus manufacturers would be able to find it, although if we had a rootkit in ring zero, there is nothing that can find it. The only thing that could find a ring zero rootkit is a rootkit itself. Well, let’s see how this works. I’m going to give you just an example, all right? The Windows API has a number of functions, and we know the Windows API works with objects, and that object is modified by a method.

This object could be a user object, a file object, a process object, or whatever. I’m going to assume for just a moment that this is a user object, and the user object equates to Tim. There is a function called, or I should say a method called, get next item. All that does is simply take a list of things and move down to the next one in the list. That’s all it does. So if I were to take that method, get next item, and modify it somewhat, I could say: if user is equal to Tim, skip; else do whatever I’m going to do and return. For all practical purposes, the user Tim would cease to exist in a list of users obtained through the Windows API. It would simply disappear. Although it is still there, it would disappear.
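The hooked “get next item” the lecture describes, and the cross-view comparison that detection tools use to catch exactly that kind of hiding, as an added Python illustration. This is not course material and not the real Windows API: UserDirectory, get_next_item, raw_snapshot and the user names are all constructed for the example. The point for a defender is the last function: a hook can lie to callers of the API, but it cannot change what a lower-level view (the raw account store) contains, so the two views disagree.

```python
# Constructed example: a tiny "user directory" with an enumeration method that
# a hook subverts, and a cross-view check that exposes the hidden entry.

class UserDirectory:
    """Stand-in for an OS object store; get_next_item walks the user list."""
    def __init__(self, users):
        self._users = list(users)

    def get_next_item(self, index):
        """Return (next_index, user), or (None, None) at the end of the list."""
        if index >= len(self._users):
            return None, None
        return index + 1, self._users[index]

    def raw_snapshot(self):
        """Lower-level view that bypasses the enumeration API (think: reading the
        account database directly instead of asking the API to walk it)."""
        return list(self._users)

def enumerate_users(directory):
    """How a normal tool lists users: call get_next_item until it stops."""
    users = []
    index = 0
    while True:
        index, user = directory.get_next_item(index)
        if index is None:
            return users
        users.append(user)

def install_hook(directory, hidden_user):
    """Replace get_next_item with a version that skips one user: the lecture's
    'if user is equal to Tim, skip; else carry on' modification, in miniature."""
    original = directory.get_next_item
    def hooked(index):
        index, user = original(index)
        while user == hidden_user:          # step over the hidden entry
            index, user = original(index)
        return index, user
    directory.get_next_item = hooked        # callers now get the lying version

def cross_view_diff(directory):
    """Detection idea: compare the API's answer with a lower-level view.
    Anything present below but absent above has been hidden from the API."""
    api_view = set(enumerate_users(directory))
    raw_view = set(directory.raw_snapshot())
    return sorted(raw_view - api_view)

def demo():
    directory = UserDirectory(["administrator", "tim", "alice"])  # constructed
    before = enumerate_users(directory)
    install_hook(directory, "tim")
    after = enumerate_users(directory)
    hidden = cross_view_diff(directory)
    return before, after, hidden

if __name__ == "__main__":
    before, after, hidden = demo()
    print("API view before hook:", before)
    print("API view after hook: ", after)
    print("hidden by the hook:  ", hidden)
```

Cross-view comparison is exactly why the lecture’s claim that “only a rootkit can find a ring zero rootkit” has a practical answer: a scanner that reads the raw structures itself, or inspects the disk from a clean boot environment, gets a view the hook never touched, and the mismatch is the detection.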

So once installed, a rootkit takes active measures to obscure its presence within the host system through a number of different mechanisms: subversion or evasion of standard operating system security tools, APIs, that kind of thing. Rootkits achieve this by modifying the behavior of the core parts of an operating system. Remember, we’re replacing that through loading code into other processes, the installation or modification of drivers, perhaps, or even kernel modules. Obfuscation techniques include concealing running processes from system monitoring mechanisms, so we don’t know that they’re running, and even hiding system files and other configuration data.

And it actually is not uncommon for a rootkit to disable the event logging capacity of an operating system in an attempt to hide evidence of an attack. Rootkits can, in theory, subvert any operating system activity. The perfect rootkit, if there were such a thing, can be thought of as similar to a perfect crime: one that nobody realizes has even taken place. Rootkits can also take a number of measures to ensure their survival against detection and cleaning by antivirus software. In addition to being commonly installed in ring zero, which is kernel mode, where they have complete access to the system, when something comes and tries to scan them, they use a technique called a trampoline and they jump over it.

These include things like polymorphism, stealth techniques, regeneration, and even disabling the antivirus software completely. I’m going to show you a rootkit and we’re going to demonstrate this, and I think you’ll find it very, very interesting. But let’s just go ahead and take an overview of it. As we talked about before, the primary purpose is to allow an attacker unregulated, undetected access to a compromised system, not just once, but repeatedly, over and over again. Rootkits are used by hackers for lots of different reasons: to hide a backdoor, elevate a process’s privilege, hide files, hide registry entries, disable auditing and event logs, redirect executable files, hide device drivers, hide user accounts, a number of different things. And I’m going to show you these right now.
