
Host Intrusion Detection like a Boss

Introduction to the stealth mode functionality of Samhain, an open-source Host Intrusion Detection System, and an analysis of how exactly it applies that functionality in the operating system.


  1. C:> telnet Host.Intrusion.Detection...like.a.boss
     HELO Confraria de Segurança de Informação
     PRESENTATION FROM: André Lima
     RCPT TO: Confraria@Forum.Picoas
     WHEN 26 Nov 2014
     DATA
     Good evening everyone!
     .
     QUIT
     by André Lima, Associate CISSP / ISO27001 / CCNA Security, @0x4ndr3, al@integrity.pt, https://www.linkedin.com/in/aflima
  2. $whois andrelima
     • Consultant at Integrity S.A.
     • Associate Certified Information Systems Security Professional (CISSP)
     • ISO 27001 LA (Lead Auditor)
     • CCNA Security
     • CCNP Route
     • Computer Engineering (Engenharia Informática) @ ISEL
     0x4ndr3, al@integrity.pt, https://www.linkedin.com/in/aflima
  3. $cat agenda.txt
     • Context
     • Intro to Samhain
     • Stealth – how it works
     • Stealth – installation details
     • Demo
     • Precautions
     • Conclusions
     • References
     • Questions
  4. $patch -p1 < ../backdoor.c
     • Writing files: what an intruder leaves on disk
       – Patching
       – Adding a backdoor user
       – Crontab entries
       – Altering logs
       – Rootkits
       – Backdoor services
       – Trojaned binaries
       ... The limit? Your imagination!
  5. But also...
     • Multi-admin environments: changes made by other administrators, not only by intruders
  6. $samhain -h
     • Open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows)
     • Supports a client-server model: configuration + database files are served centrally
     • Provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, etc.
     http://www.la-samhna.de/samhain/
  7. $samhain -h
     • File signatures: inode + timestamps + owner, group and permissions + number of hard links + etc.
     • File system SUID/SGID binaries
     • Detecting kernel rootkits
     • Checking for open ports
     • Log file validation
     • User ID of the user who changed a file (via the Linux Audit Daemon)
     • ...
     • Stealth mode!
  8. $samhain -h | grep 'Stealth Mode'
     • What does it mean?
       – Obfuscating strings in the binary, the log file and the database
       – The configuration file can be steganographically hidden in a PostScript image file
       – Renaming the HIDS binary (and auxiliary applications)
       – Not enabled by default, but advised: delete the man pages!
  9–11. $samhain -h | grep 'Stealth Mode' (three screenshot slides covering "Stealth – how it works" and "Stealth – installation details"; no text survived extraction)
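The build behind those installation slides, written out as an added example (this is not the talk's script nor anything shipped by the Samhain project). The configure options (--enable-stealth, --enable-install-name, --with-config-file, --with-data-file) and the samhain_stealth -i / -s / -g switches are the ones I know from the Samhain manual; the install name kswapd0, the XOR value, the PostScript image and database paths, and the PostScript suitability heuristic in ps_image_ok are assumptions for illustration, and the argument order of samhain_stealth -s should be confirmed with samhain_stealth -h on the version you build. Nothing is built unless SAMHAIN_SRC points at an unpacked source tree.

```shell
#!/bin/sh
# Added example: building Samhain in stealth mode. Not the talk's or the
# project's own script; option names follow the Samhain manual, everything
# else is an assumption for illustration.

# Stealth build parameters (assumptions; choose your own and record them
# somewhere off the host, see the "Precautions" slides).
INSTALL_NAME="${INSTALL_NAME:-kswapd0}"                 # innocuous-looking process name
XOR_VAL="${XOR_VAL:-173}"                               # manual: must be in 128..255
PS_IMAGE="${PS_IMAGE:-/usr/share/doc/system/logo.ps}"   # uncompressed PostScript image that will carry the config
CONFIG_SRC="${CONFIG_SRC:-samhainrc}"                   # plaintext config to hide
DATA_FILE="${DATA_FILE:-/var/lib/.fontcache/fc.db}"     # where the obfuscated baseline DB lives
SBIN_DIR="${SBIN_DIR:-/usr/local/sbin}"                 # default install prefix

# The manual only allows XOR values from 128 to 255 (high bit set, so the
# obfuscated strings never look like printable ASCII).
stealth_xor_ok() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 128 ] && [ "$1" -le 255 ]
}

# Heuristic (my assumption, not a rule taken from Samhain): samhain_stealth
# needs an uncompressed PostScript image, so reject anything that is not
# PostScript, has no image operator, or uses a compression filter.
ps_image_ok() {
    f="$1"
    [ -r "$f" ] || return 1
    head -n 1 "$f" | grep -q '^%!PS' || return 1
    grep -q 'image' "$f" || return 1
    if grep -Eq 'FlateDecode|LZWDecode|DCTDecode|RunLengthDecode' "$f"; then
        return 1
    fi
    return 0
}

# Configure, build, hide the config, install under the stealth name.
build_stealth_samhain() {
    src="$1"
    stealth_xor_ok "$XOR_VAL" || { echo "XOR value $XOR_VAL not in 128..255" >&2; return 1; }
    ps_image_ok "$PS_IMAGE"   || { echo "$PS_IMAGE does not look like an uncompressed PostScript image" >&2; return 1; }
    cd "$src" || return 1
    ./configure \
        --enable-stealth="$XOR_VAL" \
        --enable-install-name="$INSTALL_NAME" \
        --with-config-file="$PS_IMAGE" \
        --with-data-file="$DATA_FILE"
    make
    # samhain_stealth is built next to samhain when stealth is enabled
    ./samhain_stealth -i "$PS_IMAGE"                    # capacity: bytes the image can hide
    ./samhain_stealth -s "$PS_IMAGE" "$CONFIG_SRC"      # hide the config in place (order: check -h)
    ./samhain_stealth -g "$PS_IMAGE" | diff - "$CONFIG_SRC"   # round-trip must match
    make install                                        # binary lands as $SBIN_DIR/$INSTALL_NAME
    "$SBIN_DIR/$INSTALL_NAME" -t init                   # build the baseline database
    shred -u "$CONFIG_SRC" 2>/dev/null || rm -f "$CONFIG_SRC"   # no plaintext config left on disk
}

if [ -n "${SAMHAIN_SRC:-}" ]; then
    build_stealth_samhain "$SAMHAIN_SRC"
fi
```

The two checks up front exist because both mistakes are silent otherwise: a wrong XOR value is rejected at configure time, and a compressed image simply has no room for the hidden text. The round-trip through samhain_stealth -g is the only confirmation you get that the config Samhain will read is the one you wrote.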
  12. $ env X='() { :; }; echo "VULNERABLE DEMO"' bash -c id
      (Demo: the well-known Shellshock test string, CVE-2014-6271; an unpatched bash prints VULNERABLE DEMO before running id)
  13. Take some precautions!
  14. echo $Precautions
      Document the stealth name!
  15. echo $Precautions
      $ history -c
  16–18. echo $Precautions (three screenshot slides; no text survived extraction)
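A post-install audit for the two precautions that do survive on the slides (document the stealth name; clear the shell history), as an added example that is not part of the talk. history -c only empties the current session's in-memory history: what was already written to ~/.bash_history, other administrators' history files, and the stock man pages all still reveal the name, so the functions below look there. The install name kswapd0, the history paths and the man directories are assumptions; adapt them to the host.

```shell
#!/bin/sh
# Added example: checks for leaks of a Samhain stealth installation. Not
# from the talk; names and paths are assumptions for illustration.

# Lines in a shell history file that mention the stealth install name or
# "samhain" (case-insensitive, fixed strings). Anything above 0 means the
# file, not just the session, needs cleaning.
history_leaks() {
    histfile="$1"; name="$2"
    [ -r "$histfile" ] || { echo 0; return 0; }
    grep -a -i -c -F -e "$name" -e samhain "$histfile" || true
}

# Occurrences of a plaintext marker inside a binary. A stealth build gives 0
# for "samhain"; a stock build gives dozens.
binary_leaks() {
    bin="$1"; marker="${2:-samhain}"
    [ -r "$bin" ] || { echo 0; return 0; }
    grep -a -i -o -F "$marker" "$bin" | wc -l | tr -d ' '
}

# Man pages for samhain or yule (the server) under the given directories.
manpage_leaks() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -iname 'samhain*' -o -iname 'yule*' \)
    done | wc -l | tr -d ' '
}

# Run all checks for one install name; non-zero exit if anything leaked.
audit_stealth_install() {
    name="$1"; bin="$2"
    rc=0
    for h in "$HOME/.bash_history" "$HOME/.sh_history" "$HOME/.zsh_history" /root/.bash_history; do
        n=$(history_leaks "$h" "$name")
        [ "$n" -eq 0 ] || { echo "LEAK: $n line(s) in $h mention the stealth name"; rc=1; }
    done
    n=$(binary_leaks "$bin" samhain)
    [ "$n" -eq 0 ] || { echo "LEAK: '$bin' still contains 'samhain' $n time(s); not a stealth build?"; rc=1; }
    n=$(manpage_leaks /usr/local/share/man /usr/share/man /usr/local/man)
    [ "$n" -eq 0 ] || { echo "LEAK: $n samhain/yule man page(s) installed"; rc=1; }
    [ "$rc" -eq 0 ] && echo "no leaks found for install name '$name'"
    return "$rc"
}

# Usage: STEALTH_NAME=kswapd0 sh audit.sh
if [ -n "${STEALTH_NAME:-}" ]; then
    audit_stealth_install "$STEALTH_NAME" "/usr/local/sbin/$STEALTH_NAME"
fi
```

Run it from a shell started with HISTFILE unset, or it will write its own invocation, stealth name included, into the history it just checked. The name itself belongs in the asset documentation off the host (the slide's "Document the stealth name!"): once the binary, config and logs are obfuscated, nothing on the machine will tell the next administrator what to look for.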
  19. echo $Conclusions
      • Be organized
        – Know your assets:
          · what users are supposed to be on a specific server
          · what ports must be open
          · what files (configs / executables) must not be altered
        – Document your stealth configurations
      • Be very specific about what you are monitoring (minimize false positives)
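What "know your assets" looks like once written down as a Samhain configuration, as an added example (not the talk's config and not a file shipped with Samhain). The section and option names are those documented in the Samhain manual; the directories, recursion depths, the 192.0.2.10:22/tcp listener, and the intervals are assumptions for a typical Linux server and must be adapted and checked against the manual for the installed version. In a stealth build this plaintext is what gets hidden in the PostScript image.

```ini
# Added example, not from the talk: a samhainrc that states the known assets.
# Section/option names per the Samhain manual; paths, ports and intervals are
# assumptions for illustration.

[Misc]
Daemon = yes
# compare every run against the baseline built with "samhain -t init"
ChecksumTest = check
# full file check every 2 hours; other checks are scheduled per section
SetFilecheckTime = 7200
SetLoopTime = 600

[Log]
# only real problems reach syslog (and whatever reads syslog)
SyslogSeverity = err
LogSeverity = warn
MailSeverity = none

# "what files must not be altered": configs, binaries, scheduled jobs
# (a leading number is the recursion depth)
[ReadOnly]
dir = 5/etc
dir = 2/usr/sbin
dir = 2/usr/bin
dir = 2/sbin
dir = 2/bin
dir = /etc/cron.d
dir = /var/spool/cron
# a backdoor user shows up here first
file = /etc/passwd
file = /etc/shadow
file = /etc/crontab

# logs may grow, but must not shrink or be rewritten ("altering logs")
[GrowingLogFiles]
file = /var/log/auth.log
file = /var/log/syslog

# pseudo-filesystems are noise, not assets
[IgnoreAll]
dir = /proc
dir = /sys
dir = /dev

# rogue SUID/SGID executables
[SuidCheck]
SuidCheckActive = yes
SuidCheckInterval = 86400
SuidCheckExclude = /proc

# kernel rootkit detection (Linux)
[Kernel]
KernelCheckActive = yes
KernelCheckInterval = 300

# "what ports must be open": on this interface only sshd may listen;
# any other listener is reported
[PortCheck]
PortCheckActive = yes
PortCheckInterval = 300
PortCheckRequired = 192.0.2.10:22/tcp

# "what users are supposed to be on this server": logins from utmp/wtmp
[Utmp]
LoginCheckActive = yes
LoginCheckInterval = 300
```

The point of the file is the last bullet on the slide: every entry is a statement about what this particular host is supposed to look like, so a report is a real deviation rather than a change nobody had decided was forbidden.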
  20. echo $references
      • Samhain documentation: http://www.la-samhna.de/samhain/s_documentation.html
  21. $read Questions