166. Covert Channels (OBJ 3.7)
Covert Channels. Now, in the last lesson on data exfiltration, I talked about overt channels. Things like FTP, or peer-to-peer, or instant messaging, that are obvious ways to send data. But data exfiltration can also happen over covert channels. We talked about this by hiding data inside of DNS and other methods like this. In this lesson, we’re going to talk more about what a covert channel is. Now, a covert channel is a communications path that allows data to be sent outside of the network without alerting any intrusion detection or data loss countermeasures. Now, covert channels can enable the stealthy transmission of data from node to node using means that your security controls simply don’t anticipate. For instance, if you don’t tune your IDS to start looking at those DNS records, that would be a covert channel. You might have a covert channel that is sending information over ICMP echo reply packets, which are what we send out in response to a ping. Again, a lot of IDSs aren’t looking for that type of information. So as we go through the rest of this lesson, we are going to talk about some different covert channels.
First, you might find a covert channel that takes advantage of egress filtering not being applied to a firewall. This way, they can transmit data over a non-standard port and send information out. Second, you might have data that gets encoded. And that encoded data is then sent out as part of the TCP/IP packet headers. So we may take data, encode it as part of an echo reply for ICMP or part of a DNS text record and send it out. By doing this, it can evade detection. The third thing we can do is we can start segmenting data into multiple packets. By chunking up that data into multiple packets, these can be sent at separate times and this can help you evade signature analysis and data loss prevention. Because a lot of these signature analysis and data loss prevention tools only use a short window. And so that might be 30 seconds or 60 seconds when they start reconstructing packets to search for signatures. If you sent out a packet right now and a packet in three minutes and another packet in three minutes after that, that may get through the sensors and not trigger any alerts.
The fourth thing you might look at is obfuscating data using hex. This way, you can transmit strings of data using hex code instead of using character strings. By using hex, it can get through the sensors because the sensors may be looking for an ASCII string and not a hex string. The fifth type of covert channel is when you start transmitting data in an encrypted format. By sending it out through an encrypted format like an SSL or TLS tunnel, this can prevent inspection as it leaves the network unless somebody has a break-and-inspect device sitting at the edge of their network. So if you’re working as a network defender, what kind of things can you do to mitigate these different types of covert channels? Well, the best thing to do is use advanced intrusion detection or user behavior analytics tools. These are going to be your best options to help detect those covert channels, but keep in mind they are not foolproof and they will not detect everything. As I’ve said before, as the defenders get better, so do the attackers. And so we’re constantly having this chess match where each side is trying different things to get something by the other one.
The attacker is trying to evade the defender, and the defender is trying to figure out what the attacker is doing or block their future attacks. Now, when we look at covert channels, these can be created using two different methods. We can use storage or timing as our methods of a covert channel. When we talk about a covert storage channel, this is going to utilize one process in the computer to write to a storage location. And then it’ll use a different process to read from that location. By splitting up this reading and writing function, it can actually be a covert channel that cannot be detected by the operating system kernel. The second type of covert channel we can have is covert timing channels. Now these are going to utilize one process to alter a system resource so that changes in its response time can actually signal information to a recipient process. Now for this exam, you don’t have to know these two types of channels in depth and how they operate. But just keep in mind that covert storage channels use storage as the covert method, where I write to one part of the drive and then read from that same part.
And covert timing is going to use different timing and sequences to pass information off. For instance, I might send out a ping packet and I can actually translate that into Morse code. So every time I send out a ping packet on an even-numbered or an odd-numbered second, that might tell me whether it’s a dot or a dash. Now there are lots of different methods you can use with timing channels, and you can create them as complex or as simple as you want as an attacker. But it’s just something to be aware of as a defender: as you start seeing unusual things, think, is this possibly a timing channel or is this possibly a storage channel that I should look into? Now, in addition to this, sometimes you’ll have a covert channel that’s actually a hybrid of the two, combining the storage ability and the timing channel ability. This way, an attacker can evade detection as well.
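To make the detection side of this concrete, here is an added example that is not part of the course or its slides: a small Python detector run over a constructed set of traffic summaries. It flags echo-reply payloads that are not a standard ping pad (including the hex-obfuscated kind), DNS names with long or hex-only labels, and, for the segmented-over-time trick, it correlates anomalous echo replies per source/destination pair over a 15-minute window instead of the 30 to 60 seconds a signature engine typically reassembles. The event tuples, the two ping pad patterns taken as the baseline, and the thresholds are all assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample events: (seconds since capture start, src, dst, kind, data).
# For "icmp_reply" data is the echo-reply payload; for "dns" it is the queried name.
EVENTS = [
    (0,   "10.0.0.5", "198.51.100.7", "icmp_reply",
     b"\x00" * 16 + bytes(range(0x10, 0x38))),                      # ordinary ping reply
    (30,  "10.0.0.5", "198.51.100.7", "icmp_reply", b"4a6f686e20446f65"),   # hex-encoded text chunk
    (210, "10.0.0.5", "198.51.100.7", "icmp_reply", b"2c2063617264203431"), # next chunk, 3 min later
    (400, "10.0.0.5", "198.51.100.7", "icmp_reply", b"313131312e"),
    (5,   "10.0.0.9", "192.0.2.53",   "dns", "www.example.com"),
    (6,   "10.0.0.9", "192.0.2.53",   "dns",
     "6a6f686e646f652e6578616d706c652e636f6d.t.example.net"),      # hex-encoded label
]

# Assumed baseline pads for a normal ping payload (constructed for this example).
KNOWN_ECHO_PADS = (
    b"abcdefghijklmnopqrstuvwabcdefghi",  # default payload of the Windows ping client
    bytes(range(0x10, 0x38)),             # incrementing pad that follows the Linux ping timestamp
)
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def classify_echo_payload(payload: bytes) -> str:
    """Label an echo-reply payload: a known ping pad, with up to 16 bytes of
    timestamp in front of it, is normal; anything else is worth a look."""
    for pad in KNOWN_ECHO_PADS:
        if pad in payload and len(payload) - len(pad) <= 16:
            return "standard"
    if payload and all(b in HEX_DIGITS for b in payload):
        return "hex-encoded"  # the hex obfuscation trick from the lesson
    return "non-standard"


def suspicious_dns_name(name: str) -> bool:
    """Long or hex-only labels are typical of data encoded into DNS names."""
    label = max(name.split("."), key=len)
    is_hex = all(c in "0123456789abcdefABCDEF" for c in label)
    return len(label) >= 32 or (len(label) >= 16 and is_hex)


def detect_covert_channels(events, window=900, min_packets=3):
    """Return alert strings. Anomalous echo replies are counted per (src, dst)
    over a window far longer than the 30-60 s a DLP sensor reassembles, so
    chunks sent minutes apart are still correlated."""
    alerts = []
    odd_echo_times = defaultdict(list)
    for ts, src, dst, kind, data in sorted(events, key=lambda e: e[0]):
        if kind == "icmp_reply":
            if classify_echo_payload(data) != "standard":
                odd_echo_times[(src, dst)].append(ts)
        elif kind == "dns" and suspicious_dns_name(data):
            alerts.append(f"t={ts}s {src}->{dst} dns name looks encoded: {data}")
    for (src, dst), times in odd_echo_times.items():
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_packets:
                alerts.append(f"{src}->{dst}: {end - start + 1} anomalous echo replies "
                              f"within {window}s (first at t={times[start]}s)")
                break
    return alerts


if __name__ == "__main__":
    for line in detect_covert_channels(EVENTS):
        print(line)
```

Run on the constructed events, the ordinary ping reply is ignored, the DNS name with the 38-character hex label is reported, and the three hex-encoded echo replies spread across six minutes produce one alert that a 60-second window would never have raised.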
167. Steganography (OBJ 3.7)
In this lesson, we’re going to learn a little bit about steganography, including how to perform steganography and what tools may be used to do steganography. Steganography is this hiding technique, where we’re trying to hide data in plain sight. Essentially, steganography is the practice of concealing data within another file, message, image, or video. Now, there are lots of modern tools out there that can help you hide digital information, so that the human eye cannot tell the difference. For instance, there’s this Java tool called LSB Steganography, and you can put a secret message of text in the top part of this blank, you’ll upload an image, which is the original image on the left side, and then you will end up saving that text into the image. Now, if you look at that image with the naked eye, you cannot tell the difference, but what’s ended up happening here is that in the background, those words of ASCII text have been converted into ones and zeros, and they have slightly modified one pixel here and one pixel there in that final image, and those single pixels are only being changed by a fraction of a bit, so, it might be yellow, and now it’s a little bit of a lighter yellow.
This one might have been a green color, and now it’s a little bit of a darker green, and all those ones and zeros are put throughout that image, and it does affect the image quality just a little bit, but it doesn’t really add to the file size or change the file much at all, and so, it’s very easy to hide information in these files. Now, the reason we call it hiding in plain sight is because there is no encryption here. Anybody who has this tool can actually take that steganography image, load it into the tool, and pull the data back out as text as well. Now, the reason I wanted to bring up steganography to you is not because it’s used heavily inside the attacker workspace, in fact, it’s one of the least common ones that I’ve seen out in the wild. But it is important to think about, because data loss countermeasures do inspect outgoing packets for a lot of different signatures.
And they’re looking at those signatures to see if they match a database of known file signatures, but if I take that file and I put it inside another file, such as I did here with this text, putting it inside the image, that will actually circumvent that countermeasure’s signature matching, because we’re not going to match that text, that text now became this image, and we’re not going to match the original image, because now we have the text embedded in it, and that changes the file a little bit. So, this is something to keep in mind as you’re looking at it. In addition to using text and images, you can use audio files, video files, pretty much whatever you want, and you can hide other data inside of those types of files, and then pull it out using steganography. If you’ve ever seen an old spy movie where one spy takes out a classified ad in the newspaper, and the first letter of each word makes up the secret message, something like, meet at six, this is a version of steganography.
Now, the data isn’t going to be encrypted when you do this, it’s just going to be hidden inside another message. And if you know the key and what you’re looking for, then it’s really easy to see the message inside, wherever it’s being hidden. So, in the case of my newspaper example, writing down the first letter of each word gives you the secret message. Now, basically, if anybody knows where to look, they can easily pull that data back out. So, let’s jump into the lab environment and see how easy it is to hide some data inside a standard photograph using a steganography tool, and then get that back out on the other side. To conduct this demonstration, we’re going to load a steganography program up inside our web browser. You can try this at home if you want to. All you have to do is go to this website as seen on the screen, stylesuxx.github.io/steganography/ and hit Enter. When you get to the screen, you’re going to be asked to choose a file. So, I’m going to go ahead and choose a file off my desktop, which is my logo, Diontraining.png, and then you’re going to type in whatever the message is you want to hide. “This is a secret message for my students only! Steganography is fun!” Okay, so, we’re going to go ahead and hit Encode, and when you do that, you’ll see what the binary representation of your message is, you’ll see the original you had, you’ll see the normalized version of it, and notice these logos all look the exact same, and then you’ll have the hidden message version. If you right-click that and save it, you can go ahead and save it to your desktop, and I’m going to do it as Diontrainingmessage, and you’ll see it there on my desktop.
Now, if I look at these two files, side-by-side, we’ll have the Diontraining one, up here, and the hidden message one, right here. They look identical in every way, don’t they? Right, exactly, they do. And so, if we go ahead and close these, we can actually look at the file size of them. And so, the one on the left here is Diontraining.png, which is the original, and you can see the file size, or the dimensions of it, are the exact same as the new one, we haven’t changed that at all. But we did change the file size, and we went from 74 kilobits down to 57 kilobits. Why, if we put more information in, did the file size shrink? Well, it’s because of the way they re-encoded it to make sure the images looked exactly right, and the compression they used. Sometimes, the file size will get bigger as well, but it is very infrequent that you’ll see the same file size.
So, this may be one way that we know the file has been changed. Now, if we want to see the actual message inside of it, let’s go over here to Decode, and let’s go ahead and choose the original file, and if we hit Decode, you’ll see that there is no message inside that one. See, there was no hidden message, it came out garbage, because there was no hidden message. But if I choose the one that we hid the message inside of, we hit Open, and hit Decode, you’ll see that our hidden message comes right back. “This is a secret message for my students only! Steganography is fun!” And so, if you want to play with this, you can, you can go through and do some of this and send it to your friends and have them send you messages back. But remember, the information isn’t encrypted when you’re doing the steganography, you’re hiding it in plain sight. So, if I actually decided to open up Diontrainingmessage.png, the one that has this hidden message in it, inside of a hex editor, you could actually find that message hidden inside of it, it’s not encrypted.
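Here is what that web tool is doing under the hood, as an added example that is not the tool’s own code and not part of the course: a least-significant-bit embed and extract in Python over a constructed list of 8-bit samples standing in for image pixels (a real image would be read with a library such as Pillow). It also shows the defender’s side of “hiding in plain sight”: because there is no key, extraction is a fixed procedure anyone can run, and the share of printable ASCII in the LSB plane is a simple tell, which is the same thing the hex-editor observation above is getting at. The sample values, the 4-byte length header and the 0.8 threshold are assumptions for the demonstration.

```python
import random


def embed_lsb(pixels, message: bytes):
    """Return a copy of the pixel list with a 4-byte length header and the
    message written into the least significant bit of successive pixels."""
    data = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # each sample moves by at most 1
    return out


def read_lsb_bytes(pixels, nbytes, offset=0):
    """Reassemble nbytes from the LSBs, starting at pixel index offset."""
    result = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(pixels):
    """Anyone with the tool gets the message back: no key is involved."""
    length = int.from_bytes(read_lsb_bytes(pixels, 4), "big")
    if 32 + length * 8 > len(pixels):
        # What the tool shows as "garbage" for a file with nothing hidden.
        raise ValueError("no valid length header: probably no hidden message")
    return read_lsb_bytes(pixels, length, offset=32)


def printable_ratio(pixels, nbytes=64):
    """Defender's check: the share of the first nbytes of the LSB plane that are
    printable ASCII. Noise-like LSBs score around 0.38; embedded text near 1."""
    sample = read_lsb_bytes(pixels, nbytes)
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample)


def max_pixel_change(original, modified):
    """Largest per-sample difference between cover and stego data."""
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed cover "image": 4096 8-bit samples with noise-like low bits.
_rng = random.Random(7)
COVER = [_rng.getrandbits(8) for _ in range(4096)]
MESSAGE = b"This is a secret message for my students only! Steganography is fun!"
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    print(extract_lsb(STEGO).decode())
    print("max sample change:", max_pixel_change(COVER, STEGO))
    print("printable ratio cover/stego: %.2f / %.2f"
          % (printable_ratio(COVER), printable_ratio(STEGO)))
```

The cover and the stego data have the same length and no sample differs by more than one, which is why the two logos look identical; the printable-ratio check, on the other hand, separates them immediately because text written bit by bit into the LSB plane is still text once you read that plane back.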
168. Covering Your Tracks (OBJ 3.7)
Covering your tracks. So we’ve come a long way. We started out with trying to gather information about the network and fingerprinting it. We then matched vulnerabilities to exploits. We ran those exploits. We then tried to escalate our privileges to get better permissions. And then we started spreading out laterally across the network and started creating persistence. But when we did all of that, we’re leaving breadcrumbs all along the way, and we can get caught pretty easily. So we might want to cover our tracks if we were an attacker, or we’re trying to emulate an attacker as an advanced persistent threat or higher-level attacker during a pen test. So how do we do that? Well, we can cover our tracks by erasing, modifying, or disabling the evidence. Namely log files, right? We can clear those log files and edit those log files. We can also delete all the malware we’ve been putting into the system. And we can hide things in our files and folders using specified methods.
So how do we do all this? Well, if we want to erase, modify, or disable the evidence, this is where we’re going to remove any unneeded files or tools that we added to the victim’s system. So if I got into, say, John’s computer and I installed an SSH server on there so that I can then connect in anytime I wanted, now that I’m done with John’s computer, I’ve moved on to the server, I may want to remove that from John’s computer, right?
And so, anytime I’m hiding things, I want to figure out the best way to hide them so the defenders don’t see it and the users don’t see it. Because if a user sees it, they may call a defender to come look at it. So I’m going to hide my files and resources in hidden and uncommon locations. If I’m using Unix, Linux, or OS X, I can create a folder whose name starts with a dot, or period. That means it’s a hidden folder, and when they do a directory listing using ls, they’re not going to see it.
Now, if you’re on a Windows system, you also can hide stuff in other places. You can hide stuff in the System32 folder, because users don’t go there very often. You might put it in the Users folder under their AppData Roaming folder, because the administrators don’t look in there very often. You can apply hidden attributes to it.
You can use alternate data streams, where you put one file hidden inside another file. In the example here, I’m hiding the Notepad application inside the Calc application. And so, if I deleted the original Notepad application, you wouldn’t see it anymore. But it still exists as part of that Calc application as an alternate data stream. And so I can start it by doing start calc.exe:notepad.exe. Okay? If I did a dir in that directory, I would only see the Calc file. I can also hide files in the slack space. Again, hiding things in slack space is probably not something that as a pen tester I’m going to do. But as an attacker, this is something that they might do to be able to hide things in a very, very covert way.
Next, we have log files, right? And you can clear those log files, and you can just delete them completely. And then they would never know that you were there, right? Well, they would know you were there, but they would have no idea how you got in or where you’re hiding, right? Because they would know something’s wrong if all their log files disappeared. In Windows, the log files they’re concerned with are system logs, application logs, security logs, and event logs. For Linux, all your log files are generally stored in the /var/log folder. Now, as a pen tester, you should not be deleting the log files. You need to check your scope of work, but almost every scope of work will say do not modify log files. Do not delete log files, right? Because that is what the defenders need to do their job and protect themselves from real threats that are out there, in addition to your pen test.
If your scope of work does allow you to delete or clear log entries, you can do that with multiple different methods. If you’re using Meterpreter, you can issue the clearev command, which will clear all of the Windows Event logs. If you’re using the command line interface inside of Windows on a target machine, you can use wevtutil (W-E-V-T-U-T-I-L), which is the Windows Events utility, and then cl for clear, and then Application to clear the application log, for example. If you’re on a Linux system, it’s even easier to clear the logs because all logs on a Linux system are considered text files. For example, if you wanted to clear the syslog file, you could do that very easily by typing echo "", which is basically blank, > /var/log/syslog, and this will overwrite the syslog file with a blank line and it will effectively clear the entire log. Now, in some cases, you don’t want to clear the entire log, you just want to clear out specific entries. In this case, you might want to use a tool like the Stream Editor.
The Stream Editor has the ability to search, find, delete, replace, insert, or edit anything inside of that file without even having to open the file. It can do this by using the command sed, S-E-D, which is the Stream Editor, -i, then a quoted expression that matches the entries you want to remove, and then the name of the log file. For example, I might use sed -i '/malware/d' /var/log/auth.log to search through the auth log and delete any line that had the word malware in it. Now, the next thing you can do besides clearing those log files, as an attacker, is you can modify them. So log files are just text files, right? They can be edited. You can go in and change IP addresses.
So instead of saying that I came from 8.8.8.8, I can change it to 4.4.4.4, or whatever your IP is, right? And that way, you can throw the defenders off of your scent. Now, these log files, when you change them, are going to update the time and the user who last touched them. And so that can be an issue. And so you’ll want to do a timestomp to be able to change the time so that they don’t recognize that you’ve modified these logs. You also want to change the file’s ownership back to the original user. Because if it was owned by the administrator and you changed it when you modified it, it’s now going to change its ownership to you.
And so, again, you’re going to need to change that back. But as a pen tester, we don’t do this stuff very often because we don’t want to mess with the log files that are really needed by the organization. If you’re going to do any modification or deleting of log files, there should be a clause in your scope of work that says you must retain a good copy on your pen test system so you can give that to the organization and put it back when you’re done. Now, when we talk about timestomping, what is that? Well, it’s changing the access time of a file to a time that you want as the attacker. If you use touch and the file name, it will update the time to the current time of the system, which is good for things like firewall logs that are constantly being updated.
Now, if you have a file, like, you went and overwrote a DLL that was written back in 2014, touch isn’t going to help you ’cause it’s going to give you today’s 2018 date. Instead, you’re going to want to use ctime. Now, ctime will change the time of a file to a given date and time. So I can say that it was 11:45 at night on February 12th, 2014 if I wanted to. Now, Meterpreter has a timestomp tool built into it as well. So while you have that interactive shell access, you can actually timestomp your files directly using Meterpreter, in addition to using the touch or the ctime command. To use Meterpreter to timestomp your logs, simply type in timestomp, the name of the file, and then -m, quote, the date and time, end quote, that you want to use. For example, timestomp log.txt -m "02/03/2022 10:11:12" to be able to set it to February 3rd, 2022 at 10:11 and 12 seconds. Another method of covering your tracks is to remove the history inside of the Bash shell. Remember, anytime you’re using the Bash shell inside of Linux, by default, it is going to keep track of all the history of commands you’ve done.
So if you’d like to overwrite this, simply type in the command export HISTSIZE=0, which will set the history size to zero on the system, before you start running all of your exploits and entering commands into the Linux shell. Now, if you didn’t do this before you started running all of your attacks and exploits, you can cover your tracks after the fact by erasing the history. To do this on a Linux machine in the Bash shell, simply enter echo " " > ~/.bash_history, and hit Enter. Another way to do this is to clear the history by entering history -c and hitting Enter. If you’re working on a Windows system in the Command Prompt, you can clear the history of the Command Prompt by pressing Alt+F7 or by terminating the process, because Windows does not remember all of your commands by default. If you’re using PowerShell though, Windows does retain history.
So you want to clear that history by using the Clear-History cmdlet inside of PowerShell. Finally, we can shred files if we want to make sure we’re erasing things so they can’t be found again. On a Linux system, we can shred a file using the shred command. To do this, simply type in shred -zu and then the file name you want to shred. When you shred a file, it is going to overwrite that area of the hard drive with zeros to hide the evidence that was previously there. So even if someone tries to use forensic techniques to recover the files that you used, those files will no longer be there, and instead, just a series of zeros will be.
If you’re on Windows, there is no built-in command equivalent to do file shredding. But you can overwrite the entire volume with zeros if you’re going to format the drive. To do this, you’ll type format, the drive letter, /fs:NTFS /p:1. The /p option tells format how many passes of zeros you want to overwrite that hard drive with. Again, as a penetration tester, it is rare that you’re going to actually overwrite the hard drive with a series of zeros to delete all the contents during an engagement. But it is something you should be aware of as a defender because you might see an attacker try to cover their tracks in this way.
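From the defender’s side of everything in this lesson, here is an added example that is not part of the course: Python checks over constructed data for three of the track-covering techniques just described. Clearing a Windows log with wevtutil or clearev leaves its own event behind (1102 in the Security log, 104 in the System log); a log like /var/log/syslog that suddenly shrinks between two file-integrity polls has been truncated; and a timestomped modification time tends to be a whole second with no sub-second part, or earlier than the file’s creation time. The event records, size samples and nanosecond timestamps are constructed for the demonstration, and the timestomp checks are heuristics only (a copied file can legitimately carry an mtime older than its creation time).

```python
# Constructed Windows event records: (channel, event_id, message)
WINDOWS_EVENTS = [
    ("Security", 4624, "An account was successfully logged on."),
    ("Security", 1102, "The audit log was cleared."),
    ("Application", 1000, "Faulting application name: calc.exe"),
    ("System", 104, "The System log file was cleared."),
]

# Clearing a log removes its entries, but Windows then writes a fresh record
# saying the log was cleared: 1102 in Security, 104 in System. Forwarding
# those two to a SIEM is the cheapest detection of clearev / wevtutil cl.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


def find_log_clears(events):
    """Return the records that announce a cleared log."""
    return [e for e in events if (e[0], e[1]) in LOG_CLEARED_IDS]


# Constructed size samples from a file-integrity monitor polling a Linux log:
# (ISO timestamp, path, size in bytes)
SIZE_SAMPLES = [
    ("2024-03-01T10:00:00", "/var/log/syslog", 1048576),
    ("2024-03-01T10:05:00", "/var/log/syslog", 1052000),
    ("2024-03-01T10:10:00", "/var/log/syslog", 1),       # after echo "" > /var/log/syslog
    ("2024-03-01T10:15:00", "/var/log/syslog", 3200),
]


def find_truncations(samples):
    """An append-only log should never shrink between two polls; a drop means
    truncation (or a rotation, which you would allow-list by schedule).
    Returns (timestamp, path, previous_size, new_size) for each drop."""
    alerts, last_size = [], {}
    for ts, path, size in samples:
        prev = last_size.get(path)
        if prev is not None and size < prev:
            alerts.append((ts, path, prev, size))
        last_size[path] = size
    return alerts


def timestomp_indicators(mtime_ns, birth_ns):
    """Heuristics for a stomped modification time, given nanosecond epoch
    values. Tools that take a date and time as text write whole seconds, so a
    zero sub-second part stands out against the nanosecond values the
    filesystem writes itself; an mtime earlier than the creation time is the
    other classic tell (benign for copied files, so treat it as a lead)."""
    reasons = []
    if mtime_ns % 1_000_000_000 == 0:
        reasons.append("whole-second mtime")
    if mtime_ns < birth_ns:
        reasons.append("mtime earlier than creation time")
    return reasons


# Constructed timestamps: a file created in Nov 2023 whose mtime was set to
# 02/03/2022 10:11:12 UTC (the lesson's timestomp example), and an untouched file.
STOMPED = (1_643_883_072_000_000_000, 1_700_000_000_123_456_789)
NORMAL = (1_700_000_500_987_654_321, 1_700_000_000_123_456_789)

if __name__ == "__main__":
    print("log clears:", find_log_clears(WINDOWS_EVENTS))
    print("truncations:", find_truncations(SIZE_SAMPLES))
    print("stomped file:", timestomp_indicators(*STOMPED))
    print("normal file:", timestomp_indicators(*NORMAL))
```

None of these checks stops an attacker from clearing or editing a log; their value is that each technique from the lesson leaves a side effect the attacker does not control, and watching for the side effect is far more reliable than hoping the edited log still tells the truth.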