The objectives of “Covering Tracks/Maintaining Access”, as stated in most of the literature on black-hat and white-hat hacking, are as follows:
“The following is a list of goals for maintaining a foothold:
Establish multiple access methods to target network
Remove evidence of authorized access
Repair systems impacted by exploitation
Inject false data if needed
Hide communication methods through encryption and other means
Document findings” [JM13].
However, there is no need for IT Director(s) to erase traces and plant backdoors. In my opinion, the IT Director’s goal does not meet any of the above objectives. For this reason, the “Covering Tracks/Maintaining Access” phase was replaced by a “Rectification” phase, which meets IT Director(s)’ requirements and their need to improve security.
6.1. RECTIFICATION PHASE
This phase is divided into three parts: (1) rectification of an un-exploited vulnerability by installing patches and changing configurations, (2) rectification of an exploited vulnerability where an attacker has gained access, and (3) searching for possible traces of an attack.
Our focus will be on the last part. The first is very well known to most IT Director(s), and System and Network administrators know exactly what to do about it. The second and third parts are much more demanding and require a different set of tools; the third part is the most challenging of the three, so we will emphasize it.
[ER11] asks the following question in one of his trainings: “How do you get rid of something you do not know if you already have?” The answer to this question is not simple and requires a lot of research and innovative thinking, but we will touch the surface of it in this module.
In this phase, IT Director(s) should employ various Forensic tools to discover any planted malware, rootkit, or traces left by a hacker, spyware, or viruses. There are many open-source Forensic tools, but only a few of them will be useful to IT Director(s) in this phase.
[JM13] mentions that “Forensics is important after identifying that your web application or other assets have been compromised, to avoid future negative impact” and this statement is in accordance with our suggestion to use Forensic tools to find traces of hackers. However, the challenge is where to look for these traces and what to collect.
In our scenario, we do not have a known victim machine, but we suspect the presence of a rootkit, backdoor, or a suspicious behavior on a system, or we want to keep our staff alerted by assuming a hacker was able to plant a backdoor.
What we will talk about is what an IT Director needs to do, not a real incident that needs investigation, because the latter involves specialized people who are recognized in front of a court of law as experts in the domain. In other words, it is not an investigation of an attack; it is a search for possible traces, backdoors, or rootkits in an environment.
However, the use of Forensic tools on all hosts will be tedious, especially in enterprise organizations that might have thousands of hosts. Doing it randomly will not be very efficient either. So how can we decide on which hosts to run these tools?
First, these tools shall be used on suspected machines. The suspected machines will be determined based on the findings of two phases from our proposed model: the Anti-Reconnaissance and the Vulnerability Assessment phases. For example, one of the solutions implemented in the Anti-Reconnaissance Phase may report that a host was scanned for open ports by a suspect machine; or a Security Analyst scanning a host may find an unknown open port. These two hosts constitute two valid cases for investigation with the tools described in this module. They are considered suspected machines and might indicate the presence of rootkits, backdoors, traces of a hacker, etc.
6.2. RECTIFICATION FUNDAMENTALS:
The following are the fundamentals that will be followed in this phase:
Duration: No limited duration; it is a continuous process. However, it gets feedback from Anti-Reconnaissance and Vulnerability Assessment tools.
Devices: It will be limited to devices indicated by Anti-Reconnaissance and Vulnerability Assessment tools.
Methods: Rectification shall not violate any internal policy.
Notified parties: System owners, Incident Handling team, System, Application, and Network Admins.
Level of access: equivalent to root and Administrator. The analysts need full access, like a Forensic investigator, in order to examine the findings.
Deliverables: a final report for this phase and all other phases, concluding with recommendations, plus feedback to the Anti-Reconnaissance tools’ users on any configuration changes needed to eliminate false positives.
6.3. OBJECTIVES/GOALS OF RECTIFICATION:
Goals and objectives from the IT Director(s)’ angle are as follows:
Minimize data loss if intruder traces were detected,
Capture information and traces about intruders, if any,
Evaluate the risk value of any traces of infected systems and/or data leaked or compromised, and invoke the Incident Handling procedure,
Prevent any possibility of privilege escalation,
Remove backdoors or rootkits, if any,
Repair infected systems, if any,
Document findings.
6.4. TYPES OF ANALYSIS TO BE CONDUCTED
There are several areas to examine in order to discover traces of malicious activity. Below are the most important areas for a Security Analyst to analyze, followed by tools that can be used in these areas:
File Analysis
Executable file or services Analysis
Resident Data Analysis
Rootkits detection
Log File manipulation
Registry Analysis
There are other areas to analyze (e.g. memory), but those are handled by Forensics investigators, require very specialized skills, and will not be covered in our project.
6.5. RECTIFICATION TOOLS:
6.5.1. TCPDUMP/WINDUMP
TCPdump and its Windows counterpart WinDump are free, simple command line tools.
TCPdump/WinDump are passive packet capturing tools: they have no capacity to alter traffic on the network, and they do not interpret what they capture.
TCPdump/WinDump serve as a starting point for non-experts before learning the more advanced tool Wireshark, since TCPdump offers a subset of Wireshark’s functionality. TCPdump is available in Backtrack and Kali Linux, in addition to other *nix and Windows operating systems.
6.5.2. WIRESHARK
Please refer to Penetration Testing Module for complete description of the tool.
6.5.3. CHKROOTKIT
This tool is considered an anti-virus or anti-malware for Linux systems [JM13].
Chkrootkit scans the file system and checks whether a rootkit has been installed or whether there are any signs that indicate the presence of a rootkit. In addition, it checks for malware and Trojans on a suspected host. Chkrootkit is a command line tool. You cannot rely 100% on chkrootkit to discover rootkits, but it usually points to possible problems; combining it with other scanners such as MD5deep is a better solution. Both could be classified as a HIDS because they scan a host for signs of un-customized public rootkits based on signatures and processes. One thing chkrootkit can do for sure is discover whether an installed Kali Linux or Backtrack version is infected or not. Chkrootkit is available in Kali Linux and other distributions.
6.5.4. MD5DEEP
MD5Deep is a tool that computes hashes (message digests) for one or more files. This helps security analysts identify changes that have happened to system files and executables. A package can be queried to check whether any of its binaries were changed. In addition, it has the option to scan a directory of files and generate an MD5 signature for each file. The drawback of this tool is that it has no GUI; though it is CLI-based, it is simple to use. SHA/MD5 is similar to MD5Deep, but it has a GUI interface that is easy to use.
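The baseline-and-compare workflow behind the MD5Deep description (and the hash comparison mentioned later under TSK), shown here as an added example that is not part of the original report and is not the md5deep tool itself: hash a directory tree once while the system is known-good, hash it again on the suspected host, and report what was added, removed or modified. The sample tree is constructed in a temporary directory; the digest defaults to SHA-256 rather than MD5 (the md5deep package ships sha256deep for the same reason).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream the file through the digest so large binaries never sit fully in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = "sha256") -> dict:
    """Hash every regular file under root, keyed by relative path (like `md5deep -r`).
    Symlinks are skipped so a link to a changed target is not double-counted."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify differences between two baselines; every category is a sorted list."""
    return {
        "added": sorted(set(new) - set(old)),          # files that were not there before
        "removed": sorted(set(old) - set(new)),        # files that disappeared (e.g. logs)
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed walkthrough: baseline a tiny tree, then simulate three kinds of change."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original binary")
    (root / "app.conf").write_bytes(b"setting=1")
    before = build_baseline(root)                            # taken when known-good
    (root / "bin" / "ls").write_bytes(b"replaced binary")    # system file altered
    (root / "bin" / "newtool").write_bytes(b"unexpected")    # file that was not there
    (root / "app.conf").unlink()                             # file that disappeared
    return compare_baseline(before, build_baseline(root))
```

On a real host the "before" baseline must come from trusted media or a known-good image, not from the suspected machine itself.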
6.5.5. ROOTKIT REVEALER
RootkitRevealer is a great free option that can detect hidden registry keys, hidden files, and rootkits. F-Secure’s Blacklight is another free option, but not as efficient as RootkitRevealer. Both run on the Windows operating system.
“Tools like Rootkit Revealer, Vice, and F-Secure’s Blacklight are some great free options for revealing the presence of hidden files and rootkits” [PE13].
6.5.6. TSK(THE SLEUTH KIT)
TSK is an open-source, simple command line tool that can look at a specific disk, file information, raw files, and their metadata, and analyze these findings. Autopsy is a graphical front end for The Sleuth Kit. The analysis shows when files were modified, accessed, and changed, which makes analysis easier. Hash values can also be compared to check whether any system file or application code was changed. Autopsy is an open-source tool that runs on Windows, Linux, UNIX, and Mac operating systems. It can analyze NTFS, FAT, HFS+, Ext3, UFS, and many other volume types.
The Autopsy browser is part of TSK (The Sleuth Kit) (http://www.sleuthkit.org/autopsy/download.php) and is used to analyze hard disk images. This tool allows you to open various types of images at the same time, showing different views of the data in its web browser. With this tool, you can recover deleted files and directories for further investigation. Recovery of deleted files/directories might lead to an attacker who deleted log files or other files used in the attack process to cover attack traces. It also has the option to extract history, cookies, and bookmarks from several browsers (Firefox, Chrome, Safari, and Internet Explorer). It runs the commands and shows the results in a web browser.
Autopsy can be used together with other forensic tools. The Autopsy browser makes TSK easier to use, but it is rated as poor and limited when compared to commercial tools like EnCase and FTK.
6.5.7. FATBACK
FatBack is a *nix tool for recovering data from problematic FAT file systems. It searches for data on a target based on its content. It works with single partitions or whole disks.
Its strength is the ability to search for any malicious program or deleted logs that were present on the target and then deleted to cover the attacker’s traces.
6.5.8. NIKTO
Nikto is a web-server vulnerability scanner. “After running a port scan and discovering a service running on port 80 or port 443, one of the first tools that should be used to evaluate the service is Nikto. Nikto automates the process of scanning web servers for out-of-date and unpatched software as well as searching for dangerous files and scripts that may be placed on web servers. Nikto is capable of identifying a wide range of specific issues and checks the server for misconfiguration” [PE13].
Nikto has many advantages: it is very fast, and it bases its scans on plug-ins that can be updated manually by security experts. It updates its database with a simple command.
It supports Nmap output as input for its scan. Multiple targets can be listed in a file to be scanned in one run. It supports proxies and SSL (HTTPS). It is very simple to use and free.
Nikto has several limitations. It does not accept IP addresses as input. It does not support Digest or NTLM authentication, although NTLM can be supported through an authorization proxy server. Since it is very fast, it will be detected by IDSs and might crash a server that is not able to handle the load. It is available for Linux and Windows.