Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Similar documents
Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

CTS2134 Introduction to Networking. Module Network Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Chapter 11 Phase 5: Covering Tracks and Hiding

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewall Design Principles Firewall Characteristics Types of Firewalls

F-SECURE MESSAGING SECURITY GATEWAY

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Multi-Homing Dual WAN Firewall Router

Computer Networks. Secure Systems

Chapter 11 Cloud Application Development

Introduction of Intrusion Detection Systems

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Firewalls. Chapter 3

IP Filter/Firewall Setup

CSCI Firewalls and Packet Filtering

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Introduction to Computer Security Benoit Donnet Academic Year

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders

Firewall Firewall August, 2003

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewalls (IPTABLES)

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls, Tunnels, and Network Intrusion Detection

GoToMyPC Corporate Advanced Firewall Support Features

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Description: Objective: Attending students will learn:

Proxies. Chapter 4. Network & Security Gildas Avoine

Security. TestOut Modules

Access control policy: Role-based access

Security threats and network. Software firewall. Hardware firewall. Firewalls

Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

GregSowell.com. Mikrotik Security

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Networking for Caribbean Development

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Network Security Topologies. Chapter 11

CSSIA CompTIA Security+ Domain. Network Security. Network Security. Network Security. Network Security. Network Security

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Bypassing firewalls Another hole in the wall ;-) Présentation pour «La nuit du hack» le 13 Juin 2009

Intro to Firewalls. Summary

Transition Networks White Paper. Network Security. Why Authentication Matters YOUR NETWORK. OUR CONNECTION.

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Firewalls. Network Security. Firewalls Defined. Firewalls

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Connecting an Android to a FortiGate with SSL VPN

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

RemotelyAnywhere. Security Considerations

Internet Security Firewalls

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Solution of Exercise Sheet 5

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CS5008: Internet Computing

How To Configure SSL VPN in Cyberoam

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Chapter 8 Security Pt 2

Firewalls, IDS and IPS

Chapter 17. Transport-Level Security

allow all such packets? While outgoing communications request information from a

Lecture 23: Firewalls

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Network Defense Tools

General Network Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

1. Firewall Configuration

Chapter 8 Network Security

SECURITY ADVISORY FROM PATTON ELECTRONICS

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

File Transfer Protocol (FTP) & SSH

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Securing Networks with PIX and ASA

Altus UC Security Overview

Security Technology: Firewalls and VPNs

Print Audit Facilities Manager Technical Overview

Computer and Network Security Exercise no. 4

8 steps to protect your Cisco router

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

TELNET CLIENT 5.11 SSH SUPPORT

Setting Up Scan to SMB on TaskALFA series MFP s.

Cyber Essentials. Test Specification

Transcription:

Reverse Shells Enable Attackers To Operate From Your Network Richard Hammer August 2006

Reverse Shells? Why should you care about reverse shells? How do reverse shells work? How do reverse shells get installed on your systems? What covert channels do reverse shells use? How do you detect reverse shells on your network?

Reverse Shells? (Cont) Will firewall egress rules stop reverse shells? How do you test firewall egress rules? Is there a positive use for reverse shells? How do you protect your network against reverse shells?

Why should you care about reverse shells? Reverse shells give attackers full control of the systems they are installed on Reverse shells allow attackers to collect and send your data out of your network Reverse shells allow attackers to capture usernames and passwords Reverse shells allow attackers to scan your network from the inside

What the heck is a shell? Command line user interface for a computer Users enter text commands for the computer system to execute

How do reverse shells work? Reverse shells allow access to internal systems without having incoming access to the network Reverse shells force an internal system to actively connect out to an external system

How do reverse shells get installed on your systems? Physical access Reverse shell installed using auto-play feature Skilled intruder with private physical access can defeat all installed security mechanisms and install reverse shells Insider installing reverse shells Social Engineering someone into installing the reverse shell program Users executing e-mail attachments that install the reverse shell program Users downloading and executing reverse shell program Legitimate programs that can act like reverse shells

What covert channels do reverse shells use? Reverse shells can operate using any protocol/port combination that is allowed out of your network Netcat any TCP/UDP port Cryptcat - any TCP/UDP port with encryption Loki & Ping Tunnel - ICMP Reverse WWW Shell HTTP DNS Tunnel DNS Sneakin Telnet Stunnel SSL Secure Shell - SSH Custom Reverse Shell???

Reverse WWW Shell Attacker configures variables External system IP address Port Time of day to execute Proxy information if needed Attacker must find a way to execute on the internal system

Application aware firewalls and proxies Application aware firewalls and proxies are capable of making filtering decisions based on the embedded application data in the network traffic An application aware firewall will not pass telnet traffic through the http port When picking a reverse shell to exploit your network the attacker must know if your perimeter protection is application aware Do you know if your perimeter protection is application aware?

Will firewall egress rules stop reverse shells? Egress filters will stop reverse shells if the protocol/port combination is closed Application aware firewalls and proxies will stop reverse shells that do not communicate using the expected application layer protocol Reverse shell programs are a good reason to only open outgoing service ports required for business Are egress filters installed on your network?

How do you test firewall egress rules? Port scanning the firewall from the inside is not a valid test of egress filter rules Testing egress rules requires passing traffic through the firewall from the inside to a system outside the firewall Application aware firewalls and proxies must have the correct application layer traffic passed through them for a valid test

How do you test firewall egress rules?

Is there a positive use for reverse shells? Reverse shells can be used to test firewall filter rules Reverse shells can be used to test if application firewalls and proxies are really application aware Reverse shells can be used to test IDS rules Reverse shells can be used to work from home and not bother getting official access to the company network

Netcat Example Netcat can push a shell to another system: Using any TCP/UDP port Through any non-application aware firewall or proxy Running on most operating systems

How do you detect reverse shells on your network? Detecting working reverse shells is difficult Scrutinize drop logs on firewall and proxies Tune IDS to alert on traffic that is not expected E-mail server that starts surfing the web DNS server that telnets out of the network Host based firewall logs Check server baselines against known good configurations

SSH - Friend or Foe? SSH can tunnel any TCP traffic -R reverse port forwarding Hides traffic inside an encrypted tunnel Network traffic at perimeter looks like SSH

How do you protect your network against reverse shells? Restrict physical access to your network Only allow outgoing services that are required for your business Install application aware host or client based firewalls Train users to: NOT execute e-mail attachments they are NOT expecting NOT download and install unauthorized programs

How do you protect your network against reverse shells? (Cont) Install application aware firewalls and proxies Authenticating outgoing web proxies Tune IDS rules for the specific network segment it is installed on Split DNS Separate incoming and outgoing e-mail servers Dedicated servers

Conclusion Reverse shell programs pose a real threat to your network Application aware firewalls help protect against reverse shell exploits Egress filters help protect against reverse shells Detecting reverse shells is difficult Protecting your network from reverse shell exploits requires an understanding of how they work and the protocols they use Your network perimeter is secured from the outsidein, now start looking from the inside-out

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information