Data Capture in Encrypted Environments with Sebek
Speakers
Edward Balas
Researcher at Indiana University
Member of the Honeynet Project
This material is based on research sponsored by the Air Force Research Laboratory under agreement number F30602-02-2-0221. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.
Motivation
Observe intruders even in encrypted environments
Do so without being noticed.
Monitor all attacker activity, not just keystrokes
Historical techniques
Serial line monitoring
Packet sniffing: Ethereal, Snort
Trojaned binaries: Bash, SSH
Limits of existing techniques
Network-based capture limits you to black-box system analysis: you are unable to monitor encrypted sessions (presuming no key escrow).
Trojaned binaries: easy to detect, easier to avoid.
Next step in the arms race
Data Capture needs to circumvent encryption.
Application trojaning is insufficient.
Time to head for kernel space.
A kernel based Data Capture tool
How do we gain access to the data of interest?
How do we get this data to a server without the attacker detecting it?
Can we make the system impossible to detect?
Sebek
Uses kernel space “privilege” to gain access to all data read by intruder.
Exports this data to remote server in covert manner.
It can be detected and disabled, but it is a step in the right direction.
Typical deployment
Getting access to the data
Replace the read() system call in the kernel
Have the new syscall record interesting data
Just change the function pointer in the system call table.
What the read hijack looks like
Getting the data to the server
We don’t want data export slowing down the host. UDP works well in this situation.
We don’t want a hacker to see or block these packets. Using the standard socket interface won’t work: Sebek generates the packet itself and interacts directly with the ethernet driver.
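The packet crafting described above, as an added example (my code, not Sebek's): a userspace C model of building the Ethernet/IPv4/UDP frame by hand, including the IP header checksum, so that a kernel-resident exporter can hand it straight to the driver rather than to the socket layer. The MAC and IP addresses, the port number and the record payload are constructed sample values, and the payload layout is not Sebek's real wire format.

```c
/* Added example (not Sebek's code): hand-building the Ethernet/IPv4/UDP frame
 * a kernel-resident exporter emits when it bypasses the socket layer. Userspace
 * model; MACs, IPs, ports and the record payload are constructed sample values,
 * and the payload layout is not Sebek's actual wire format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define IP_HLEN  20
#define UDP_HLEN 8
#define SAMPLE_PAYLOAD "pid=1264 fd=0 data=ls -la\n"   /* constructed record */
uint8_t g_frame[1514];                                /* scratch frame buffer */

/* RFC 1071 ones-complement checksum over 16-bit big-endian words. */
uint16_t ip_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (i < len)                        /* odd trailing byte, zero-padded */
        sum += (uint32_t)(data[i] << 8);
    while (sum >> 16)                   /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Build Ethernet + IPv4 + UDP + payload into out. Returns the frame length, or
 * 0 if it would not fit. The UDP checksum stays 0 (optional on IPv4): one less
 * thing to compute inside a hot read() path. */
size_t build_udp_frame(uint8_t *out, size_t cap,
                       const uint8_t dst_mac[6], const uint8_t src_mac[6],
                       uint32_t src_ip, uint32_t dst_ip,
                       uint16_t src_port, uint16_t dst_port,
                       const uint8_t *payload, size_t plen)
{
    size_t total = ETH_HLEN + IP_HLEN + UDP_HLEN + plen;
    if (total > cap || IP_HLEN + UDP_HLEN + plen > 0xffff) return 0;
    uint8_t *eth = out, *ip = out + ETH_HLEN, *udp = ip + IP_HLEN;
    memcpy(eth, dst_mac, 6);
    memcpy(eth + 6, src_mac, 6);
    put16(eth + 12, 0x0800);                 /* EtherType: IPv4 */
    memset(ip, 0, IP_HLEN);
    ip[0] = 0x45;                            /* version 4, IHL 5 words */
    put16(ip + 2, (uint16_t)(IP_HLEN + UDP_HLEN + plen));
    ip[8] = 64;                              /* TTL */
    ip[9] = 17;                              /* protocol: UDP */
    put32(ip + 12, src_ip);
    put32(ip + 16, dst_ip);
    put16(ip + 10, ip_checksum(ip, IP_HLEN)); /* computed with the field zeroed */
    put16(udp, src_port);
    put16(udp + 2, dst_port);
    put16(udp + 4, (uint16_t)(UDP_HLEN + plen));
    put16(udp + 6, 0);
    memcpy(udp + UDP_HLEN, payload, plen);
    return total;
}

/* Wrapper using the constructed sample addresses and record. */
size_t build_sample_frame(uint8_t *out, size_t cap)
{
    static const uint8_t dst_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    static const uint8_t src_mac[6] = { 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee };
    return build_udp_frame(out, cap, dst_mac, src_mac,
                           0xc0a80a0a /* 192.168.10.10 */, 0xc0a80a01 /* 192.168.10.1 */,
                           1101, 1101, (const uint8_t *)SAMPLE_PAYLOAD, strlen(SAMPLE_PAYLOAD));
}

/* What the receiver (or a pre-transmit sanity check) verifies: IPv4 EtherType,
 * UDP protocol, and an IP header whose ones-complement sum folds to zero. */
int frame_header_valid(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + IP_HLEN + UDP_HLEN) return 0;
    const uint8_t *ip = frame + ETH_HLEN;
    return frame[12] == 0x08 && frame[13] == 0x00 && ip[0] == 0x45 && ip[9] == 17 &&
           ip_checksum(ip, IP_HLEN) == 0;
}

/* Known-answer check for the checksum routine on a textbook IPv4 header. */
int checksum_known_vector_ok(void)
{
    static const uint8_t hdr[IP_HLEN] = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00,
                                          0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01,
                                          0xc0, 0xa8, 0x00, 0xc7 };
    return ip_checksum(hdr, IP_HLEN) == 0xb861;
}

int main(void)
{
    size_t n = build_sample_frame(g_frame, sizeof g_frame);
    printf("frame %zu bytes, header %s\n", n, frame_header_valid(g_frame, n) ? "ok" : "BAD");
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", g_frame[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    return 0;
}
```

Because the frame never enters the socket layer, nothing on the host that hooks at that layer (packet sockets used by sniffers, host firewall rules) gets a look at it. The flip side is that the packets still leave the wire and still cost transmit time, which is exactly what the dynamic profiling on the Detecting Sebek slide measures.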
What the data export looks like
Capabilities
Keystroke monitoring
SCP file transfer recovery
Burneye password recovery
Monitor processes that are not active on the network
Anti-Sebek Foo: the weak points in Sebek’s armor
Detecting Sebek
Static fingerprinting via kernel memory: /proc/kcore, or kernel space via insmod. Find data structures, symbols etc.: a true wealth of data.
Dynamic performance profiling: cause Sebek to export packets. If Sebek is running, 1,000,000 reads will take longer than if it is not running; check to see if network latency increases as a result of packets per second TX.
Evading Sebek
One way to evade Sebek is to not use the read call.
Dornseif, Holz and Klein outline how to access files with the mmap call: not so useful in traditional shell and pipe environments, but it would work for custom malware etc.
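The read() hijack from the "Getting access to the data" slide and the mmap evasion described here, as one added example (my code, not Sebek's and not the NoSEBrEaK authors'): a userspace C model in which the syscall table is an array of function pointers, the hook records what read() hands back to the caller, and a file read through mmap() leaves no record. The pipe contents, the temporary file path and its contents are constructed.

```c
/* Added example (not Sebek's code): a userspace model of the read() hijack and
 * of the mmap() evasion. The "syscall table" is an ordinary array of function
 * pointers; in the kernel the same pointer swap is made on sys_call_table and
 * the capture copies from the caller's user buffer instead of using memcpy. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef ssize_t (*read_fn)(int fd, void *buf, size_t len);
enum { NR_READ = 0, NR_COUNT };
static read_fn sys_call_table[NR_COUNT] = { read }; /* model of the real table */
static read_fn original_read;                      /* saved when the hook goes in */

#define MAX_RECORDS 64
struct capture { int fd; size_t len; char data[257]; };
static struct capture records[MAX_RECORDS];
static size_t record_count;

/* Replacement read(): run the real one, then record what the caller got back.
 * Capturing after the fact defeats encryption: sshd has already decrypted
 * the keystrokes by the time the shell read()s them. */
static ssize_t sebek_read(int fd, void *buf, size_t len)
{
    ssize_t n = original_read(fd, buf, len);
    if (n > 0 && record_count < MAX_RECORDS) {
        struct capture *c = &records[record_count++];
        c->fd = fd;
        c->len = (size_t)n < sizeof c->data - 1 ? (size_t)n : sizeof c->data - 1;
        memcpy(c->data, buf, c->len);
        c->data[c->len] = '\0';
    }
    return n;
}

/* The hijack itself: one pointer in the table changes. */
void install_hook(void)
{
    if (original_read) return;
    original_read = sys_call_table[NR_READ];
    sys_call_table[NR_READ] = sebek_read;
}

/* Push constructed keystrokes through a pipe and read them back via the table,
 * as the kernel dispatches. Returns the bytes the hook captured. */
size_t demo_read_captured(const char *keys)
{
    int p[2]; char buf[256];
    size_t before, got = 0;
    if (pipe(p) != 0) return 0;
    if (write(p[1], keys, strlen(keys)) < 0) { close(p[0]); close(p[1]); return 0; }
    close(p[1]);
    install_hook();
    before = record_count;
    while (sys_call_table[NR_READ](p[0], buf, sizeof buf) > 0)
        ;
    close(p[0]);
    for (size_t i = before; i < record_count; i++)
        got += records[i].len;
    return got;
}

/* The most recent captured record, NUL-terminated. */
const char *last_capture_data(void)
{
    return record_count ? records[record_count - 1].data : "";
}

/* The evasion: map a file and touch its pages. Page faults, not read(), bring
 * the bytes in, so the hook records nothing. Returns 1 if the contents came
 * back intact and the record count did not move. */
int demo_mmap_evasion(void)
{
    static const char sample[] = "constructed sample file contents\n";
    char path[] = "/tmp/sebek-evade-XXXXXX";
    size_t n = sizeof sample - 1, before;
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, sample, n) != (ssize_t)n) { close(fd); unlink(path); return 0; }
    close(fd);
    install_hook();
    before = record_count;
    fd = open(path, O_RDONLY);
    unlink(path);                            /* the mapping keeps it alive */
    if (fd < 0) return 0;
    void *m = mmap(NULL, n, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return 0;
    int ok = memcmp(m, sample, n) == 0 && record_count == before;
    munmap(m, n);
    return ok;
}

int main(void)
{
    size_t got = demo_read_captured("ls -la\n");
    printf("hook captured %zu bytes: %s", got, last_capture_data());
    printf("mmap read went unrecorded: %s\n", demo_mmap_evasion() ? "yes" : "no");
    return 0;
}
```

In the kernel the buffer being recorded belongs to user space, so the hook copies it with copy_from_user after the original read returns; the model uses memcpy. The mmap path shows why the "What can we do about this?" slide lists monitoring mmap and its page faults: the data arrives through the fault handler and never passes the hooked entry.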
Disabling Sebek
J. Corey outlined a method to disable Sebek by rewriting the syscall table. This works against a kernel module with syscall jacking; it won’t work against a kernel patch.
Dornseif, Holz and Klein simply called the cleanup_module() call. This also fails against a kernel patch.
Anti-Sebek Bibliography
M. Dornseif, T. Holz, C. Klein, “NoSEBrEaK - Attacking Honeynets”, Proceedings of the 2004 IEEE Workshop on Information Assurance and Security.
J. Corey, “Advanced Honeypot Identification”, Sept 2003, http://www.phrack.org/fakes/p62-0x07.txt
J. Corey, “Advanced Honeypot Identification and Exploitation”, Jan 2004, http://www.phrack.org/fakes/p63/p63-0x09.txt
What can we do about this?
Roll out a patch-based Sebek.
Monitor the mmap call / associated page faults?
Further obfuscate the contents of Sebek memory.
Trojan the /proc/kcore device and the insmod-related syscalls?
The Sebek Server
Operates as a packet sniffer.
Uploads data into a MySQL database
Outputs keystroke logs
Web Interface allows one to browse all data
Data Analysis
Example shows a non-root user copying a file to his home directory.
The file is a Burneye protected copy of a ptrace exploit.
The user runs the binary and gains root access.
Analysis Questions
1. Can we recover the SCPed file using the web interface?
2. Can we determine the password used to run the Burneye binary?
3. Can we determine exactly when the user gained root access?
Main Page: All hosts summary
Looking at Keystrokes
Closer look at “scp” process
Using the SCP decode option
Looking at the SCPed file
We have now recovered a file named malware from PID 1264 FD 0.
After downloading, we examined the file with strings.
“TEEE burneye - TESO ELF Encryption Engine”
This is a burneye binary
Lets take a closer look at malware’s activity
I wonder what the password is?
Hmm... this looks bad
Back to the Questions
We were able to recover the file named malware, which was transferred using SCP.
The password used to run malware was “secret”.
The blackhat user gained root access at timestamp 2003-7-23 20:04:01, process ID 1318, file descriptor 0.
The Future
Ability to compile directly into the kernel
Make it harder to disable: anti-anti-Sebek techniques
Provide a better facility for users to express what data they want to collect
Improved data analysis
The Future...
Develop an IDS that is based on Sebek data
Merging this IDS with Systrace to protect systems
Using this IDS to support honeytokens
Where Can I learn more?
http://www.honeynet.org/papers/sebek.pdf
Where Can I get Sebek
www.honeynet.org/tools/sebek
For questions or comments contact Edward Balas ebalas at iu.edu