SlideShare une entreprise Scribd logo

Host Intrusion Detection like a Boss

André Lima
André Lima

Introduction to the stealth mode functionality an open source Host Intrusion Detection System called Samhain and analysis on how exactly it applies it in the operating system.

Technologie
1  sur  21
C:> telnet Host.Intrusion.Detection...like.a.boss HELO Confraria de Segurança de Informação PRESENTATION FROM: André Lima RCPT TO: Confraria@Forum.Picoas WHEN 26 Nov 2014 DATA Boa noite a todos! . QUIT by André Lima, Associate CISSP / ISO27001 / CCNA Security @0x4ndr3 al@integrity.pt https://www.linkedin.com/in/aflima
$whois andrelima • Consultant at Integrity S.A. • Associate Certified Information Systems Security Professional (CISSP) • ISO 27001 LA • CCNA Security • CCNP Route • Engenharia Informática @ ISEL 0x4ndr3 al@integrity.pt https://www.linkedin.com/in/aflima
$cat agenda.txt • Context • Intro to Samhain • Stealth – how it works • Stealth – installation details • Demo • Precautions • Conclusions • References • Questions
$patch -p1 < ../backdoor.c • Writing files – Patching – Adding backdoor user – Crontab – Altering logs – Rootkits – Backdoor service – Trojaned binaries ... Limits? your imagination!
But also... • Multi-admins environment
$samhain -h • Open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows) • Supports client-server model: configuration + database files • Provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, and detection of rogue SUID executables, etc http://www.la-samhna.de/samhain/
• File signatures $samhain -h – Inode + timestamps + owner and group permissions + number of hardlinks + etc • File system SUID/GUID Binaries • Detecting kernel rootkits • Checking for open ports • Log file validation • User ID (Linux Audit Daemon) • ... • Stealth mode!
$samhain –h | grep ‘Stealth Mode’ • What does it mean? – obfuscating strings on binaries + logfile + database (XML DB) – configuration can be steganographically hidden in a postscript image file – renaming the HIDS binary (and auxiliary applications) – Not enabled by default but advised: delete man pages folder!
$samhain –h | grep ‘Stealth Mode’
$samhain –h | grep “Stealth Mode”
$samhain –h | grep “Stealth Mode”
env X='() { :; }; echo "VULNERABLE DEMO"' bash -c id
Take some precautions!
echo $Precautions Document the stealth name!
echo $Precautions $ history -c
echo $Precautions
echo $Precautions
echo $Precautions
echo $Conclusions • Be organized – Know your assets • What users are supposed to be on a specific server • What ports must be on • What files (config / executables) must not be altered – Document your stealth configurations • Be very specific about what you’re monitoring (minimize false positives)
echo $references • Samhain documentation – http://www.la-samhna.de/samhain/s_documentation.html
$read Questions

Recommandé

Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaNéstor Salceda
 
Backup using rsync
Backup using rsyncBackup using rsync
Backup using rsyncGaurav Mishra
 
Instant DevOps
Instant DevOpsInstant DevOps
Instant DevOpsFerenc Erki
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 
Unix_basics
Unix_basicsUnix_basics
Unix_basicsAlexander Polovinko
 

Recommandé

Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaNéstor Salceda
 
Backup using rsync
Backup using rsyncBackup using rsync
Backup using rsyncGaurav Mishra
 
Instant DevOps
Instant DevOpsInstant DevOps
Instant DevOpsFerenc Erki
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 
Unix_basics
Unix_basicsUnix_basics
Unix_basicsAlexander Polovinko
 
New microsoft power point presentation
New microsoft power point presentationNew microsoft power point presentation
New microsoft power point presentationrajsandhu1989
 
Getting Started with PureScript
Getting Started with PureScriptGetting Started with PureScript
Getting Started with PureScriptJohn De Goes
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usagedjenoalbania
 
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...Puppet
 
Mainframe Hacking - Derbycon 5.0
Mainframe Hacking - Derbycon 5.0Mainframe Hacking - Derbycon 5.0
Mainframe Hacking - Derbycon 5.0bigendiansmalls
 
Terraform 9
Terraform 9Terraform 9
Terraform 9Jerry Singh
 
Demystifying Docker Networking Devoxx MA 2017
Demystifying Docker Networking Devoxx MA 2017Demystifying Docker Networking Devoxx MA 2017
Demystifying Docker Networking Devoxx MA 2017Imad Hsissou
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
"Containers do not contain"
"Containers do not contain""Containers do not contain"
"Containers do not contain"Maciej Lasyk
 
Cis222 9
Cis222 9Cis222 9
Cis222 9Russ Ferriday
 
Libssh2 at FSCONS 2009
Libssh2 at FSCONS 2009Libssh2 at FSCONS 2009
Libssh2 at FSCONS 2009FSCONS
 
2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion ConferenceDefensiveDepth
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptographybehrad eslamifar
 
Nix for Python developers
Nix for Python developersNix for Python developers
Nix for Python developersAsko Soukka
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersNéstor Salceda
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Gosuke Miyashita
 
CandH Card-PROOF
CandH Card-PROOFCandH Card-PROOF
CandH Card-PROOFDavid Vumbaco
 
Stanford University
Stanford UniversityStanford University
Stanford UniversityBonnie Jenkins
 

Contenu connexe

Tendances

New microsoft power point presentation
New microsoft power point presentationNew microsoft power point presentation
New microsoft power point presentationrajsandhu1989
 
Getting Started with PureScript
Getting Started with PureScriptGetting Started with PureScript
Getting Started with PureScriptJohn De Goes
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usagedjenoalbania
 
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...Puppet
 
Mainframe Hacking - Derbycon 5.0
Mainframe Hacking - Derbycon 5.0Mainframe Hacking - Derbycon 5.0
Mainframe Hacking - Derbycon 5.0bigendiansmalls
 
Demystifying Docker Networking Devoxx MA 2017
Demystifying Docker Networking Devoxx MA 2017Demystifying Docker Networking Devoxx MA 2017
Demystifying Docker Networking Devoxx MA 2017Imad Hsissou
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
"Containers do not contain"
"Containers do not contain""Containers do not contain"
"Containers do not contain"Maciej Lasyk
 
Libssh2 at FSCONS 2009
Libssh2 at FSCONS 2009Libssh2 at FSCONS 2009
Libssh2 at FSCONS 2009FSCONS
 
2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion ConferenceDefensiveDepth
 
Nix for Python developers
Nix for Python developersNix for Python developers
Nix for Python developersAsko Soukka
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersNéstor Salceda
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Gosuke Miyashita
 

Tendances (20)

New microsoft power point presentation
New microsoft power point presentationNew microsoft power point presentation
New microsoft power point presentation
 
Getting Started with PureScript
Getting Started with PureScriptGetting Started with PureScript
Getting Started with PureScript
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
 
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...
PuppetConf 2016: Avoiding Toxic Technical Debt Derivatives – R. Tyler Croy, C...
 
Mainframe Hacking - Derbycon 5.0
Mainframe Hacking - Derbycon 5.0Mainframe Hacking - Derbycon 5.0
Mainframe Hacking - Derbycon 5.0
 
Terraform 9
Terraform 9Terraform 9
Terraform 9
 
Demystifying Docker Networking Devoxx MA 2017
Demystifying Docker Networking Devoxx MA 2017Demystifying Docker Networking Devoxx MA 2017
Demystifying Docker Networking Devoxx MA 2017
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpad
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
"Containers do not contain"
"Containers do not contain""Containers do not contain"
"Containers do not contain"
 
Cis222 9
Cis222 9Cis222 9
Cis222 9
 
Libssh2 at FSCONS 2009
Libssh2 at FSCONS 2009Libssh2 at FSCONS 2009
Libssh2 at FSCONS 2009
 
2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion Conference
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
Nix for Python developers
Nix for Python developersNix for Python developers
Nix for Python developers
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
 
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
 

En vedette

For everything
For everythingFor everything
For everythingjagerns
 
Lauro gallegos eje 2_actividad 2
Lauro gallegos eje 2_actividad 2Lauro gallegos eje 2_actividad 2
Lauro gallegos eje 2_actividad 2cursopropedeutico2
 
RICHARD ADAMS RESUME
RICHARD ADAMS RESUMERICHARD ADAMS RESUME
RICHARD ADAMS RESUMERichard Adams
 
Software Project Documentation - An Essence of Software Development
Software Project Documentation - An Essence of Software DevelopmentSoftware Project Documentation - An Essence of Software Development
Software Project Documentation - An Essence of Software DevelopmentEswar Publications
 
Collection development by Muhammad Tufail Khan & Aneela Zahid
Collection development by Muhammad Tufail Khan & Aneela ZahidCollection development by Muhammad Tufail Khan & Aneela Zahid
Collection development by Muhammad Tufail Khan & Aneela ZahidMuhammad Tufail Khan
 
Sindhi society and culture
Sindhi society and cultureSindhi society and culture
Sindhi society and cultureDilbarhussain
 
Ssomnath Sarkar - Dy Manager adminstration - 10.5 Years
Ssomnath Sarkar - Dy Manager adminstration - 10.5 YearsSsomnath Sarkar - Dy Manager adminstration - 10.5 Years
Ssomnath Sarkar - Dy Manager adminstration - 10.5 YearsSomnath Sarkar
 

En vedette (16)

CandH Card-PROOF
CandH Card-PROOFCandH Card-PROOF
CandH Card-PROOF
 
Stanford University
Stanford UniversityStanford University
Stanford University
 
For everything
For everythingFor everything
For everything
 
Dog healt terminado
Dog healt terminadoDog healt terminado
Dog healt terminado
 
Tema 1. TIC
Tema 1. TICTema 1. TIC
Tema 1. TIC
 
Pee pe. lei estadual nº 15.533 de 23.6.2015
Pee pe. lei estadual nº 15.533 de 23.6.2015Pee pe. lei estadual nº 15.533 de 23.6.2015
Pee pe. lei estadual nº 15.533 de 23.6.2015
 
Lauro gallegos eje 2_actividad 2
Lauro gallegos eje 2_actividad 2Lauro gallegos eje 2_actividad 2
Lauro gallegos eje 2_actividad 2
 
RICHARD ADAMS RESUME
RICHARD ADAMS RESUMERICHARD ADAMS RESUME
RICHARD ADAMS RESUME
 
Sky aangan plots
Sky aangan plotsSky aangan plots
Sky aangan plots
 
Inmuno trabajo
Inmuno trabajoInmuno trabajo
Inmuno trabajo
 
Software Project Documentation - An Essence of Software Development
Software Project Documentation - An Essence of Software DevelopmentSoftware Project Documentation - An Essence of Software Development
Software Project Documentation - An Essence of Software Development
 
Conexiones para Riego de Aluminio
Conexiones para Riego de AluminioConexiones para Riego de Aluminio
Conexiones para Riego de Aluminio
 
Collection development by Muhammad Tufail Khan & Aneela Zahid
Collection development by Muhammad Tufail Khan & Aneela ZahidCollection development by Muhammad Tufail Khan & Aneela Zahid
Collection development by Muhammad Tufail Khan & Aneela Zahid
 
Sindhi society and culture
Sindhi society and cultureSindhi society and culture
Sindhi society and culture
 
Ssomnath Sarkar - Dy Manager adminstration - 10.5 Years
Ssomnath Sarkar - Dy Manager adminstration - 10.5 YearsSsomnath Sarkar - Dy Manager adminstration - 10.5 Years
Ssomnath Sarkar - Dy Manager adminstration - 10.5 Years
 
HYMER_Nova_2010_I.pdf
HYMER_Nova_2010_I.pdfHYMER_Nova_2010_I.pdf
HYMER_Nova_2010_I.pdf
 

Similaire à Host Intrusion Detection like a Boss

Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Network Securities.pptx
Network Securities.pptxNetwork Securities.pptx
Network Securities.pptxatharkaleem2
 
Owasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet OverviewOwasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet Overviewowaspindy
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open SourceMichael Ducy
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 

Similaire à Host Intrusion Detection like a Boss (20)

Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Network Securities.pptx
Network Securities.pptxNetwork Securities.pptx
Network Securities.pptx
 
Owasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet OverviewOwasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet Overview
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 

Dernier

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Dernier (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Host Intrusion Detection like a Boss

  • 1. C:> telnet Host.Intrusion.Detection...like.a.boss HELO Confraria de Segurança de Informação PRESENTATION FROM: André Lima RCPT TO: Confraria@Forum.Picoas WHEN 26 Nov 2014 DATA Boa noite a todos! . QUIT by André Lima, Associate CISSP / ISO27001 / CCNA Security @0x4ndr3 al@integrity.pt https://www.linkedin.com/in/aflima
  • 2. $whois andrelima • Consultant at Integrity S.A. • Associate Certified Information Systems Security Professional (CISSP) • ISO 27001 LA • CCNA Security • CCNP Route • Engenharia Informática @ ISEL 0x4ndr3 al@integrity.pt https://www.linkedin.com/in/aflima
  • 3. $cat agenda.txt • Context • Intro to Samhain • Stealth – how it works • Stealth – installation details • Demo • Precautions • Conclusions • References • Questions
  • 4. $patch -p1 < ../backdoor.c • Writing files – Patching – Adding backdoor user – Crontab – Altering logs – Rootkits – Backdoor service – Trojaned binaries ... Limits? your imagination!
  • 5. But also... • Multi-admins environment
  • 6. $samhain -h • Open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows) • Supports client-server model: configuration + database files • Provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, and detection of rogue SUID executables, etc http://www.la-samhna.de/samhain/
  • 7. • File signatures $samhain -h – Inode + timestamps + owner and group permissions + number of hardlinks + etc • File system SUID/GUID Binaries • Detecting kernel rootkits • Checking for open ports • Log file validation • User ID (Linux Audit Daemon) • ... • Stealth mode!
  • 8. $samhain –h | grep ‘Stealth Mode’ • What does it mean? – obfuscating strings on binaries + logfile + database (XML DB) – configuration can be steganographically hidden in a postscript image file – renaming the HIDS binary (and auxiliary applications) – Not enabled by default but advised: delete man pages folder!
  • 9. $samhain –h | grep ‘Stealth Mode’
  • 10. $samhain –h | grep “Stealth Mode”
  • 11. $samhain –h | grep “Stealth Mode”
  • 12. env X='() { :; }; echo "VULNERABLE DEMO"' bash -c id
  • 14. echo $Precautions Document the stealth name!
  • 15. echo $Precautions $ history -c
  • 19. echo $Conclusions • Be organized – Know your assets • What users are supposed to be on a specific server • What ports must be on • What files (config / executables) must not be altered – Document your stealth configurations • Be very specific about what you’re monitoring (minimize false positives)
  • 20. echo $references • Samhain documentation – http://www.la-samhna.de/samhain/s_documentation.html