The first few days were spent getting accustomed to OGI. We set up our workspace and then started to attack our first big project: understanding how hackers are able to compromise the security of a system and what tools they use. I am in the process of digesting a wonderful (but long!) book about hacking methods called Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses by Ed Skoudis. We are also preparing a Powerpoint presentation on the phases and methods of an attack. I haven't had very much experience in this aspect of Computer Science before, so I'm very intimidated by it, yet still determined. It is unbelievable how many different methods there are to compromise a system. I have learned so much this week. I almost have that "My brain is full!" feeling.
The rough draft of the Powerpoint presentation is finished. It is about 150 slides on methods hackers can use to take control of a system. Due to the nature of the slides, I am reluctant to publish them on my website, as they could easily show someone how to break into a system. I also started a summary paper which lists the name of the tool, its purpose, what OS it runs on, the URL where it is available, and comments about the program. We also set up our computers and partitioned the hard drives with Fedora 2 and Windows XP Professional so that we are able to use most of the tools we have been researching. The Fedora OS seems awkward at first (I don't have a lot of UNIX experience), but I am slowly becoming proficient with it. The most awkward part of Fedora (or Linux for that matter) is the installation of new programs. More often than not, there are errors, such as files which need to be configured or missing dependencies. It can be quite frustrating at times. I noticed that a lot of the URLs for the programs are outdated (Counter Hack was published in 2002), so I will have to find the locations of the new programs. I did install Nmap and Firewalk, as well as Sam Spade. The Nmap and Sam Spade installations are fairly straightforward. Firewalk had a few dependencies that need to be installed first, so I spent a good deal of time trying to find the correct versions of the files (i.e. - libdnet). Cheops has been giving me lots of weird errors, but I think this is due to some external dependencies I am missing. It's going to take a bit of work to hunt down some of these programs, but I am hopeful!
I have spent a lot of time on the Internet this week, trying to find where a good portion of these programs have moved to since 2002. Quite a few of the sites have changed their URLs or completely shut down. Fortunately, even though the sites may have been shut down, there are still versions of the programs available elsewhere on the Internet. I have found a couple of websites that have a variety of different tools, which has helped in the hunt for some of the less common programs. It is interesting to note that the same tools the hackers use are the same tools that administrators use to test the security of their systems and networks. Thus, I have updated the URLs on the slides, as well as the URLs on the summary paper. I decided to download only some of these programs, as there are some tools I have researched that I don't need (for instance, I don't think I will need a war dialer). I'm trying to focus on programs that are used for gaining or maintaining access to another machine. I installed some password crackers and session-hijacking tools, as well as a port scanner. There are so many different programs out there and most of the major programs have multiple useful features, which reduces the number of tools that are necessary to compromise a system. I have also been experimenting with TCPdump, a tool that prints out the headers of TCP packets moving across a network interface. It is interesting to watch the data that travels through ports (80 for HTTP, 5190 for AIM, etc.). I also got Cheops to work after downloading multiple versions of different dependencies, but realized that Nmap and traceroute can do the same thing (Oh well. At least Cheops creates a pretty picture). I'm starting to have a pretty good idea on what types of tools I would need to gain access to another machine. I still have to work out the bugs in the installation of a few more programs.
I managed to install most of the programs on my computer, with the exception of two that seem impossible (Covert TCP and Reverse WWW Shell). Jen and I met with Dr. Feng and reviewed the slides and made some corrections. Aside from rewriting them to be less verbose, we added more information about vulnerability scanners (like Nessus), how some of the network mapping tools work (I used TCPdump on Cheops) and how to counter the ACK storm created by session hijacking. We also added information about how fragmenting packets allows one to slip past the Intrusion Detection System. After the slides were finished, we presented the first half of the material to the people at the Systems Software Lab. The presentation went well, but there were so many slides that we could not present them in their entirety. There is a second part of the presentation scheduled for next week. We also set up the back-end for the Forensix system. It actually took us some time to find a working system that would cooperate and to then install Fedora 2. I have also been doing more investigation into the stack-based buffer overflow attack. There are many resources available on this common technique. The attack can be complex, so I am in the process of analyzing multiple resources so that I may gain a more complete understanding on how the stack-based buffer overflow attack works.
We are STILL not finished with presenting our information about hacking. There are so many different methods and considerations in compromising a system. This week we focused on how to gain access to the target system. We should hopefully be finished with the presentation next week. I have been doing more research on the stack-based buffer overflow attacks and how to protect against them. We have also been struggling with setting up the Forensix system. We started with a fresh install of Fedora 2 on the front end, but we needed to change the kernel to an earlier version. This is easier said than done. I spent a significant amount of time fighting with installing the 2.4.20 version of the Linux kernel. After many unsuccessful attempts, I installed Red Hat version 8 instead. This was much easier to do. We also now have the Forensix files on the front and back ends and we will soon be able to hack.... uhh.... I mean collect data soon. I am anxious to take the material I have been researching and make it more concrete. I now have a more complete understanding on how the system works. We will already know quite a bit of information about the target system (like the IP address and the OS), so we won't need to use a lot of the tools. The picture below is of the small army of interns working at OGI this summer:
We gave the last installment of the presentation on hacking this week. We covered maintaining access and covering tracks (including topics such as rootkits and covert channels). We are finally finished with the presentations and we can begin to utilize the attacks we have learned so much about. We also got the Forensix system up and running (this was very time consuming, as nothing would cooperate). Jen and I have also decided our roles in the research -- I will be the devious hacker, and Jen will try to determine my attacks and note the signatures of the attacks.
I am now reading another book: Exploring Expect, by Don Libes. I am now studying Expect, a program used to control interactive applications. I will use Expect to write a script that uses many different methods of attack to compromise a system. Expect is written in Tcl, a language used for embedding in applications. I am also learning the details on how the Forensix system works. Forensix has a secure backend and a honeypot frontend. When the frontend is attacked, it creates a series of system calls, depending on what flaw in the system the attacker exploited. Each time a system call is made on the frontend, the call is directly logged on the backend and stored in an SQL database on the backend. By analyzing the system calls, one can recreate what occurred on the front end.
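The backend analysis described above, as an added illustration that is not Forensix's own code: constructed system-call records are stored in an in-memory SQL table, each process's call sequence is rebuilt in time order, and a simple signature (a change to uid 0 followed by a shell exec) flags the kind of root-shell activity the research aims to recognize. The record layout, table name and sample values are assumptions for the example.

```python
import sqlite3
from collections import defaultdict

# Constructed sample log in the shape a Forensix-style backend might store:
# (timestamp, pid, parent pid, syscall name, argument string). Not real data.
SAMPLE_CALLS = [
    (1.00, 1201, 1000, "execve", "/usr/bin/vulnprog"),
    (1.05, 1201, 1000, "read",   "fd=0 n=512"),
    (1.09, 1201, 1000, "setuid", "uid=0"),
    (1.10, 1201, 1000, "execve", "/bin/sh"),
    (1.20, 1201, 1000, "write",  "fd=1 n=12"),
    (2.00, 1300, 1000, "execve", "/bin/ls"),
    (2.01, 1300, 1000, "exit",   "status=0"),
]

# Shell binaries whose execution after a privilege change is worth flagging.
SHELLS = {"/bin/sh", "/bin/bash"}


def load_backend(records):
    """Store the forwarded calls in an SQL table, mirroring the backend database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE syscalls (ts REAL, pid INT, ppid INT, name TEXT, args TEXT)")
    db.executemany("INSERT INTO syscalls VALUES (?, ?, ?, ?, ?)", records)
    return db


def reconstruct(db):
    """Rebuild each frontend process's ordered call sequence from the table."""
    timeline = defaultdict(list)
    query = "SELECT ts, pid, ppid, name, args FROM syscalls ORDER BY ts"
    for ts, pid, ppid, name, args in db.execute(query):
        timeline[pid].append((ts, name, args))
    return dict(timeline)


def find_root_shells(timeline):
    """Return (pid, ts, path) for processes that exec a shell after becoming uid 0."""
    hits = []
    for pid, calls in timeline.items():
        became_root = False
        for ts, name, args in calls:
            if name == "setuid" and args == "uid=0":
                became_root = True
            elif name == "execve" and became_root and args in SHELLS:
                hits.append((pid, ts, args))
    return hits


if __name__ == "__main__":
    print(find_root_shells(reconstruct(load_backend(SAMPLE_CALLS))))
```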
This week was a short one due to the SySL beach trip and my sister coming to visit. I finished the book on Expect. I'm now working on writing scripts that automate some of the attacks. I also spent some time attempting to use stack smashing to spawn a root shell. Unfortunately, the program WILL spawn a shell but I am having a hard time finding a program to use the exploit with. Since the attack is so old, I'm willing to speculate that most programs now are able to defend against stack smashing (I had NO luck trying to use the exploit on Xterm).
I spent more time this week trying to smash some stacks. I did more research on stack smashing. Again, I had no luck. I changed the kernel to an older version (time consuming, but this time I was successful), and I noticed that I got different results when I used an unpatched kernel. I was able to successfully get the mremap local exploit to spawn a root shell. Yay!
On Monday, I finished up all of my research. We boarded the plane for San Diego on Tuesday. The rest of the week was spent at the USENIX conference, attending the sessions. One of the most interesting presentations (and most relevant to our research) was by Gary McGraw, entitled Exploiting Software. He pointed out how software engineers aren't taught how to write secure software.