I. dynamic analysis tools

A. two purposes

------------------------------------------
TWO KINDS OF DYNAMIC ANALYSIS TOOLS

1. For vulnerability analysis
   code implementation problems

   attempts to find:
   - XSS
   - buffer overruns
   - format strings
   - integer overflow
   - command injection
   - information leakage
   - poor usability
   - too much privilege
   - failure to protect stored data
   - sins of mobile code
   - failing to protect network traffic
   - improper use of PKI and SSL
   - trusting network name resolution

2. For investigating possible malware
   finds information about a program:
   - see registry, file, network, process, and thread activity
   - what DLLs it uses
   - what DNS and network traffic
   - what internet services it uses
------------------------------------------

Will a dynamic vulnerability analysis find design flaws?

Is it possible to miss some behaviors?

Will a tool tell if a program is malware?

II. analysis tools for detecting vulnerabilities

A. goals

------------------------------------------
GOALS OF DYNAMIC CHECKERS (TESTING)

- Find potential vulnerabilities
  (100% precision, no false positives)
  for
- Order warnings by severity
------------------------------------------

1. examples

a. penetration testing

------------------------------------------
PENETRATION TESTING

Hacking to see if a system is vulnerable
- from outside
  - Look for (top N) vulnerabilities
  - scanning tools
- from inside
  - insecure passwords
  - unencrypted communication
  - outdated software
- Social engineering tests

Need PERMISSION from system owner!
------------------------------------------

What can happen if you don't get permission?

i.
ZAP tool

------------------------------------------
EXAMPLE TOOL: OWASP'S ZAP

See https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- free, open source
- only needs Java 7

Quick Start Attack
- finds all web pages beneath a URL
- attacks all of them

Manual-guided attack
- proxy your browser via ZAP

Can be used in continuous integration
------------------------------------------

ii. Metasploit network vulnerability tool

------------------------------------------
NETWORK VULNERABILITY TOOL

Metasploit
See http://www.metasploit.com/
- can find network attacks
- finds attacks and exploits
- finds weak credentials
- can simulate phishing attacks
------------------------------------------

b. web application problems

------------------------------------------
VEGA: TESTING FOR XSS, SQL INJECTION, ETC.

See https://subgraph.com/vega/
- Automated scanner
- Intercepting Proxy
------------------------------------------

c. SQL injection attacks

------------------------------------------
TOOLS FOR FINDING SQL INJECTIONS

w3af: See http://w3af.org/
- Scripting to automate finding vulnerabilities
- Fuzzing engine

SQLMap: See http://sqlmap.org/
------------------------------------------

d. weak password detection

------------------------------------------
TOOLS FOR FINDING PASSWORDS

John the Ripper: http://www.openwall.com/john/
------------------------------------------

e. fuzz testing

------------------------------------------
FUZZ TESTING

Goal: look for error conditions triggered by

Procedure:
1. Generate inputs
   - at random, or
   - using "fuzz vector" of data
     (perhaps with mutation)
2.
Record what inputs lead to
------------------------------------------

------------------------------------------
FUZZ TESTING TECHNIQUES

- Recursive: replacing part of a request with all possible
  e.g., http://www.example.com/8302fa3b
  using all hex digits generates
- Replacive: replacing part of a request with a fixed value
  e.g., using
------------------------------------------

Which do you think works better, random inputs or predefined vectors?

------------------------------------------
WEB SERVICES FUZZ TESTING

OWASP WSFuzzer, for SOAP, see:
https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
- automates SOAP penetration testing

OWASP JBroFuzz, for HTTP or HTTPS, see:
https://www.owasp.org/index.php/JBroFuzz
- generates requests, sends them, records responses
- human guided:
  - selects fuzzers
  - looks at output to see what happened
------------------------------------------

2. practice

------------------------------------------
PRACTICE WEBSITES

For penetration testing
See https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Online
e.g., hackthissite.org
------------------------------------------

III. tools for analysis of potential malware in binaries

A. preparation

------------------------------------------
PREPARATIONS FOR DYNAMIC ANALYSIS

Need a safe environment to
- a virtual machine (VM)
- air-gapped network

Virtual Machines:
- VMware
- VirtualBox
- Parallels
- Microsoft Virtual PC
- Microsoft Hyper-V
- Xen

See http://www.cs.ucf.edu/~leavens/CIS4615/analysis-tools.shtml#dynamic
and chapter 2 of Practical Malware Analysis
for setting up your own VM
------------------------------------------

What problems could using a VM cause?
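The fuzz testing procedure and the recursive/replacive techniques above, as an added Python example that is not from these notes or from any of the tools named: `toy_handler` is a constructed stand-in for the endpoint under test, and the recursive run over two hex digits turns up a failure that a fixed vector list would miss.

```python
import itertools
import random
import string

HEX = "0123456789abcdef"

def recursive_inputs(template, slot, width):
    """Recursive fuzzing: every width-digit hex value in the slot (16**width requests)."""
    for digits in itertools.product(HEX, repeat=width):
        yield template.replace(slot, "".join(digits))

def replacive_inputs(template, slot, vectors):
    """Replacive fuzzing: each entry of a fixed fuzz-vector list in the slot."""
    for vector in vectors:
        yield template.replace(slot, vector)

def mutate(value, rng, rounds=3):
    """Mutation: insert, delete or overwrite one character per round."""
    chars = list(value)
    for _ in range(rounds):
        op = rng.choice(("insert", "delete", "overwrite")) if chars else "insert"
        if op == "insert":
            chars.insert(rng.randrange(len(chars) + 1), rng.choice(string.printable))
        elif op == "delete":
            del chars[rng.randrange(len(chars))]
        else:
            chars[rng.randrange(len(chars))] = rng.choice(string.printable)
    return "".join(chars)

def mutated_inputs(template, slot, seed_value, count, seed=0):
    """Mutated variants of a seed value; a fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    return [template.replace(slot, mutate(seed_value, rng)) for _ in range(count)]

def fuzz_run(handler, inputs):
    """Step 2 of the procedure: record which inputs made the handler fail, and how."""
    failures = {}
    for request in inputs:
        try:
            handler(request)
        except Exception as exc:   # any unhandled exception is an error condition worth noting
            failures[request] = type(exc).__name__
    return failures

def toy_handler(url):
    """Constructed stand-in for the endpoint under test; its failure modes are deliberate."""
    token = url.rsplit("/", 1)[-1]
    if len(token) > 8:
        raise OverflowError("token longer than the 8-byte buffer")
    if not token:
        raise KeyError("missing token")
    1 / (int(token, 16) % 0x100)   # ValueError if not hex; ZeroDivisionError if it ends in "00"
```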
------------------------------------------
TIPS FOR VMWARE

- make clones and snapshots
- connect the network
  VM > Settings > Hardware
  in Network Adapter, use NAT
- download your favorite browser first
  OR make a shared directory with host
  VM > Settings > Options
  in Shared Folders
------------------------------------------

B. Running DLLs

------------------------------------------
RUNNING DLLs

To run a Dynamic Link Library (DLL) do

    rundll32.exe DLLname,ExportName args

where ExportName is the name of an entry point
(use PEview or PE Explorer to find)
------------------------------------------

C. dynamic analysis tools

1. sandboxes

a. Threat Analyzer (GFI) Sandbox

------------------------------------------
THREAT ANALYZER SANDBOX

See http://www.threattracksecurity.com/enterprise-security/malware-analysis-sandbox-tools.aspx

Attempts to automate malware analysis

Advantages:
- quick results
- automates much of the work

Drawbacks:
- doesn't use command line options
- doesn't get network inputs
------------------------------------------

2. procmon

------------------------------------------
PROCMON

Process Monitor
See https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Monitors:
- file system
- registry
- processes/threads
- stacks

Principles:
- records a set of events
  and shows a filtered subset of them
  - by default includes all events
  - shows you all events in your filter
    - include filters
    - exclude filters subtract from view
- can save events to a file, then analyze later using
- can erase before starting a trace
- best to use a backing file
  so it doesn't die when too many events happen
------------------------------------------

------------------------------------------
PROCMON DEMO

- start procmon
- from the Options > "Column Selection" menu
  add the "Command Line" column
  maybe reorder the columns (drag with mouse)
- Select the autoscroll option button
- show only file events (top, file cabinet)

1. Start a cygwin terminal, see all the file events
2.
Switch to having procmon show registry events
3. Note the time
4. In the terminal window do
       touch junk
   see the registry events happening
5. Switch to showing file events
   turn off autoscroll and go back to see the file events
   (or use find)
6. Switch to showing network and then thread activity
7. Back to file activity,
   filter for operations containing File, then Directory
8. Show Tools > "File Summary..." and Tools > "Registry Summary..."
9. Show how to save a file and open it
------------------------------------------

What does it mean if you aren't seeing any events?

What should you do if you aren't seeing events?
  change the filter! They are already there!

3. process explorer

------------------------------------------
PROCESS EXPLORER

Part of the Windows sysinternals suite
See https://technet.microsoft.com/en-us/sysinternals

Lists:
  active processes
  DLLs loaded by processes

Principles:
- gives instantaneous view of processes and their properties

Look for:
  new processes
  changed binaries (verify button)
  compare strings in executable (memory) vs. strings on disk (image)
  processes launched by opening documents
------------------------------------------

Q: What is a process in Windows?

What is a thread?

What does it tell you if there are new processes?

What does it tell you if some of the binaries are not genuine?

What does it tell you if the strings change?

------------------------------------------
PROCESS EXPLORER DEMO

- Use View > "Select Columns" to add
  "Command Line", "Company Name", and "Verified Signer"
- start cygwin terminal
- run
      echo hi | cat
- double click on "bash.exe", open image tab
- press the verify button
- open the strings tab
- compare strings in image and memory
- right click on bash and select "depends..."
------------------------------------------

4.
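Procmon's include/exclude filtering and the File/Registry Summary from the demo, as an added Python example that is not part of these notes or of Sysinternals: it reads a constructed CSV in the layout of a Procmon export (with the "Command Line" column added), and the rule-combination and case-insensitive matching are this example's assumptions, stated in the comments.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of a Procmon CSV export (File > Save..., CSV),
# with the optional "Command Line" column added via Options > Column Selection.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Command Line"
"10:01:02.10","bash.exe","4120","CreateFile","C:\\cygwin64\\home\\u\\junk","SUCCESS","Desired Access: Generic Write","bash.exe --login"
"10:01:02.11","bash.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\Cygwin","NAME NOT FOUND","","bash.exe --login"
"10:01:02.12","bash.exe","4120","QueryDirectory","C:\\cygwin64\\home\\u","SUCCESS","","bash.exe --login"
"10:01:02.13","explorer.exe","1204","CreateFile","C:\\Windows\\explorer.exe","SUCCESS","","C:\\Windows\\Explorer.EXE"
"10:01:02.14","bash.exe","4120","TCP Connect","10.0.0.5:49152 -> 10.0.0.9:445","SUCCESS","","bash.exe --login"
"10:01:02.15","bash.exe","4120","Thread Create","","SUCCESS","Thread ID: 5012","bash.exe --login"
"""

def parse_procmon_csv(text):
    """One dict per event, keyed by the export's column headers."""
    return list(csv.DictReader(io.StringIO(text)))

# The relations from Procmon's Filter dialog that this example supports.
RELATIONS = {"is": lambda field, value: field == value,
             "contains": lambda field, value: value in field,
             "begins with": lambda field, value: field.startswith(value)}

def matches(row, column, relation, value):
    """Procmon matches case-insensitively, so both sides are lower-cased (assumption)."""
    return RELATIONS[relation](row.get(column, "").lower(), value.lower())

def apply_filters(rows, filters):
    """filters: (column, relation, value, action) tuples, action "include" or "exclude".
    Assumed to combine as Procmon does: include rules on one column are ORed, include
    rules on different columns are ANDed, and a matching exclude rule always drops the event."""
    includes, excludes = {}, []
    for column, relation, value, action in filters:
        rule = (column, relation, value)
        (includes.setdefault(column, []) if action == "include" else excludes).append(rule)
    kept = []
    for row in rows:
        if any(matches(row, *rule) for rule in excludes):
            continue
        if all(any(matches(row, *rule) for rule in rules) for rules in includes.values()):
            kept.append(row)
    return kept

def path_summary(rows):
    """Like Tools > File Summary / Registry Summary: event count per path."""
    return Counter(row["Path"] for row in rows if row["Path"])

if __name__ == "__main__":
    demo = [("Operation", "contains", "File", "include"), ("Operation", "contains", "Directory", "include")]
    for event in apply_filters(parse_procmon_csv(SAMPLE_CSV), demo):
        print(event["Process Name"], event["Operation"], event["Path"])
```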
Dependency Walker

------------------------------------------
DEPENDENCY WALKER

Can be launched from Process Explorer

Process Explorer can also search for DLLs

Demo:
- launch from process explorer on bash.exe
- Show full paths using "C:\" button
------------------------------------------

Why would you want to look for a DLL in a process?

5. Registry Snapshots with Regshot

------------------------------------------
COMPARING REGISTRY SNAPSHOTS WITH REGSHOT

Idea: take a snapshot of the registry
- at beginning of program execution
- later during execution
then see what changed
------------------------------------------

6. faking a network

------------------------------------------
FAKING A NETWORK

Why?
- see what program does on the net
- intercept (and turn on) network control
------------------------------------------

Why not just turn off the network?

Why not use the real network?

a. ApateDNS

------------------------------------------
APATEDNS

Spoofs DNS responses
you specify the response
See mandiant.com/products/research/mandiant_apatedns/download

Can redirect to local host or fake internet
------------------------------------------

b. Netcat

------------------------------------------
NETCAT

Used for:
  port scanning, tunneling, proxying, port forwarding, etc.
------------------------------------------

c. Wireshark

------------------------------------------
WIRESHARK

Used for sniffing
  packet capture
  logging
------------------------------------------

d. INetSim

------------------------------------------
INETSIM

Linux-based simulation of network services
Need to install in a Linux VM

Emulates lots of services
records:
- inbound requests
- connections

Have to run in Linux
------------------------------------------

D. usage recipe

------------------------------------------
START WITH BASIC STATIC ANALYSIS

0. get the sample into the VM's directories
1. Enable network (NAT interface).
2. Upload to virustotal.com
   - get MD5 and results
3.
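A minimal ApateDNS-style DNS sink for the isolated analysis VM, as an added Python example that is not ApateDNS's own code: it answers every A query with the address you choose (local host or your fake-internet box) and logs which names the sample looks up; `build_query` exists only to construct test input, and all function names are this example's own.

```python
import socket
import struct

def build_query(txid, name, qtype=1):
    """Build a standard recursive query (used here to construct test input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_query(packet):
    """Return (transaction id, queried name, qtype, offset just past the question)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question packets are handled")
    labels, pos = [], 12
    while packet[pos] != 0:            # length-prefixed labels, terminated by a zero byte
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return txid, ".".join(labels), qtype, pos + 5

def build_response(query, answer_ip, ttl=60):
    """Answer every A query with answer_ip; other types get an empty NOERROR reply."""
    txid, _name, qtype, qend = parse_query(query)
    answer, ancount = b"", 0
    if qtype == 1:  # A record: pointer to the name at offset 12, type, class, TTL, 4-byte address
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    return header + query[12:qend] + answer

def serve(bind_ip, answer_ip, port=53):
    """UDP loop for the analysis VM: log every name the sample asks for and redirect it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))         # port 53 needs administrator rights
    while True:
        data, client = sock.recvfrom(512)
        try:
            _txid, name, qtype, _end = parse_query(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue                   # malformed packet: ignore rather than crash the sink
        print(f"{client[0]} asked for {name} (type {qtype}) -> {answer_ip}")
        sock.sendto(build_response(data, answer_ip), client)

if __name__ == "__main__":
    serve("0.0.0.0", "127.0.0.1")      # point the VM's DNS server setting at this host
```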
Get information from PEView
   - when compiled
   - how to start it (for a DLL)?
4. Use strings & PEiD to see if packed
   - is it a .NET program or a PE file?
   - what entropy?
5. Use dependency walker to see DLLs used
   - is it directly calling low level DLLs?
   - Does it do networking?
   - Can it change the registry?
   - Does it use mutexes?

Questions to answer:
- Does it look like malware?
  - known?
  - cryptic strings?
  - packed?
------------------------------------------

------------------------------------------
USE OF BASIC DYNAMIC TOOLS

0. Isolate the VM instance
   - Make sure you have a backup/clone!
   - Turn off network (use VMnet0)
   - Disable file shares
1. Start the process explorer
2. Run procmon
   - enable file and registry tracking
   - Command Line filter to look for the executable name
3. Set up virtual network
   - start Linux to run INetSim
   - Edit Menu > Virtual Network Editor
   - run ApateDNS in guest OS
4. Log network traffic using wireshark
5. Take a snapshot of the registry (regshot)
6. Start running it
   - You don't need to authorize it...

Questions to answer:
- Does it write files/mutexes? especially
- Does it change the registry? especially
- Does it send information on the network?
------------------------------------------

E. practice

------------------------------------------
PRACTICE

Try the Labs for chapter 3
- What imports and strings?
- Is it packed?
- What host-based indicators are there?
- Are there any network signatures?
------------------------------------------
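The static checks in the recipe (MD5 for the VirusTotal lookup, entropy as a packing signal, strings, what the imports say), as an added Python example not taken from these notes or from the tools named: the 7.0 bits/byte threshold and the DLL/API hint lists are this example's own assumptions, and the `imports` dict stands in for what Dependency Walker or PEview shows you.

```python
import hashlib
import math
import re
from collections import Counter

def md5_hex(data):
    """The hash you look up on virustotal.com."""
    return hashlib.md5(data).hexdigest()

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data, threshold=7.0):
    """Rule of thumb (this example's assumption, not a statement from the notes):
    compressed or encrypted code scores above ~7 bits/byte, plain code and text below."""
    return shannon_entropy(data) > threshold

def extract_strings(data, min_len=4):
    """What the strings tool prints: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Hints for the dependency-walker questions: DLL names and API names worth noticing.
CAPABILITY_HINTS = {
    "networking": {"ws2_32.dll", "wininet.dll", "winhttp.dll"},
    "registry": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "mutex": {"CreateMutexA", "CreateMutexW"},
    "low-level": {"ntdll.dll"},
}

def capabilities(imports):
    """imports: lower-cased DLL name -> imported function names, as Dependency Walker shows."""
    names = set(imports) | {f for funcs in imports.values() for f in funcs}
    return {cap: sorted(names & hints) for cap, hints in CAPABILITY_HINTS.items()}

def triage(data, imports):
    """Answers for the 'does it look like malware?' checklist: hash, packing, URLs, capabilities."""
    urls = [s for s in extract_strings(data) if "http://" in s or "https://" in s]
    return {"md5": md5_hex(data), "entropy": round(shannon_entropy(data), 2),
            "packed": looks_packed(data), "urls": urls, "capabilities": capabilities(imports)}

if __name__ == "__main__":
    # Constructed bytes: a DOS-stub-like header, a URL, then a high-entropy blob.
    sample = b"MZ\x90\x00This program cannot be run in DOS mode.\x00http://example.test/update\x00" + bytes(range(256)) * 8
    print(triage(sample, {"kernel32.dll": ["CreateMutexA"], "ws2_32.dll": ["connect"]}))
```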