Host Intrusion Detection like a Boss
C:> telnet Host.Intrusion.Detection...like.a.boss 
HELO Confraria de Segurança de Informação 
PRESENTATION FROM: André Lima 
RCPT TO: Confraria@Forum.Picoas 
WHEN 26 Nov 2014 
DATA 
Good evening, everyone! 
. 
QUIT 
by André Lima, 
Associate CISSP / ISO27001 / CCNA Security 
@0x4ndr3 
al@integrity.pt 
https://www.linkedin.com/in/aflima
$whois andrelima 
• Consultant at Integrity S.A. 
• Associate Certified Information Systems Security Professional 
(CISSP) 
• ISO 27001 LA 
• CCNA Security 
• CCNP Route 
• Computer Engineering (Engenharia Informática) @ ISEL 
$cat agenda.txt 
• Context 
• Intro to Samhain 
• Stealth – how it works 
• Stealth – installation details 
• Demo 
• Precautions 
• Conclusions 
• References 
• Questions
$patch -p1 < ../backdoor.c 
• Writing files: what an intruder leaves behind on a compromised host 
– Patching 
– Adding a backdoor user 
– Crontab entries 
– Altering logs 
– Rootkits 
– Backdoor service 
– Trojaned binaries 
... Limits? Your imagination!
But also... 
• Multi-admin environments (changes are not only made by intruders; you also need to know what your own administrators changed)
$samhain -h 
• Open-source, multiplatform host intrusion detection system for POSIX systems (Unix, 
Linux, Cygwin/Windows) 
• Supports a client/server model: the server holds the clients' configuration and 
baseline database files 
• Provides file integrity checking and log file monitoring/analysis, as 
well as rootkit detection, port monitoring, detection of rogue 
SUID executables, etc. 
http://www.la-samhna.de/samhain/
$samhain -h 
• File signatures 
– Inode + timestamps + owner, group and permissions + number of 
hard links + etc. 
• SUID/SGID binaries on the file system 
• Kernel rootkit detection 
• Open-port check 
• Log file validation 
• Attribution of a change to a user ID (via the Linux Audit Daemon) 
• ... 
• Stealth mode!
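The signature-based check the slide describes, as an added example (not Samhain's code and not from the presentation): a minimal Python baseline/check that records the listed attributes plus a SHA-256 digest for every file in a constructed temporary tree, then tampers with that tree the way the "writing files" slide describes (backdoor user appended with the mtime put back, an extra hard link, a SUID bit, a deleted file) and reports what changed. All paths and file contents are constructed for the demo.

```python
"""Minimal file-integrity baseline and check, in the spirit of the slide above.

Added example for this write-up; it is not Samhain's code. Each file gets a
signature made of the attributes the slide lists (inode, size, mtime, ctime,
owner, group, mode, hard-link count) plus a SHA-256 digest. A later check
reports added, removed and modified paths, names the attributes that changed,
and flags SUID/SGID files. The monitored tree is a constructed temp directory.
"""
import hashlib
import os
import shutil
import stat
import tempfile

SIG_FIELDS = ("inode", "size", "mtime_ns", "ctime_ns",
              "uid", "gid", "mode", "nlink", "sha256")


def file_signature(path):
    """Metadata the slide lists plus a content hash; lstat so symlinks are not followed."""
    st = os.lstat(path)
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"inode": st.st_ino, "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns,
            "uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "nlink": st.st_nlink,
            "sha256": digest}


def build_baseline(root):
    """Return {relative path: signature} for every file below root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_signature(full)
    return baseline


def check(root, baseline):
    """Compare the tree against the baseline; also list SUID/SGID files present now."""
    current = build_baseline(root)
    findings = {"added": [], "removed": [], "modified": {}, "suid": []}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            findings["added"].append(rel)
        elif rel not in current:
            findings["removed"].append(rel)
        else:
            changed = [f for f in SIG_FIELDS if baseline[rel][f] != current[rel][f]]
            if changed:
                findings["modified"][rel] = changed
    for rel, sig in sorted(current.items()):
        if sig["mode"] & (stat.S_ISUID | stat.S_ISGID):
            findings["suid"].append(rel)
    return findings


def demo():
    """Constructed scenario: baseline a small tree, tamper with it the way the
    'writing files' slide describes, then run the check."""
    root = tempfile.mkdtemp(prefix="hids-demo-")
    try:
        for rel, data in {"etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
                          "etc/crontab": b"# m h dom mon dow user command\n",
                          "etc/issue": b"Welcome\n",
                          "bin/helper": b"#!/bin/sh\necho helper\n"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Backdoor user appended, then mtime put back (timestomping): size and hash still differ.
        passwd = os.path.join(root, "etc", "passwd")
        before = os.lstat(passwd)
        with open(passwd, "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/bash\n")
        os.utime(passwd, ns=(before.st_atime_ns, before.st_mtime_ns))
        # Second hard link to the crontab: a new path appears and the link count changes.
        os.link(os.path.join(root, "etc", "crontab"), os.path.join(root, "etc", ".cron.bak"))
        # Helper made SUID (rogue SUID / trojaned binary); plain 755 if the FS refuses the bit.
        helper = os.path.join(root, "bin", "helper")
        try:
            os.chmod(helper, 0o4755)
        except OSError:
            os.chmod(helper, 0o755)
        suid_applied = bool(os.lstat(helper).st_mode & stat.S_ISUID)
        os.remove(os.path.join(root, "etc", "issue"))  # a file deleted outright
        return {"findings": check(root, baseline), "suid_applied": suid_applied}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo()["findings"].items():
        print(kind, items)
```

The timestomping step is why a HIDS keeps more than mtime: an intruder can restore mtime with `touch -r`, but the size, the digest and (on most filesystems) the ctime still betray the edit; likewise the hard-link count catches a second name for a monitored file even when the file itself is untouched.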
$samhain -h | grep 'Stealth Mode' 
• What does it mean? 
– strings in the binaries, the log file and the database (XML 
DB) are obfuscated 
– the configuration can be steganographically hidden in a 
PostScript image file 
– the HIDS binary (and its auxiliary programs) are renamed 
– Not done by default but advised: delete the man pages 
folder, otherwise the documentation gives the tool away!
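How a configuration can be steganographically hidden in an image, as an added example (not Samhain's code and not from the presentation). The slide only states that Samhain can hide the configuration in a PostScript image; the exact embedding its tooling uses is not described on the page, so this shows the generic technique: least-significant-bit embedding into raw 8-bit grayscale pixel data, one payload bit per pixel after a 4-byte length prefix. The cover image (a gradient) and the samhainrc-like fragment are constructed for the demo.

```python
"""Hiding a HIDS configuration in the least-significant bits of an image.

Added example for this write-up, not Samhain's code. The slide only says the
configuration "can be steganographically hidden in a postscript image file";
the embedding Samhain's own tooling uses is not described on the page, so
this shows the generic idea with LSB embedding into raw 8-bit grayscale pixel
data: one payload bit per pixel, after a 4-byte big-endian length prefix.
"""
import re
import struct


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write len(payload) and payload into the low bit of successive cover bytes."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(data) * 8, len(cover)))
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):  # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Reverse of embed(); raises ValueError when the length prefix cannot fit."""
    def read(offset, n):
        buf = bytearray()
        for k in range(n):
            v = 0
            for j in range(8):
                v = (v << 1) | (stego[offset + k * 8 + j] & 1)
            buf.append(v)
        return bytes(buf)
    if len(stego) < 32:
        raise ValueError("too small to carry a length prefix")
    (length,) = struct.unpack(">I", read(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix does not fit: not a stego image?")
    return read(32, length)


def printable_strings(blob: bytes, min_len: int = 4):
    """Rough strings(1) equivalent: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Constructed samples: a 64x64 grayscale gradient stands in for the cover
# image, and a samhainrc-like fragment stands in for the configuration.
COVER = bytes((x + y) % 256 for y in range(64) for x in range(64))
SAMPLE_CONFIG = (b"[ReadOnly]\nfile=/etc/passwd\nfile=/etc/shadow\n"
                 b"[LogFiles]\nfile=/var/log/auth.log\n")


def demo():
    stego = embed(COVER, SAMPLE_CONFIG)
    return {
        "stego": stego,
        "recovered": extract(stego),
        # Each pixel moves by at most 1 out of 255: invisible to the eye.
        "max_pixel_change": max(abs(a - b) for a, b in zip(COVER, stego)),
        # grep/strings on the image no longer reveals which paths are monitored.
        "leaks_paths": any("file=/etc/" in s for s in printable_strings(stego)),
    }


if __name__ == "__main__":
    r = demo()
    print("recovered ok:", r["recovered"] == SAMPLE_CONFIG)
    print("max pixel change:", r["max_pixel_change"], "paths visible:", r["leaks_paths"])
```

Two caveats a practitioner should keep in mind: this is hiding, not encryption, so anyone who suspects the image and knows the scheme recovers the configuration in seconds (the point, as with the rest of stealth mode, is not to tip off an intruder who is casually grepping the filesystem for a HIDS); and the carrier must stay lossless, since re-encoding or compressing the image destroys the low bits and with them the payload.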
Demo: the Shellshock test string (CVE-2014-6271). On a vulnerable bash the function definition smuggled in through the environment variable is executed, so "VULNERABLE DEMO" is printed before id runs: 
env X='() { :; }; echo "VULNERABLE DEMO"' bash -c id
Take some precautions! 
echo $Precautions 
• Document the stealth name! (a renamed HIDS nobody remembers is a HIDS nobody maintains) 
• $ history -c (clear the shell history after installing, so the stealth name and install paths do not stay in the history) 
echo $Conclusions 
• Be organized 
– Know your assets 
• Which users are supposed to exist on a given server 
• Which ports must be open 
• Which files (config / executables) must never change 
– Document your stealth configurations 
• Be very specific about what you monitor 
(minimize false positives)
echo $references 
• Samhain documentation 
– http://www.la-samhna.de/samhain/s_documentation.html
$read Questions
