Malicious System Administration “if you want to backup your files, use the ‘rm’ utility to mark which files…” 

Attack and Defense —  Use their computers without them knowing —  Use your computers without anyone else using it 

Usual scenario for A/D CTF Anonymity cloud Your computer The Other Guys Scoring System Need this traffic Don’t want this 

Without anonymity, this is simple —  Block traffic from anyone not scoring system, problem solved —  Generally you have to be permissive and allow traffic from the entire game world —  If you can classify “good” from “bad” at the network level… 

Defense 

Situational awareness —  How do you know if someone else is using your computer? —  This depends on how much the person using your computer cares —  This also depends on how much you can “see” or are permitted to see 

Situational awareness: taps —  If you’re using a computer, doing nothing on the network, and yet it’s talking to the network, you might be owned —  For CTFs this can be a problem because you need to be able to put the system into a quiescent state —  This could mean shutting down the ability to make points off of a service poll, which could be bad if done for too long 

Monitoring —  Exactly what can be monitored depends on the system and how much control you have —  As a user, you are limited to what system services will tell you —  UNIX-style wtmp logs recording login/logout accessible via ‘w’ —  When someone pops a shell, they don’t log in —  Process listings via ‘ps’ —  If someone backdoors your ‘ps’ binary, you have problems —  Information in some kind of procfs (if your platform has it) —  Or inotify, if your platform supports it —  netstat 

Monitoring —  The operating system kernel brokers access to system resources —  Tracking global file or network activity needs kernel cooperation —  Dumping all packets coming in our with wireshark/ tcpdump —  Problem: discerning good from bad? —  Sometimes you can create honest signatures for vulnerabilities that you have identified 

Monitoring —  Continuously dump the active process list —  Look for things you haven’t seen before —  Things to consider: on your platform, how can you have a thread running code? —  Sometimes they need their own PID, sometimes not —  Could an attacker inject a thread into a process that you trust? —  Maybe you can get more information about programs internal state —  What is heap size —  What is memory map 

Monitoring —  Your programs will crash when other teams try to exploit them and fail because they haven’t perfected the exploit yet —  This is a great opportunity to capture another teams exploit! —  Pros have capture frameworks where they correlate socket information and time of crash to a packet capture —  Extract failed exploit, identify bug, fix it up, and turn it around on other teams before the failed exploit team fixes their own exploit 

Monitoring the network —  Unbackdoored netstat will tell you about what programs are connecting to what remote hosts —  Long-lived connections would be weird —  Or would they? Ask your reverse engineers if challenge binaries should have long running connections 

Case study: DEFCON —  DEFCON network conceals source addresses —  Some clever people did profiling of the IP headers received by their game systems —  Discovered a difference between scoring system traffic and contestant system traffic —  Implemented a classification algorithm and used this to guide all contestant system traffic to a honeypot 

Fine grain process monitoring —  Consider running every challenge binary on your system under gdb with break-prints on calls to ‘open’ —  If you see programs opening files they normally don’t… problems? —  This isn’t perfect —  Attacker – how would you evade detection by this scheme? —  When present, facilities like inotify  can help identify changes to the filesystem in near real time 

Monitoring summary - awareness —  Process activity —  Process launch / death —  Process memory maps —  Network activity —  What processes are connecting to what hosts for how long —  File activity —  Use gdb to get into processes —  Periodically re-scan the system for changes using some tools you write 

Attack 

Remember every defensive trick —  When using Other People’s Computers, they will be trying to find you the same way that you find people using your computers —  Generally, speed is good —  Persistent access is also very good (how long until they patch the bug) 

Persistence —  How to get persistent access to Other People’s Computers? —  Where can you write text on the filesystem that turns into programs running at some later point? —  Example: crontab , bashrc —  Another example: cat your own key into their authorized_keys —  Do you always need this? —  Find some long-running process and put something there in memory-only using some handy tool you wrote previously 

Hiding —  Making new processes is noisy and potentially detectable —  Back-dooring system binaries seems like it would be appropriately devious but the other guys could have file-integrity tools that tells them when you do this —  Or they might not? Maybe you should have those tools too… —  Just take everything you can think of to defend, and invert it 

Conclusion —  Be evil