Overview:
In this article, we will look at the most common ways attackers cover their tracks: on the network, on Windows, and on Linux/Unix. We start with how tracks are covered on the network. Note that this article describes the methods and, briefly, how an attacker uses them; it does not go into the full technical detail of each technique.
Covering Tracks on the network
In this section, we will learn how network traces can be covered. The techniques fall into the following categories:
Using Reverse HTTP Shells:
In this technique, the attacker installs a reverse HTTP shell on the victim’s computer. The shell is programmed to poll an external controller (the attacker’s server) for commands at regular intervals. To an organization’s perimeter security devices, such as a firewall, this looks like ordinary outbound web browsing, because outbound port 80 is usually allowed.
When the reverse HTTP shell checks in, the attacker answers the request with commands, which the shell then executes locally on the victim. Network devices see only an HTTP request and response. The results of the commands are carried back in the next web request. Such shells can also be programmed to satisfy any static authentication required by perimeter devices (for instance, fixed web proxy credentials). The scheduled check-in is itself a detection opportunity: the requests recur at a near-constant interval, unlike human browsing.
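The polling behaviour described above can be spotted from the defender’s side by measuring how regular a client’s requests to a given host are. The following is an added example (not code from the original article); the proxy log format is a constructed, simplified “epoch client method url” layout, and the sample lines and the jitter threshold are assumptions to adapt to a real proxy’s log format and baseline.

```python
"""Flag periodic HTTP polling (beaconing) in proxy logs.

Added example, not from the original article. The log format below is a
constructed, simplified proxy format: "<epoch> <client_ip> <method> <url>".
Real proxies differ; adapt parse_log() accordingly.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls one path every ~60 s (a reverse HTTP
# shell checking in); 10.0.0.9 browses normally with irregular timing.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://203.0.113.10/update.php
1700000060 10.0.0.5 GET http://203.0.113.10/update.php
1700000121 10.0.0.5 GET http://203.0.113.10/update.php
1700000180 10.0.0.5 GET http://203.0.113.10/update.php
1700000240 10.0.0.5 GET http://203.0.113.10/update.php
1700000301 10.0.0.5 GET http://203.0.113.10/update.php
1700000012 10.0.0.9 GET http://example.com/
1700000013 10.0.0.9 GET http://example.com/style.css
1700000250 10.0.0.9 GET http://example.com/news
1700000251 10.0.0.9 GET http://example.com/img/logo.png
1700000900 10.0.0.9 GET http://example.com/about
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        host = url.split("//", 1)[-1].split("/", 1)[0]
        yield int(ts), client, host


def find_beacons(text, min_requests=5, max_jitter=0.1):
    """Return {(client, host): mean_interval_seconds} for client/host pairs
    whose request spacing is nearly constant.

    A pair is reported when it has at least min_requests requests and the
    coefficient of variation (stdev / mean) of the gaps is <= max_jitter.
    Human browsing is bursty and fails this test; a scheduled check-in passes.
    """
    buckets = defaultdict(list)
    for ts, client, host in parse_log(text):
        buckets[(client, host)].append(ts)

    beacons = {}
    for key, times in buckets.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: polls roughly every {interval:.0f} s")
```

A real beacon will often add random sleep (jitter) to defeat exactly this check, so in practice the threshold is tuned per environment and combined with other signals such as a fixed URL path, a constant request size, or a rare destination.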
Using ICMP tunnels
Because reverse HTTP shells are so common, some organizations inspect what leaves their network in response to a client GET request, and some inspect what comes back in the response, where the attacker’s commands are likely to be detected. An alternative is to carry the traffic over a covert channel built from ICMP packets. This often succeeds because organizations block incoming ICMP but forget to restrict outgoing ICMP. Because of this configuration, the attacker uses ICMP packets to transmit TCP data.
The tunnel client on the victim takes the TCP payload, encapsulates it in the data section of an ICMP ECHO packet, and sends it to a proxy server the attacker controls. The proxy de-encapsulates the packet, extracts the TCP payload and forwards it to the attacker’s service; replies come back the same way inside ECHO replies. To network devices it looks like ordinary ping traffic. The size and content of the echo payload are the useful checks: normal ping data is small and follows a fixed fill pattern, whereas tunneled traffic does not.
Various tools are available for this. Some of them are listed below:
- Ptunnel
- Loki
- ICMPShell
- PingChat
- ICMPCmd
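To make the encapsulation concrete, here is an added example (not taken from the article or from any of the tools listed) that builds an ICMP Echo Request carrying an arbitrary payload, parses it back, and applies the payload-size and fill-pattern heuristic a defender would use. The header is assembled by hand so it runs offline without raw sockets; the “normal ping” length threshold and fill patterns are assumptions about the standard ping tools and should be checked against the network’s own baseline.

```python
"""Encapsulate a payload in an ICMP Echo Request and flag it as a tunnel.

Added example, not from the article or from any ICMP tunnelling tool.
No sockets are used: the ICMP header is built with struct so the packet
layout can be inspected offline.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Fill patterns used by common ping implementations (assumption: check your
# own captures). Windows ping sends 32 bytes of the alphabet; iputils ping
# sends a timestamp (8 or 16 bytes) followed by 0x10, 0x11, 0x12, ...
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Return an ICMP Echo Request whose data section is `payload`
    (for a tunnel, the TCP segment the client wants to smuggle out)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Verify the checksum and return (type, ident, seq, payload)."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:  # a valid packet sums to zero
        raise ValueError("bad ICMP checksum")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return typ, ident, seq, packet[8:]


def _is_iputils_fill(data: bytes) -> bool:
    """True if data is <timestamp><0x10 0x11 ...> as iputils ping sends it."""
    for ts_len in (8, 16):
        tail = data[ts_len:]
        if len(data) >= ts_len and tail and \
                tail == bytes((0x10 + i) & 0xFF for i in range(len(tail))):
            return True
    return False


def looks_like_tunnel(packet: bytes, max_normal_len: int = 64) -> bool:
    """Heuristic: echo data that is unusually large, or that does not match
    a standard ping fill pattern, deserves inspection. Thresholds are an
    assumption; tune them to the environment."""
    typ, _ident, _seq, data = parse_echo(packet)
    if typ not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return False
    if len(data) > max_normal_len:
        return True
    if data == WINDOWS_FILL or _is_iputils_fill(data):
        return False
    return True


# Constructed sample inputs.
FAKE_TCP_SEGMENT = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.1\r\nHost: c2.example\r\n\r\n"
LINUX_PING_DATA = b"\x00" * 16 + bytes(range(0x10, 0x10 + 40))  # 56 bytes

if __name__ == "__main__":
    tunnel_pkt = build_echo(FAKE_TCP_SEGMENT)
    print(parse_echo(tunnel_pkt))
    print("tunnel payload flagged:", looks_like_tunnel(tunnel_pkt))
    print("linux ping flagged:", looks_like_tunnel(build_echo(LINUX_PING_DATA)))
```

The checksum check matters for the defender as much as the attacker: a tunnel that forgets to recompute it produces packets most stacks silently drop, and packets with bad checksums in a capture are themselves a sign of hand-crafted traffic.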
Using TCP parameters
Instead of encapsulating traffic inside another protocol, why not carry the attacker’s payload in ordinary TCP/IP packets? This method is well known and can still be used today to bypass an IDS/IPS, because the packets are otherwise well formed. The payload is hidden in header fields whose values the receiving stack does not check or that the sender may choose freely. Some of the fields in a TCP/IP packet that can carry content are:
- IP Identification: The simplest variant to execute. It requires an established session between the two parties; the sender places one character of the payload per packet in the 16-bit IP Identification field, which is otherwise only a fragment-reassembly counter.
- TCP Initial Acknowledgment Sequence Number: This is the sneakiest method. It uses a bounce server, an uninvolved third host whose only role is to receive a packet from the client and, unknowingly, relay it to the receiver. The steps are:
  - The client builds a TCP SYN packet with the source address spoofed to that of the receiving server and the destination address of the bounce server. Its initial sequence number, ISNa, encodes the character to be transmitted.
  - The bounce server receives the packet and replies with a SYN-ACK (port open) or a RESET (port closed). Where does the reply go? To the receiving server, because that is the spoofed source address it saw. Either way the reply acknowledges ISNa + 1: SYNb, ACK(ISNa+1).
  - The receiving server accepts the reply, subtracts one from the acknowledgment number and recovers the character. The receiver only ever sees traffic from the legitimate bounce host, never from the client. The method depends on the client being able to emit packets with a spoofed source address, so anti-spoofing egress filtering on the client’s network defeats it.
- Initial TCP Sequence Number: This method does not even require an established connection, as the IP Identification method does. A SYN packet is sent whose initial sequence number ISNa encodes the payload (a character). Even if the other side answers with a RESET, the content has already been extracted from the SYN.
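The three field-based channels above (IP Identification, bounced acknowledgment number, and initial sequence number) can be modelled end to end in a few lines. The following is an added example, not code from the article or from any named tool: it builds minimal IPv4 and TCP headers with struct (no sockets, checksums left at zero) so the field positions can be seen, and uses one byte per packet placed in the high-order bits of the field. That placement is one common scheme and an assumption; real tools may pack the data differently. The addresses 192.0.2.20 (receiver) and 198.51.100.7 (bounce host) are documentation addresses chosen for the example.

```python
"""Byte-per-packet covert channel in IP ID, TCP ISN and bounced ACK fields.

Added example, not from the article. Headers are built by hand with struct
(no sockets, checksums left zero) so the field layout can be inspected
offline. The placement used here (IP ID = byte << 8, ISN = byte << 24) is
one common scheme and an assumption; real tools may pack data differently.
"""
import struct

SYN, RST_ACK, PSH_ACK = 0x02, 0x14, 0x18
RECEIVER, BOUNCE = "192.0.2.20", "198.51.100.7"   # example addresses


def ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src, dst, sport, dport, ip_id, seq, ack=0, flags=SYN):
    """Return a 20-byte IPv4 header followed by a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (ip_id, seq, ack, flags) from a packet built as above."""
    ip_id = struct.unpack("!H", pkt[4:6])[0]      # IP header bytes 4-5
    seq, ack = struct.unpack("!II", pkt[24:32])   # TCP seq/ack at 20+4, 20+8
    return ip_id, seq, ack, pkt[33]               # TCP flags byte


# Sender side: the byte sits in the high-order bits of a field receivers
# normally ignore (IP ID) or that the sender chooses freely (ISN).
def encode_ipid(byte): return byte << 8
def encode_isn(byte):  return byte << 24


# Receiver side.
def decode_ipid(ip_id): return (ip_id >> 8) & 0xFF
def decode_isn(seq):    return (seq >> 24) & 0xFF
def decode_bounced_ack(ack):
    # TCP requires the SYN-ACK/RST to acknowledge ISN + 1, so undo the +1.
    return ((ack - 1) >> 24) & 0xFF


def bounce_server(syn_pkt):
    """Model of an uninvolved host answering a SYN to a closed port with a
    RST/ACK whose ack = received seq + 1, sent to the (spoofed) source."""
    _id, seq, _ack, _flags = parse_ipv4_tcp(syn_pkt)
    return build_ipv4_tcp(BOUNCE, RECEIVER, 80, 40000, 0, 0,
                          ack=(seq + 1) & 0xFFFFFFFF, flags=RST_ACK)


def send_via_ipid(message: bytes) -> bytes:
    """IP ID channel: one byte per packet of an established session."""
    out = bytearray()
    for b in message:
        pkt = build_ipv4_tcp(RECEIVER, BOUNCE, 40000, 80, encode_ipid(b),
                             1000, ack=1, flags=PSH_ACK)
        out.append(decode_ipid(parse_ipv4_tcp(pkt)[0]))
    return bytes(out)


def send_via_isn(message: bytes) -> bytes:
    """ISN channel: one byte per SYN, no connection needed."""
    out = bytearray()
    for b in message:
        syn = build_ipv4_tcp(RECEIVER, BOUNCE, 40000, 80, 0, encode_isn(b))
        out.append(decode_isn(parse_ipv4_tcp(syn)[1]))
    return bytes(out)


def send_via_bounce(message: bytes) -> bytes:
    """Bounce channel: SYNs spoofed 'from' RECEIVER go to BOUNCE; the
    receiver decodes the acknowledgment numbers of the replies it gets."""
    out = bytearray()
    for b in message:
        syn = build_ipv4_tcp(RECEIVER, BOUNCE, 40000, 80, 0, encode_isn(b))
        reply = bounce_server(syn)
        out.append(decode_bounced_ack(parse_ipv4_tcp(reply)[2]))
    return bytes(out)


if __name__ == "__main__":
    msg = b"covert"
    print(send_via_ipid(msg), send_via_isn(msg), send_via_bounce(msg))
```

Note what the encoding costs the attacker: every packet carries an IP ID whose low byte is zero and an ISN whose low 24 bits are zero, which is not what a real stack produces. A sensor that compares these fields against the expected distribution (incrementing or random IP IDs, random ISNs) has a concrete signal to alert on.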
Covering tracks on the OS
Windows
Hiding files in NTFS
A file on an NTFS partition behaves like a drawer with several shelves: the file name is the drawer and each shelf is a separate data stream. Any number of alternate data streams can be attached to a file, and Explorer or a plain “dir” shows only the main stream and its size. Note that file streaming applies to NTFS and not to FAT; copying a file to a FAT volume drops the alternate streams. An attacker can use this streaming property to hide their files behind normal files on the system. The usual built-in commands are:
- The Windows “type” command, which has the following syntax:
- type file_to_hide > normal_file:stream1
- To read the stream back, use “more” with the syntax below (you need to know the stream name for this):
- more < normal_file:stream1
To find such streams, “dir /R” (Windows Vista and later) lists alternate data streams, and PowerShell’s Get-Item with the -Stream parameter enumerates them.
Unix
- Files can be hidden in Unix by prefixing their names with a period (.), since “ls” does not list them by default. Every directory in *nix contains at least two entries, the current directory (.) and the parent directory (..). Attackers give their files and directories names that look like these, for example “.. ” (dot dot followed by a space), which is easy to overlook in a listing. Such files are usually placed in /dev, /tmp or /etc. Quoting names in a listing (for example GNU “ls -Q”) or searching for names made only of dots and whitespace reveals them.
- Attackers also modify log files to cover their tracks. However, the modification can itself leave a trace: the shell records the command used to open and edit the log in its history file, so the cleanup shows up there, and this continues for every command the attacker types. Clever attackers avoid this by setting the HISTSIZE variable to zero, so nothing is kept, and by terminating the shell with “kill” rather than exiting normally, so that it never writes its history to disk. Forwarding logs to a remote log server as they are written means local edits cannot remove what has already left the host.
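The two Unix tricks above, dot-and-space file names and disabled shell history, leave artifacts a host inspection can look for. The following added example (not from the article) is a small scanner for both: it reports directory entries whose names consist only of dots and whitespace or carry leading, trailing or control whitespace, and it reports a history file pointed at /dev/null or emptied, plus HISTSIZE/HISTFILESIZE set to zero or HISTFILE unset in the shell rc files. The sample home directory it builds is constructed data in a temporary directory; the set of rc files checked is an assumption (bash only).

```python
"""Scan a home directory for Unix track-covering artifacts.

Added example, not from the article. build_sample_home() creates throwaway
sample data in a temporary directory; point scan_hidden_names() and
history_tamper_indicators() at real paths to use them for real.
"""
import os
import re
import tempfile

# Names that are only dots/whitespace (".. ", ". ", "...") or that start or
# end with whitespace or contain control characters. Ordinary dotfiles such
# as ".bashrc" do not match.
SUSPICIOUS_NAME = re.compile(r"^\.+\s*$|^\s|\s$|[\x00-\x1f]")

# Shell rc lines that disable history (bash; other shells differ).
HISTORY_OFF = re.compile(
    r"^\s*(?:export\s+)?(?:HISTSIZE|HISTFILESIZE)=0\b"
    r"|^\s*unset\s+HISTFILE\b"
    r"|HISTFILE=/dev/null",
    re.MULTILINE,
)
RC_FILES = (".bashrc", ".bash_profile", ".profile")


def scan_hidden_names(root):
    """Return sorted paths under root whose basename looks like a disguised
    '.'/'..' entry. os.walk never yields '.' or '..' themselves."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if SUSPICIOUS_NAME.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def history_tamper_indicators(home):
    """Return human-readable findings about disabled or discarded history."""
    findings = []
    hist = os.path.join(home, ".bash_history")
    if os.path.islink(hist) and os.readlink(hist) == "/dev/null":
        findings.append(".bash_history -> /dev/null")
    elif os.path.isfile(hist) and os.path.getsize(hist) == 0:
        findings.append(".bash_history is empty")
    for rc in RC_FILES:
        path = os.path.join(home, rc)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for match in HISTORY_OFF.finditer(fh.read()):
                findings.append(f"{rc}: {match.group(0).strip()}")
    return findings


def build_sample_home():
    """Construct a fake home directory that shows both tricks (sample data)."""
    home = tempfile.mkdtemp(prefix="home_")
    hidden_dir = os.path.join(home, ".. ")          # "dot dot space"
    os.makedirs(hidden_dir)
    open(os.path.join(hidden_dir, "tools.tgz"), "w").close()
    open(os.path.join(home, ".vimrc"), "w").close()  # legitimate dotfile
    os.symlink("/dev/null", os.path.join(home, ".bash_history"))
    with open(os.path.join(home, ".bashrc"), "w") as fh:
        fh.write("alias ll='ls -la'\nexport HISTSIZE=0\nunset HISTFILE\n")
    return home


if __name__ == "__main__":
    sample = build_sample_home()
    print("suspicious names:", scan_hidden_names(sample))
    print("history findings:", history_tamper_indicators(sample))
```

An attacker who kills the shell instead of exiting leaves no history at all, so an empty or missing history file for an account that was demonstrably logged in (according to wtmp or remote authentication logs) is itself worth a second look.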