Covering Your Tracks: Ncrypt and Ncovert
Simple Nomad
Hacker – NMRC
Sr. Security Analyst - BindView
Stealth and Covert Communications
• What is it
• Why use it
• Examples in existence
  – File encryptors/decryptors (GPG, etc.)
  – File system encryption (CFS, NTFS encryption, etc.)
  – Steganography (Outguess, etc.)
  – Covert network (Loki2, etc.)
Goals for Project
• Defeat network and workstation forensics
• Simple and clean install/compile (no extra libraries)
• Leverage existing technology
Ncovert – Overview
• Freeware
• No extra libraries required, uses standard C
• Uses Initial Sequence Number (ISN) as the data field
• Anonymous sending
• Can bypass most firewalls
Ncovert – How it works
• Sender sends SYN packet with data in ISN to public server, forges source IP as receiver’s IP
• Public server receives SYN, sends SYN/ACK to receiver’s machine
• Receiver’s machine sniffs packet and gets data, the OS sends a RST to public server
• Repeated until all data is sent
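From the monitored host's side, the bounce described above leaves a distinctive trace: SYN/ACKs arriving from a public server that the host never sent a SYN to, each immediately answered by a kernel RST. The detector below is an added example (not Ncovert's code or part of the original slides) that runs over a constructed packet sample; the IP addresses are documentation-range placeholders and the threshold and window are assumptions.

```python
from collections import defaultdict, namedtuple

# One sniffed TCP header summary per entry (constructed sample, not real traffic).
# flags: "S" = SYN, "SA" = SYN/ACK, "R" = RST
Packet = namedtuple("Packet", "ts src sport dst dport flags")

OUR_IP = "192.0.2.10"   # the monitored receiver host (RFC 5737 documentation range)

SAMPLE = [
    # A normal connection: we sent the SYN, so the SYN/ACK that follows is expected.
    Packet(1.00, OUR_IP, 40001, "198.51.100.7", 443, "S"),
    Packet(1.02, "198.51.100.7", 443, OUR_IP, 40001, "SA"),
    # The bounce pattern: SYN/ACKs from a public server we never contacted,
    # each answered by a RST from our kernel, as the slide describes.
    Packet(5.00, "198.51.100.5", 80, OUR_IP, 1025, "SA"),
    Packet(5.00, OUR_IP, 1025, "198.51.100.5", 80, "R"),
    Packet(5.40, "198.51.100.5", 80, OUR_IP, 1026, "SA"),
    Packet(5.40, OUR_IP, 1026, "198.51.100.5", 80, "R"),
    Packet(5.80, "198.51.100.5", 80, OUR_IP, 1027, "SA"),
    Packet(5.80, OUR_IP, 1027, "198.51.100.5", 80, "R"),
]

def unsolicited_synacks(packets, our_ip):
    """Return {remote_ip: [SYN/ACK packets that no outbound SYN of ours explains]}."""
    pending = set()            # (remote_ip, remote_port, our_port) of SYNs we sent
    hits = defaultdict(list)
    for p in packets:
        if p.src == our_ip and p.flags == "S":
            pending.add((p.dst, p.dport, p.sport))
        elif p.dst == our_ip and p.flags == "SA":
            key = (p.src, p.sport, p.dport)
            if key in pending:
                pending.discard(key)   # the expected reply to our own SYN
            else:
                hits[p.src].append(p)
    return hits

def bounce_alerts(packets, our_ip, threshold=3, window=60.0):
    """Flag remotes that sent >= threshold unsolicited SYN/ACKs within `window` seconds."""
    alerts = {}
    for remote, pkts in unsolicited_synacks(packets, our_ip).items():
        times = sorted(p.ts for p in pkts)
        best, lo = 0, 0
        for hi in range(len(times)):           # densest burst inside the window
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts[remote] = best
    return alerts
```

Backscatter from a spoofed-source SYN flood produces the same unsolicited SYN/ACKs, so in practice correlate the hits with the immediate RSTs and with a single, repeatedly used public server before treating them as a covert channel. A sensor anywhere on the path to the forged source IP sees the same pattern, which is exactly why the slides call the receiving side anonymous.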
Ncovert – Pros and Cons
• Pro
  – Anonymous sending
  – If sniffing in path to forged source IP, anonymous receiving
  – Careful planning can bypass most firewall rules
• Con
  – Slow, as reliable as UDP
  – Plaintext transmission, must encrypt data first (use Ncrypt)
  – Needs multiple “triggers”
Ncovert – Live Demo
Ncrypt – Overview
• Freeware
• No extra libraries required, uses standard C
• Symmetric file encryption/decryption
• Choice of three encryption algorithms
• Optional wiping of files, with wiping also getting file slack
• Choice of two wiping techniques
• Additional secure coding
Ncrypt – Crypto Used
• Encryption algorithms
  – Rijndael (AES)
  – Serpent
  – Twofish
• SHA-1 hashing of passphrase
• Random data stream generation - ISAAC
Ncrypt – Wipe Fu
• Peter Gutmann’s 1996 de facto standard from “Secure Deletion of Data from Magnetic and Solid-State Memory”
• 4 passes of random data, 27 passes of specific bit patterns, 4 more passes of random data, 35 passes total
• Anti-forensics aimed at defeating TLAs
• Probably overkill by today’s standards for disk drives
Ncrypt – Wipe Fu
• NSA-developed National Industrial Security Program Operating Manual (NISPOM) aka DoD 5220.22-M; subsection 8-306
• A pass of a character, a pass with that character’s bits flipped, and a verified pass with random data, 3 passes total
• There is no “wipe 7 times” U.S. Government standard to be found
• Not for TOP SECRET, which is significant in itself
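The three-pass NISPOM schedule above, implemented as an added example (not Ncrypt's own code) that also covers the file slack the Ncrypt overview slide mentions by extending the file to its allocation-block boundary before overwriting; `block_size` is an assumed cluster size and the file contents are constructed. The Gutmann schedule on the previous slide differs only in the list of patterns written, not in the mechanics shown here.

```python
import os
import secrets
import tempfile

def complement(byte: int) -> int:
    """The pass-2 pattern: every bit of the pass-1 character flipped."""
    return (~byte) & 0xFF

def slack_bytes(file_size: int, block_size: int) -> int:
    """Bytes between end-of-file and the end of its last allocation block (file slack)."""
    return (-file_size) % block_size

def _overwrite(f, data: bytes) -> None:
    f.seek(0)
    f.write(data)
    f.flush()
    os.fsync(f.fileno())     # push each pass to the device before starting the next

def dod_wipe_file(path: str, block_size: int = 4096, char: int = 0x55) -> int:
    """Three-pass overwrite as in DoD 5220.22-M 8-306: a character, its complement,
    then random data that is read back and verified. The write length is rounded
    up to the block boundary so the tail of the last block (the slack) is covered
    too. The file is removed afterwards. Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    total = size + slack_bytes(size, block_size)
    with open(path, "r+b") as f:
        _overwrite(f, bytes([char]) * total)              # pass 1: fixed character
        _overwrite(f, bytes([complement(char)]) * total)  # pass 2: bits flipped
        rnd = secrets.token_bytes(total)
        _overwrite(f, rnd)                                # pass 3: random data
        f.seek(0)
        if f.read(total) != rnd:                          # the "verified" part
            raise RuntimeError("verification of random pass failed")
    os.remove(path)
    return total

def run_demo() -> tuple:
    """Create a 100-byte constructed file, wipe it, return (bytes wiped, still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed secret contents ".ljust(100, b"x"))
    wiped = dod_wipe_file(path)
    return wiped, os.path.exists(path)
```

On journaling, copy-on-write or flash-based storage the blocks rewritten here need not be the ones that held the old data, so an in-place overwrite is best effort on such media rather than a guarantee.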
Ncrypt – Secure Coding
• Plaintext passphrase wiped from memory after it is converted to a SHA-1 hash
• SHA-1 hash wiped from memory after the crypto key is made
• If root, memory locked from paging
Ncrypt – Target Users
• Non-root users e.g. shell account on an ISP
• Human rights worker
• Security professional
• Privacy advocate
• Black hat
Ncrypt – Live Demo
Resources
• Ncrypt - http://ncrypt.sourceforge.net/
• Ncovert - http://www.nmrc.org/project/ncovert/
• National Industrial Security Program Operating Manual (DoD 5220.22-M), Dept. of Defense, 1995 – http://www.dss.mil/isec/nispom_195.htm
• “Secure Deletion of Data from Magnetic and Solid-State Memory”, Peter Gutmann, 1996 – http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html