Con Kung-Fu: Defending Yourself @ DefCon (DefCon 17, 2009)
Defcon 16 – asleep at the wheel
Crap! Firefox is possessed!
DNS redirection allowed for malicious code insertion on legitimate webpages
2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon
Defcon 16 – asleep at the wheel (cont.)
Milw0rm.lzm in /mnt/live/memory/images
Used “uselivemod” in the BT/Tools directory, which lets you slipstream a module into the live system on the fly
Automatic IP and calls update milw0rm
Defcon 16 – asleep at the wheel (cont.)
MBR rootkit
• vmlinuz (compressed kernel) files were replaced with replicas to subvert GRUB, etc.
• Booting BT with nohdd causes a reboot, perhaps because the MBR rootkit depended on virtual memory (swap) created on the hard disk
What you should have done
Left your laptop at home!
What you should have done
Broadband wireless card
Updates/Patches
Laptop w/no data on it
NOT your work laptop!!
NOT your home laptop!!
Use a VM
What you can do now
Lock down BIOS/MBR
Enable system password protection
Enable MBR protection in the BIOS; this makes the MBR read-only
What you can do now
Configuration changes (linux/win)
Hosts.deny
Firewall
Close services
Change the default root password (e.g. on BT)
AV
Conky
Hard-set DNS servers
What you can do now
Comprehensive Hardening
Security templates (windows)
Bastille (linux) (http://bastille-linux.sourceforge.net/)
HIPS
Block all inbound connections
Protect your DNS entries/ARP/logs
What you can do now
SSH Proxy
Firefox tunneling over SSH
Know your server’s SSH key beforehand!!
What you can do now
Firefox hardening
NoScript
Turn off DNS proxy in about:config
Use a known good proxy
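The SSH-proxy slide and the Firefox slide above describe one setup: a SOCKS tunnel to a server whose host key you recorded before the con, with Firefox forced through it. The script below is an added example (not from the talk); it assumes placeholder values for the proxy host, port, host key and paths, and reads the "DNS proxy" item as sending Firefox's DNS lookups through the tunnel (network.proxy.socks_remote_dns) rather than to the con's resolvers.

```shell
#!/bin/sh
# Added example, not from the talk: before leaving home, write an isolated SSH
# client config whose only trust anchor is the host key recorded on a trusted
# network, plus a Firefox user.js that pushes all traffic, DNS lookups included,
# through the resulting SOCKS tunnel. Host, port, key and paths are placeholders.

# make_ssh_pin CONFDIR HOST PORT HOSTKEY
#   HOSTKEY is the "ssh-ed25519 AAAA..." part of a known_hosts line, e.g. from
#   `ssh-keyscan -t ed25519 HOST | cut -d' ' -f2-` run at home, never on the con network.
make_ssh_pin() {
    dir=$1; host=$2; port=$3; hostkey=$4
    mkdir -p "$dir"
    # OpenSSH looks up "[host]:port" only for non-default ports; a plain
    # "host" entry is what matches when the port is 22.
    if [ "$port" -eq 22 ]; then
        printf '%s %s\n' "$host" "$hostkey" > "$dir/known_hosts"
    else
        printf '[%s]:%s %s\n' "$host" "$port" "$hostkey" > "$dir/known_hosts"
    fi
    cat > "$dir/config" <<EOF
Host conproxy
    HostName $host
    Port $port
    UserKnownHostsFile $dir/known_hosts
    StrictHostKeyChecking yes
    DynamicForward 127.0.0.1:1080
    ExitOnForwardFailure yes
EOF
}

# make_firefox_proxy PROFILEDIR : user.js for a throwaway profile. Port 1080
# matches DynamicForward above; socks_remote_dns keeps DNS off the hostile LAN.
make_firefox_proxy() {
    mkdir -p "$1"
    cat > "$1/user.js" <<'EOF'
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.no_proxies_on", "");
EOF
}

# Typical use at the con (placeholder paths):
#   ssh -F ~/con/ssh/config -N conproxy   # exits instead of accepting any other host key
```

With StrictHostKeyChecking yes and a dedicated known_hosts, a rogue AP or MITM presenting a different key gets a hard failure instead of the usual "add to known hosts?" prompt.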
What you can do now
Run Snort
Patch Snort!
Will detect wireless shenanigans
Run Kismet (Linux)
Will alert on deauth floods and bcastdiscon (disassociation attack): http://www.informit.com/guides/content.aspx?g=security&seqNum=148
Run AirSnare (Windows)
What you can do now
Do NOT check email, go to LinkedIn, Facebook, etc.
Even after an SSL login page, many sessions continue in cleartext
How to tell if you just got p0wnd
Logs
MD5 hashes
Check system binaries (telnet, ls, login, finger, etc.) against known checksums; check offline in single-user mode.
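The checksum check above, as an added example that is not part of the talk: a baseline is recorded while the laptop is known-good and re-verified later from a trusted boot. It uses sha256sum rather than the MD5 the slide names (MD5 collisions are cheap to produce), and the manifest format and the BINS list are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the talk: record checksums of system binaries while
# the laptop is known-good, then re-check them later from a trusted environment
# (single-user mode, or a rescue boot with the suspect root mounted at ROOT).
# sha256sum is used instead of the MD5 the slide names; the manifest format is
# this example's own ("<sha256>  <path relative to ROOT>").

# Binaries the talk lists plus a few that binary-replacing rootkits commonly target.
BINS="bin/ls bin/login bin/ps bin/netstat usr/bin/telnet usr/bin/finger usr/bin/ssh"

# baseline ROOT MANIFEST : hash every listed binary that exists under ROOT.
baseline() {
    root=${1%/}; manifest=$2
    : > "$manifest"
    for b in $BINS; do
        if [ -f "$root/$b" ]; then
            # run from ROOT so the manifest stores relative paths and can be
            # checked against the same tree mounted anywhere
            (cd "$root" && sha256sum "$b") >> "$manifest"
        fi
    done
}

# verify ROOT MANIFEST : print MODIFIED/MISSING lines, return the mismatch count.
# Run it from a trusted medium: the sha256sum on a compromised root may lie.
verify() {
    root=${1%/}; manifest=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        got=$(cd "$root" && sha256sum "$path" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# Typical use: `baseline / ~/bins.sha256` before the con (store the manifest
# off the laptop), then `verify /mnt/suspect ~/bins.sha256` from a rescue boot.
```

Keep the manifest somewhere the laptop cannot alter (USB stick, printout, a copy at home), since a manifest stored on the compromised disk proves nothing.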
How to tell if you just got p0wnd
Forensic Utils (Backtrack, etc)
Connections monitor
Monitor /etc/services as well as /etc/inetd.conf
How to tell if you just got p0wnd
Portscan detection
p. 283 of Nmap Network Scanning (Fyodor)
Scanlogd
PortSentry
ZoneAlarm (Windows)
Psad (Linux): Intrusion Detection and Log Analysis with iptables
http://www.cipherdyne.org/psad/
Strike Back !
It’s the most hostile network in the world
Be part of it!
Strike Back !
Tools at the ready to terminate access or impart retribution
Run windentd & icepick (p. 264 of Nmap Network Scanning)
Scanlogd
PortSentry
Targeted DoS. Please do not DoS the DC network; that is very bad form, and Bad Things™ will happen... to you