
How To Terminate A Hacker's Session?


Infiltrator


Hi All,

What would be the most effective way to disconnect a hacker's session?

For example, say a hacker had managed to break into your server or computer: how would you go about disconnecting him or kicking him off your server and the network completely?

And preventing him from reconnecting again?

Any thoughts or comments.

Thank you in advance.


Block IP in firewall... change password or disable the account they were using.
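The two steps in the reply above (block the address, disable the account) written out as a containment script. This is an added example, not code from the thread or from any poster. It assumes a Linux host with iptables, conntrack-tools, iproute2 (`ss`) and shadow-utils; the address 203.0.113.5 and the account name `bob` are placeholders. It runs in dry-run mode by default and only prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the thread): containment runbook for one attacker
# IP and one compromised local account. Assumes Linux with iptables,
# conntrack-tools, iproute2 and shadow-utils. DRY_RUN=1 (default) prints
# the commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address. A typo here would otherwise become
# a firewall rule that matches nothing (or, with an empty string, everything).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# contain ATTACKER_IP COMPROMISED_USER
contain() {
    ip="$1"; user="$2"
    valid_ipv4 "$ip" || { echo "contain: bad IPv4 address: $ip" >&2; return 1; }

    # 1. Block the address in both directions. Inserting at position 1 puts the
    #    DROP ahead of any "ESTABLISHED,RELATED -j ACCEPT" rule; an appended rule
    #    would leave the attacker's existing flow allowed.
    run iptables -I INPUT  1 -s "$ip" -j DROP
    run iptables -I OUTPUT 1 -d "$ip" -j DROP

    # 2. The server-side shell stays alive until TCP gives up, so remove the
    #    flow from the conntrack table and destroy the local sockets too
    #    (ss -K needs a kernel built with CONFIG_INET_DIAG_DESTROY).
    run conntrack -D -s "$ip"
    run conntrack -D -d "$ip"
    run ss -K dst "$ip"

    # 3. Lock the account and kill everything still running as that user,
    #    including anything the attacker backgrounded.
    run usermod -L "$user"
    run pkill -KILL -u "$user"

    # 4. Verify: nothing should be left talking to the address.
    run ss -tn dst "$ip"
}

# Demo with constructed placeholder values (prints only under DRY_RUN=1).
contain 203.0.113.5 bob
```

Set `DRY_RUN=0` to execute for real. As later replies in the thread point out, once the session is gone you lose the chance to watch it, so capture `ss -tnp` output and your logs before running step 2.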

Good point, also is there another way to disconnect the session without blocking the IP?


Thank you guys, I think that answers my question.

I knew it was something simple.


I was going to say disconnect it from the network, then secure a backup, but "pull the plug" pretty much sums that up. At any sign of a breach, the first thing you want to do is isolate the device in question, so if you suspect one of your servers is compromised, pull the Ethernet on it and begin your company's normal forensic procedure, whatever that may be (such as imaging or snapshotting the live system state, backups, dumping memory since some attacks only live as a running process, etc. See http://www.irongeek.com/i.php?page=videos/computer-forensics-electronic-discovery-andy-cobb for some good info IronGeek just posted).


Find out what port the hacker is connected on, then add a port forward and alter the physical NIC the server is on. So effectively you move the server to a new IP range on an orange part of your firewall. This may drop the hacker's connection, but I would suggest you will see a reconnect within 10 mins. If the system has no critical data on it, then call the police and make sure all your logs are on, firewall and server; don't block the hacker, as you may not be able to track them down again. If it has critical data on it, best to start full disclosure, as otherwise shit like this comes back to bite you, and cut all connections, then run a forensics distro to freeze the system.


Since you guys started talking about forensic analysis, what utility would you use to dump the contents of RAM to a USB?

I am not referring to the Microsoft Memory Dump Utility, but simply what Darren demonstrated in the past episodes, like cold boot attacks.

Reason being, I want to do more than just an image of the system, but a complete image of the physical ram as well.


http://en.wikipedia.org/wiki/Cold_boot_attack

I'm not sure that you can do a bit-for-bit copy of physical RAM from within Windows.

Since it takes time for the RAM to wipe its contents, there is a small program that you can load onto a USB and copy all the contents from RAM into it, simply by booting the computer off the USB.

Darren did a segment on that, but I can't remember what the utility is called. Besides, there is also another utility called "The Volatility Framework" which takes samples from RAM, but it doesn't do a complete copy of what is in RAM.


> Since it takes time for the RAM to wipe its contents, there is a small program that you can load onto a USB and copy all the contents from RAM into it, simply by booting the computer off the USB.
>
> Darren did a segment on that, but I can't remember what the utility is called. Besides, there is also another utility called "The Volatility Framework" which takes samples from RAM, but it doesn't do a complete copy of what is in RAM.

Yes, but that involves rebooting or pulling the RAM from a running system and then dumping it from a specialized OS or Linux box. Not something you can do from within Windows while it's running. You'd probably want to clone the active memory first and then do cold-boot last (because even under ideal conditions there could be some degradation).


> Yes, but that involves rebooting or pulling the RAM from a running system and then dumping it from a specialized OS or Linux box. Not something you can do from within Windows while it's running. You'd probably want to clone the active memory first and then do cold-boot last (because even under ideal conditions there could be some degradation).

You will lose at least 512b of memory, as on boot the system will have to load in the boot block. Most of the memory dumpers designed to run after a reboot use more memory than just the boot block, so you will lose even more memory; not masses, but personally I like my memory dump tools to have as little effect on the memory being dumped as possible.


> You will lose at least 512b of memory, as on boot the system will have to load in the boot block. Most of the memory dumpers designed to run after a reboot use more memory than just the boot block, so you will lose even more memory; not masses, but personally I like my memory dump tools to have as little effect on the memory being dumped as possible.

And what are the odds that whatever he is looking for in RAM would be in the first 512b of RAM? Or even in the first 1MB?

If you were looking for a hard drive decryption key then that would be a legitimate concern, but in the scenario that was described I am fairly certain that the OS wouldn't allocate that memory to anything that would be interesting to look at.

The beginning of the address space is High Memory which is addressed exclusively by the OS kernel.


> And what are the odds that whatever he is looking for in RAM would be in the first 512b of RAM? Or even in the first 1MB?
>
> If you were looking for a hard drive decryption key then that would be a legitimate concern, but in the scenario that was described I am fairly certain that the OS wouldn't allocate that memory to anything that would be interesting to look at.
>
> The beginning of the address space is High Memory which is addressed exclusively by the OS kernel.

The kernel's data structures store lots of information that can make your life a lot easier. Booting an entire kernel to dump the memory (like some of these memory dump tools do) is going to overwrite/corrupt a lot of this data. After all, if I am looking to find information from a specific process that was running on the machine before the reboot, then it would make a lot of sense to start by working out what areas of memory the process could access.


I just found out what the tool Darren used to dump the contents of the RAM is called.

Ram2USB

And here is a link to it,

http://www.mcgrewsecurity.com/tools/msramdmp/


A while ago after watching the cold boot attack episode of Hak5 I wrote a memory dumping tool called memDump. It is crude and only supports dumping between 16MB and 4GB of memory (i.e. it is only 32bit), but it does fit entirely in a standard bootblock so it only overwrites 512b of memory.

The source is included in the downloads (FASM Assembler)

It worked fine on my test machines but I have only a limited number of test machines so if anyone else tries it and finds any bugs please let me know.


Why not try to hack him back lol you said you knew which IP the hacker was on. If it gets bad then yeah just unplug your pc from the network and look around your computer to see where they are getting in.


> Why not try to hack him back lol you said you knew which IP the hacker was on. If it gets bad then yeah just unplug your pc from the network and look around your computer to see where they are getting in.

I could do that, but if he is behind some kind of proxy then it would be a bit hard, I guess.


Decent logging will help give you clues to some extent.

Yes, that will definitely give me some clues. I should also deploy some honeypots to study his behavior, and see how/what he does to break in.


Just to make a quick post. From a forensic standpoint you do not want to terminate the session, but make logs of everything that is happening, IPs, ports so on. A RAM dump might not be needed but there are applications out there that do it pretty easily, most of the free ones will not do more than 4 GB so keep an eye on that.

It's more of an incident response procedure, but using all the info you gather on the current session you can try to update IDS rules to block future activity and to patch vulnerable systems.


Guest leg3nd

Determine the server process via netstat and nmap, check your services and look for any ports that should be there. Kill the corresponding processes, then attempt to find and remove any injected code which may cause it to be re-compromised.

Not letting it happen again would involve updating your services and software, enabling an updated anti-virus, and also enabling a firewall.

Now if you're rootkitted then that's a different story and you may need to dig in the kernel or drivers.

> From a forensic standpoint you do not want to terminate the session

That's true, but you should probably first make sure that your data is secure (assuming you actually have sensitive data), but it's probably easier to trace it down and gain more information while the session is established.

Edited by leg3nd
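Two earlier steps in the thread, "find out what port the hacker is connected on" and leg3nd's "determine the server process via netstat", come down to reading socket listings carefully. The helpers below are an added example, not code from the thread or from any poster: they parse the output format of iproute2's `ss -tlnp` and `ss -tnp` (the modern replacement for netstat), flag listening ports that are not on an allowlist, and show which remote addresses are connected to a given PID. The two sample listings, the allowlist `22 80`, PID 1337 and all addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for `ss -tlnp` and
# `ss -tnp` output. Flag listeners outside an allowlist, then list the peers
# of a suspect PID. The sample listings below are constructed for the demo.

SAMPLE_LISTEN=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=955,fd=6))
LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=1337,fd=3))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
EOF
)

SAMPLE_ESTAB=$(cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
ESTAB 0      0      10.0.0.5:4444      203.0.113.9:51822  users:(("nc",pid=1337,fd=4))
ESTAB 0      0      10.0.0.5:22        192.0.2.10:40122   users:(("sshd",pid=2001,fd=4))
EOF
)

# unexpected_listeners "PORT PORT ..." < ss-tlnp-output
# Prints one line per LISTEN socket whose local port is not in the allowlist,
# with the owning PID and process name taken from the Process column.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            m = split($4, p, ":"); port = p[m]      # last field works for [::]:22 too
            if (port in ok) next
            proc = "?"; pid = "?"
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
            printf "port=%s pid=%s proc=%s\n", port, pid, proc
        }'
}

# peers_of_pid PID < ss-tnp-output
# Prints the remote address (port stripped) of every established connection
# owned by PID. The trailing comma in the match keeps pid=1337 from also
# matching pid=13371.
peers_of_pid() {
    awk -v pid="$1" '
        $1 == "ESTAB" && index($0, "pid=" pid ",") {
            peer = $5; sub(/:[0-9]+$/, "", peer); print peer
        }'
}

# Demo on the constructed listings. On a live host you would pipe in
# `ss -tlnp` and `ss -tnp` instead.
printf '%s\n' "$SAMPLE_LISTEN" | unexpected_listeners "22 80"
printf '%s\n' "$SAMPLE_ESTAB"  | peers_of_pid 1337
```

The allowlist is the important part: the script only knows what is unexpected because you told it what the box is supposed to serve, so keep that list per host. Record the output before killing anything; it is the "IPs, ports and so on" the earlier forensic reply asks you to log.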


If I remember right, really rough memory of the story, in one of Kevin Mitnick's books there was a story of a security guy coming in to give a talk to a bunch of coppers on IT Security and hacking I think. And turns out their servers, unknown to them, were being used as a gateway by some hackers to gain access to a number of other agencies and businesses related to that place. I think it was flagged up while the security guy was there. So he took them to the server room to experience the real world attack and monitored what the hackers were doing, where they were going etc. So that they could trace them and catch them later. Which they did.

I'll have to flick through those books again if I can find them and find the story. Was a good one.

