A few ways to find out if you’re compromised

On any computer, many programs and processes run in the background. Unless you're a savvy computer user you may not be aware of these processes. Hackers sometimes use them to hide inside victim computers.

In this post I'll be using two of my virtual machines to demonstrate how a hack happens, one way a hacker can hide in a system, and how that can be found on the victim.

NOTE: These two machines are both on a host-only network, meaning that the hacking attempts shown in this demo cannot get out onto the open internet. Even though this demo involves hacking, I do not in any way support the illegal hacking of any computing device.

First I start off by putting my two virtual machines on a host-only network, sandboxed within my host system.

I had to make sure that both machines were set to VMnet1. This virtual network is configured as host-only, so any communication between these two machines will not get out onto the open internet. Therefore I can safely hack the victim.

After confirming that the two VMs are configured correctly I boot them and disable any firewalls, AV software, and other programs that would detect the hack on the victim. The purpose of this test is not to bypass those programs but to get a piece of malicious software onto the machine and show some ways that it can be found.

After the two computers are connected I have the VMs ping each other to make sure they can communicate. After that I use Zenmap on my hacking platform to scan for open ports on the victim VM.

This program sends network packets to ports on the target computer and reports whether each port is open or not. An "open" port is one on which a service is listening for a connection from another computer, so each open port is a potential way into the machine.

I already know which attack vector I want to use on the victim. It requires port 445 (SMB) to be open. After checking the Zenmap report I found that port 445 is open. From there I start Metasploit and configure it to attack the victim.

Before hacking the victim I start a calculator on the victim and run the tasklist command in the command line. This command lists every currently running process on the computer, along with its process ID (PID) and how much memory each process is using.

Normal running calc.exe process
Notice how much memory the calc.exe (the calculator) is using: 9,752 KB

After the configuration of Metasploit is finished I run the exploit with the Meterpreter payload. This gives me a shell (a text user interface) to interact with the victim computer. Using this shell I can gather information on the victim computer, for example password hashes, the OS version, user account names, and the processes that are running on the victim.

This shows that Metasploit was successful in exploiting, or hacking, the target.

Right now the rogue program should be sitting in memory as its own process. That can be found pretty easily by a savvy system administrator. Next I take the rogue process and hide it inside a process that is already running on the victim.

On the hacking platform I use Meterpreter to migrate the rogue program into the calculator that is currently running on the victim. After the migration I run tasklist on the victim to see how much memory the calc.exe process is using. It shot up by 3,816 K. This is because extra memory was needed to hold the malicious code that now lives inside calc.exe.

If the system admin knows roughly how much memory each process normally uses, this should raise a red flag. It is one way to see whether a computer has been compromised. But memory usage also fluctuates with ordinary use, so more evidence is needed before making a clear determination that the computer was hacked.

Now that I know something is amiss I check which connections are currently open, or "ESTABLISHED". I use the netstat command on the command line to do this.

I used the -n, -a, and -o options with netstat.
The -n option shows addresses and port numbers in numeric form instead of resolving them to names.
The -a option shows all connections and listening ports, both TCP and UDP.
The -o option shows the process ID (PID) that owns each connection, which is what lets you tie a connection back to a process in the tasklist output.
I filtered netstat's output through the find command (netstat -nao | find "EST"), since I was only looking for "ESTABLISHED" connections. From here I found one connection that is strange. I should not have a connection with a computer at this IP address. Again this requires further investigation. Know thy system. The only way to know if you're compromised is to know what processes and network connections are supposed to be running on your system.
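The two checks above, comparing process memory against a baseline and joining established connections to their owning process, can be scripted instead of eyeballed. The following is an added example, not code from the original post: it parses the text output of tasklist /FO CSV and netstat -nao. Both samples are constructed (only the calc.exe jump from 9,752 K to 13,568 K mirrors the post; the PIDs, the 192.0.2.0/24 addresses standing in for the VMnet1 subnet, and the trusted peer 192.0.2.1 are made up), and the hypothetical allowlist of peers is something you would build from your own knowledge of the system.

```python
import csv
import io
import re

# Constructed sample output of `tasklist /FO CSV`, captured before the intrusion
# (the baseline) and again after Meterpreter migrated into calc.exe.
# Only calc.exe's 9,752 K -> 13,568 K mirrors the post; everything else is made up.
BASELINE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","288 K"
"svchost.exe","712","Services","0","5,120 K"
"explorer.exe","1100","Console","1","28,416 K"
"calc.exe","1234","Console","1","9,752 K"
'''

CURRENT_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","292 K"
"svchost.exe","712","Services","0","5,120 K"
"explorer.exe","1100","Console","1","28,640 K"
"calc.exe","1234","Console","1","13,568 K"
'''

# Constructed sample output of `netstat -nao`. 192.0.2.0/24 (TEST-NET-1) stands in for
# the host-only VMnet1 subnet; 192.0.2.1 is the hypothetical trusted host machine.
NETSTAT_OUTPUT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.129:445        192.0.2.1:49201        ESTABLISHED     4
  TCP    192.0.2.129:49160      192.0.2.128:4444       ESTABLISHED     1234
  UDP    0.0.0.0:500            *:*                                    880
'''


def parse_tasklist_csv(text):
    """Map (image name, PID) -> memory in KB from `tasklist /FO CSV` output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        # "Mem Usage" looks like "9,752 K": keep only the digits
        mem_kb = int(re.sub(r"\D", "", row["Mem Usage"]))
        procs[(row["Image Name"], int(row["PID"]))] = mem_kb
    return procs


def memory_deltas(baseline, current, threshold_kb=1024):
    """Flag processes that are new, or grew by more than threshold_kb, since the baseline."""
    flagged = []
    for key, mem_kb in current.items():
        base = baseline.get(key)
        if base is None:
            flagged.append((key, "new", mem_kb))
        elif mem_kb - base > threshold_kb:
            flagged.append((key, "grew", mem_kb - base))
    return flagged


# One netstat row: proto, local, foreign, optional state (absent for UDP rows), PID
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def established_connections(netstat_text):
    """The scripted equivalent of `netstat -nao | find "EST"`, parsed into dicts."""
    conns = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m or m.group(4) != "ESTABLISHED":
            continue
        proto, local, foreign, _state, pid = m.groups()
        remote_host, remote_port = foreign.rsplit(":", 1)
        conns.append({"proto": proto, "local": local, "remote_host": remote_host,
                      "remote_port": int(remote_port), "pid": int(pid)})
    return conns


def unexpected_connections(conns, allowed_peers, procs):
    """Established connections to peers outside the allowlist, joined to the owning image by PID."""
    pid_to_image = {pid: image for (image, pid) in procs}
    return [dict(c, image=pid_to_image.get(c["pid"], "?"))
            for c in conns if c["remote_host"] not in allowed_peers]


if __name__ == "__main__":
    before = parse_tasklist_csv(BASELINE_TASKLIST)
    after = parse_tasklist_csv(CURRENT_TASKLIST)
    for (image, pid), why, kb in memory_deltas(before, after):
        print(f"{image} (PID {pid}) {why}: {kb} KB")
    for c in unexpected_connections(established_connections(NETSTAT_OUTPUT), {"192.0.2.1"}, after):
        print(f"{c['image']} (PID {c['pid']}) -> {c['remote_host']}:{c['remote_port']}")
```

On the constructed input the script reports calc.exe growing by 3,816 KB and a single established connection from calc.exe to a peer that is not on the allowlist, which is the same pair of findings the manual walkthrough reaches. The allowlist and the baseline tasklist snapshot are the "know thy system" part; the script is only useful if they were taken while the machine was known to be clean.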

After I found the strange connection I decided to check the event logs. First I checked the Security log.

I found a special logon in the logs (Event ID 4672, "Special privileges assigned to new logon"). This should not have happened. So far it's shaping up that this computer has been compromised. Note the time it happened: this is the exact time when the hack hit the victim computer. The time is in system time, by the way. If you're viewing the logs from another computer across time zones, the times are adjusted to your local time. This event happened on 2/3/15 at 5:17:06 PM system time. Keep in mind that 4672 is logged for every logon that receives administrative privileges, including the local SYSTEM account, so on its own it is not proof of intrusion; what matters is a 4672 for an account, or at a time, that you cannot account for.

After finding that event in the Security log I check the System log to see if anything was installed on the computer. I use the time of the first event to search the System log.

I discovered that a service was installed on the system on 2/3/15 at 5:17:07 PM (Event ID 7045, "A service was installed in the system", from the Service Control Manager), only one second after the unauthorized logon. Upon further examination of the log entry I found that the name of the service is a random character string. This is very odd. From this point I would say that this computer is compromised and steps would have to be taken to isolate this machine and eliminate the infection.
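The log evidence above is really a correlation: a privileged logon (4672) in the Security log followed within seconds by a service install (7045) in the System log, where the service name looks machine-generated. The following is an added example, not code from the original post, that performs that correlation over a handful of constructed events. The 5:17:06 PM / 5:17:07 PM pair mirrors the post's timeline; the account name, the service name "MXoqRlwbZjd", the other events, and the KNOWN_SERVICES baseline are made up. In practice the events would come from wevtutil or PowerShell's Get-WinEvent, and the "random-looking name" test is a heuristic, not a rule.

```python
from datetime import datetime, timedelta
import re

# Constructed sample events standing in for what `wevtutil qe Security` / `wevtutil qe System`
# (or Get-WinEvent) would return. Times are the victim's system time, as in the post.
# Only the 17:17:06 -> 17:17:07 pair mirrors the post; everything else is made up.
EVENTS = [
    {"log": "Security", "id": 4672, "time": "2015-02-03 09:00:12", "account": "SYSTEM"},
    {"log": "System",   "id": 7045, "time": "2015-02-03 11:30:00", "service": "Windows Update"},
    {"log": "Security", "id": 4624, "time": "2015-02-03 17:17:06", "account": "Administrator"},
    {"log": "Security", "id": 4672, "time": "2015-02-03 17:17:06", "account": "Administrator"},
    {"log": "System",   "id": 7045, "time": "2015-02-03 17:17:07", "service": "MXoqRlwbZjd"},
]

# Hypothetical baseline of services this host is expected to have; build yours from a clean image.
KNOWN_SERVICES = {"Windows Update", "Spooler", "Dhcp", "wuauserv"}

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def looks_random(name):
    """Heuristic: letters only, at least 6 characters, and the case flips at least three times.
    Tool-generated service names tend to look like this; real ones rarely do."""
    if not re.fullmatch(r"[A-Za-z]{6,}", name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def correlate_logon_and_service_install(events, window=timedelta(seconds=5), known=KNOWN_SERVICES):
    """Pair each 7045 'service installed' event with any 4672 privileged logon
    that happened within `window` before it, and annotate the service name."""
    logons = [e for e in events if e["log"] == "Security" and e["id"] == 4672]
    installs = [e for e in events if e["log"] == "System" and e["id"] == 7045]
    hits = []
    for inst in installs:
        t_inst = datetime.strptime(inst["time"], TIME_FORMAT)
        for lg in logons:
            gap = t_inst - datetime.strptime(lg["time"], TIME_FORMAT)
            if timedelta(0) <= gap <= window:
                hits.append({
                    "account": lg["account"],
                    "logon_time": lg["time"],
                    "service": inst["service"],
                    "install_time": inst["time"],
                    "seconds_after_logon": int(gap.total_seconds()),
                    "unknown_service": inst["service"] not in known,
                    "random_looking": looks_random(inst["service"]),
                })
    return hits


if __name__ == "__main__":
    for h in correlate_logon_and_service_install(EVENTS):
        print(f"{h['logon_time']} logon by {h['account']} -> service '{h['service']}' installed "
              f"{h['seconds_after_logon']}s later (unknown={h['unknown_service']}, "
              f"random_looking={h['random_looking']})")
```

The SYSTEM logon in the morning and the Windows Update service install around midday are left alone because nothing pairs with them inside the window; only the Administrator logon followed one second later by an unknown, random-looking service name is reported. Widen the window if the host is slow, and keep the known-services set current, since a stale baseline produces either noise or silence.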

In this demo I have used the netstat command on the command line, the memory usage of running processes, and the Security and System event logs to discover that something odd was happening on this system. These are just a few of the ways to find out whether a computer has been compromised. The most important thing to note is that you have to know what is running on your system. If you don't, then you do not have a reference to tell whether something is wrong. I hope you enjoyed this post. In the next post I'll be running memory analysis to show what processes are running on a computer. Thanks for reading!
