GT ECE 4112 - ECE 4112 Internetwork Security

ECE 4112 Internetwork Security
Lab: Covering Tracks and Hiding

Group Number: _______________
Member Names: ________________________ ________________________
Date Assigned:
Date Due:
Last Edited: 1/14/2019
Lab Authored By: Group 33 (Fall 2005)
Ecleamus Ricks, Jr. (gtg420s)
Lee Lewis, Jr. (gtg937y)

Goal
This lab addresses the methods attackers use to cover up their malicious operations and the defenses against them.

Summary
In this laboratory you will examine how attackers can hide evidence of their presence by altering and/or deleting event logs. You will also learn how attackers can easily hide and disguise files from system administrators. This laboratory also examines a steganography tool which allows data to be hidden in local files (e.g. image files).

Equipment
Windows XP virtual machine
Red Hat 7.2 virtual machine

Background/Theory
Many attackers enjoy publicizing their successful exploits for various reasons, including boasting to friends or embarrassing their victims. However, far more attackers prefer to keep their activities as discreet as possible in order to maintain long-term access and to stockpile resources for later use. To keep system, network, and security administrators from detecting their presence, attackers alter the event logs to remove records associated with their activities, and hide and disguise files that hold malicious code or stolen data.

Most UNIX system log files are written in standard ASCII and require root privileges for modification. Since logging methods vary between UNIX versions, it is difficult to write a standard log-editing script that works on all of them. The utility syslogd reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file. Outside of the log files, the main accounting files in UNIX are the utmp, wtmp, and lastlog files, which are written in a special binary format. These files cannot be edited directly using a standard editor.

An additional type of accounting/logging of particular concern to attackers is individual users' shell history files. The shell history stores a complete list of all commands entered by the user on the command line. Shell history files are written in plain ASCII as well and can easily be edited in a text editor.

Windows runs an event logging service called EventLog to track all of the activity that takes place while a user is logged onto the computer. The Event Viewer utility allows the user to view the log files produced by EventLog, since they cannot be opened with a standard text editor. The Event Viewer separates the log into three categories: Application, Security, and System. The information associated with these categories is sent to three files: APPEVENT.EVT, SECEVENT.EVT, and SYSEVENT.EVT. SECEVENT.EVT stores security-related events, including failed login attempts and attempts to access files without proper permissions. SYSEVENT.EVT stores events associated with the system's functioning, including the failure of a driver or the inability of a service to start. The APPEVENT.EVT file stores events associated with applications such as databases, Web servers, or user applications.

Steganography enables you to use digital data hiding techniques to hide and encrypt files within other files (carriers) such as picture or sound files. This allows you to encrypt sensitive information while at the same time hiding it in a file that will not look suspicious, so nobody even knows that there is any encrypted information. The carrier files are fully functional and identical to the original files (except for size), so if data was hidden in a picture file, the picture can still be viewed normally.

Lab Scenario
We will be navigating through the log and accounting files on both Windows XP and Red Hat systems, and using a steganography tool that enables data to be masked behind another file type. The Red Hat 7.2 virtual machine will be used to examine the UNIX-based operating system and the Windows XP virtual machine will be used to examine the Windows-based operating system.

1 Altering/Deleting Event Logs

UNIX
As mentioned earlier, most UNIX systems' log files are written in standard ASCII and require root privileges for modification. Since a missing or empty log file would raise a flag to administrators, skilled attackers use their preferred text editor to remove the messages that might reveal their presence (assuming the attacker has root privileges on the system) instead of just deleting the log files. The location of the log files can be found in the syslogd configuration in /etc/syslog.conf.

On the Red Hat 7.2 virtual machine, use a standard text editor of your choice to open syslog.conf.

Q1.1 List the name and location of all the log files included in syslog.conf.

Notice that the majority of the log files are stored in the /var/log/ folder. Navigate to this folder and open the messages log file in a text editor of your choice. Take note of the date and time of the most recent message (if any messages are listed), then close the file. Enter the following command in a terminal window.

# /etc/init.d/xinetd restart

Now open the messages log file again. There should be new lines describing events associated with restarting xinetd.

Q1.2 Copy the lines of the log file that correspond to the restart of xinetd.

Now delete some or all of the lines in the messages file, then save and close the file. Enter the following command in a terminal window.

# /etc/init.d/syslog restart

This command restarts the syslog utility, since editing the log file prevents it from being automatically updated. Now restart inetd or another service that will change the log file. Verify that the new messages appear in the log file along with the old content.

There are three other main accounting files in UNIX (utmp, wtmp, and lastlog) that are written in a special binary format, making them more difficult to edit than the other log files. Try to open the lastlog file (from the /var/log/ folder) with any text editor.

Q1.3 What is displayed when the file is opened?

There are several tools available to read and rewrite the special binary format of these accounting files. One such tool, called wted, is included with the lrk4 rootkit used in the previous lab covering rootkits. Navigate to and copy the wted file to the /bin/ folder.

# cp
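The binary accounting files above are unreadable in a text editor, but their record layout is fixed, so an administrator can parse them and look for signs of rewriting (zeroed-out records, or a record whose timestamp precedes the one before it in an append-only file). The following parser and check are an added example, not part of the lab; it assumes the glibc x86 struct utmp layout (384 bytes per record) and runs on constructed sample records rather than a real wtmp.

```python
import struct

# Assumed glibc/x86 struct utmp layout shared by utmp and wtmp: 384 bytes per record.
# Fields: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6 (4 ints), unused padding.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on this layout
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def parse_wtmp(data):
    """Parse raw utmp/wtmp bytes into one dict per record (trailing partial record ignored)."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        records.append({
            "type": UT_TYPES.get(f[0], str(f[0])),
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],  # ut_tv.tv_sec
        })
    return records


def find_anomalies(records):
    """Flag records an untouched, append-only wtmp would not normally contain."""
    findings = []
    latest = 0
    for i, r in enumerate(records):
        if r["type"] == "EMPTY" and r["time"] == 0 and not r["user"]:
            findings.append((i, "zeroed record"))
        elif r["time"] < latest:
            findings.append((i, "timestamp earlier than previous record"))
        latest = max(latest, r["time"])
    return findings


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct the sample file below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a boot, a login, a record wiped to zeros, then a login
# whose timestamp is earlier than the record before it.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "reboot", "", 1_000_000),
    make_record(7, 1234, "tty1", "alice", "", 1_000_100),
    b"\0" * UTMP_SIZE,
    make_record(7, 1300, "pts/0", "bob", "10.0.0.5", 1_000_050),
])
```

Run `find_anomalies(parse_wtmp(open("/var/log/wtmp", "rb").read()))` on a real system to apply the same checks; records flagged here only warrant a closer look, since a clock change can also produce an out-of-order timestamp.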