February 2016 Meeting. Web Defacement and Spear Phishing.


1 February 2016 Meeting

2 Web Defacement and Spear Phishing

3 Objectives
Going through a scenario from a Capture the Flag event
Using all available data and tools from a Security Onion image
Demonstrate some techniques to reverse engineer the attack
Discuss common avenues during web defacement/spear phishing
Tools used:
–Wireshark
–Network Miner
–Tshark
–StreamCarver
–Argus
–Js-Didier (SpiderMonkey)
–Security Onion
–Kali Linux

4 About the Presenter
Name: Christopher Davis
Experience:
–7 years in IT, 3 of which in security
–DOD/Military
–Healthcare
–IT Contractor
Works for UPS as an Info-Sec Analyst.
www.github.com/chrisjd20
Email: christopherdavis@ups.com

5 Challenge Questions
VM/Write-up available here:
–http://bit.ly/1JZDIIL
–http://bit.ly/1NmyNfW
You will need Oracle VirtualBox to play the virtual machine.
–We will be covering two incidents (Web defacement, Spear Phishing)
–I’ll present each question, my answer and how I came up with it
–There is more than one way to do this and probably more efficient ways
–If you’d like to do this yourself, you may want to leave
–I could be wrong or inaccurate

6 Incident 1
A Linux web server “www.pwned.se” (192.168.0.2) has been defaced. The hacking team Frog Squad has claimed responsibility for the defacement, which took place on Mar 12, 2015. The systems administrator has told you the defacement was a file named fr.jpg. You have been asked to investigate how the files got on the box and whatever else may have happened. You are given an image of the Security Onion IDS that was monitoring all of the traffic. You can use all tools at your disposal and within the VM.

7 Let’s start with the Leading Question
1. What IP address did the attackers use?
-Let’s start with what we know:
-They uploaded fr.jpg
-The web server is pwned.se with an IP of 192.168.0.2
-Let’s do a ‘frame contains fr.jpg’ in Wireshark.
Attacker IP is: 217.195.49.146

8 What I typically do next
With my leading information:
–Attacker 217.195.49.146
–Web server 192.168.0.2
I can use streamcarver to dump the entire conversation.
–More efficient than manually viewing multiple streams in Wireshark
–Requires specific Wireshark filters
–Not good for encrypted traffic
–Puts it in near-chronological order
–Carves out HTTP files
./streamcarver.py -r ../1.0.pcap -Y "ip.addr == 192.168.0.2 and ip.addr == 217.195.49.146" -p tcp -w ../1.0.dump

9 Questions/Answers 1.2-1.5
Using the dump from streamcarver, let’s answer the remaining questions.
1.2 What type of OS is the compromised server possibly running?
1.3 What type of Content Management Server is being used?
1.4 What is the CVE for the vulnerability? CVE-2014-1683
1.5 How did the attacker get the fr.jpg file to the webserver?

10 Questions/Answers 1.6-1.7
1.6 - What is Ned’s UID?
1.7 Show how the web page looked after the defacement
Before

11 Question/Answer 1.8
1.8 – FrogSquad placed a webshell (PHP backdoor) named cm0.php. List all commands sent using the cm0 backdoor.
We could manually copy and paste each command we saw from the dump, or use tshark for efficiency:
tshark -r 1.0.pcap -Y "http and frame contains cm0.php" -T fields -e http.request.full_uri
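The tshark command above prints one request URI per line; turning that into a readable command history still means URL-decoding each query string by hand. The following is an added example (not code from the presentation or the CTF) that does the decoding in Python over constructed sample URIs of the kind tshark would print. The parameter name "cmd" is an assumption; the slide does not say which query parameter cm0.php reads.

```python
"""Reconstruct the command sequence sent to a PHP webshell from HTTP request URIs.

Added example: consumes output shaped like
`tshark ... -T fields -e http.request.full_uri` and URL-decodes the command
parameter so an analyst gets the attacker's commands in request order.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what tshark might print for the cm0.php traffic (not real capture data).
SAMPLE_URIS = """\
http://www.pwned.se/cm0.php?cmd=id
http://www.pwned.se/cm0.php?cmd=uname%20-a
http://www.pwned.se/favicon.ico
http://www.pwned.se/cm0.php?cmd=cat%20%2Fetc%2Fpasswd
http://www.pwned.se/cm0.php
http://www.pwned.se/cm0.php?cmd=ls%20-la%20%2Fvar%2Fwww
"""

WEBSHELL = "cm0.php"
CMD_PARAM = "cmd"  # assumption: the query parameter that carries the command


def extract_commands(uri_lines: str, shell_name: str = WEBSHELL, param: str = CMD_PARAM) -> list[str]:
    """Return decoded commands, in request order, for URIs whose path is the webshell."""
    commands = []
    for line in uri_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        # Match on the path so other objects served alongside (favicon, images) are skipped.
        if not parts.path.endswith("/" + shell_name):
            continue
        # parse_qsl undoes %XX and '+' encoding; keep_blank_values keeps an empty 'cmd=' visible.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == param:
                commands.append(value)
    return commands


def main() -> None:
    for n, cmd in enumerate(extract_commands(SAMPLE_URIS), 1):
        print(f"{n:3d}  {cmd}")


if __name__ == "__main__":
    main()
```

Requests to cm0.php with no query string produce no entry, so the list is exactly the commands the attacker issued, in order, ready to drop into the incident timeline.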

12 Questions/Answers 1.9-1.10
1.9 - What text was contained in the HTTP comment for the PHP webshell?
1.10 - Did FrogSquad come back at a later time from the same class C IP network?
We can use Argus netflow data to determine this:
rafilteraddr -R * -v -f /usr/local/etc/ip_whitelist.txt -w - -- src net 217.0.0.0/8 and dst host 192.168.0.2 | racluster -w - | rasort -m dbytes -n | head

13 Incident Timeline 1
http://bit.ly/20prkWy
http://bit.ly/1nk0alo
https://timeline.knightlab.com/

14 Questions for Incident 1?

15 Incident 2
Ned was the victim of a spear phishing attack which resulted in his system being infected with CryptoLocker. Using the same Security Onion IDS VM image and any tools at your disposal, determine how this happened.

16 Question/Answer 2.1
2.1 - From which three IPs were the largest downloads made by Ned's computer (192.168.0.53)? Tip: disregard downloads from Microsoft/Google/Facebook/Akamai and other common domains using /usr/local/bin/ip_whitelist.py
Once again, Argus netflow data is perfect for this task:
rafilteraddr -R * -v -f /usr/local/etc/ip_whitelist.txt -w - -- src host 192.168.0.53 and not dst net 192.168.0.0/16 | racluster -w - | rasort -m dbytes -n | head
ip.addr == 193.9.28.35 or ip.addr == 148.251.80.172 or ip.addr == 68.164.182.11
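Both Argus pipelines on slides 12 and 16 do the same three things: drop flows to whitelisted networks (rafilteraddr -v -f), aggregate bytes per destination (racluster), and rank by dbytes (rasort | head); question 1.10 then adds a "same class C" comparison. The block below is an added example in plain Python that makes those steps explicit so the pipeline can be read and checked; it is not Argus code and the flow records, whitelist and CDN address are constructed (TEST-NET ranges), with only the three IPs from the slide's answer reused.

```python
"""Top talkers from NetFlow-style records with a whitelist, plus a /24 check.

Added example: reimplements what the slide's
`rafilteraddr -v -f whitelist | racluster | rasort -m dbytes -n | head`
pipeline does, over constructed records, and adds question 1.10's
"same class C network" test.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records: (src_ip, dst_ip, dbytes = bytes sent by dst back to src).
SAMPLE_FLOWS = [
    ("192.168.0.53", "203.0.113.10",   5_200_000),  # constructed CDN host, whitelisted below
    ("192.168.0.53", "193.9.28.35",      412_000),
    ("192.168.0.53", "148.251.80.172",   388_000),
    ("192.168.0.53", "68.164.182.11",    350_000),
    ("192.168.0.53", "68.164.182.11",     40_000),  # second session to the same host
    ("192.168.0.53", "192.168.0.2",    9_000_000),  # internal server, excluded by the caller
    ("192.168.0.53", "198.51.100.5",         900),  # constructed, whitelisted
]

# Constructed whitelist in the one-CIDR-per-line style of ip_whitelist.txt.
SAMPLE_WHITELIST = """\
203.0.113.0/24
198.51.100.0/24
"""


def load_whitelist(text: str) -> list:
    """Parse a CIDR-per-line whitelist file into network objects."""
    return [ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def top_destinations(flows, src: str, whitelist, exclude=(), top: int = 3) -> list:
    """Rank destination hosts by total dbytes for one source host.

    whitelist: networks to drop (rafilteraddr -v -f);
    exclude:   extra CIDRs to drop, e.g. the local /16 from 'not dst net 192.168.0.0/16';
    top:       how many rows to keep, like `head`.
    """
    drop = list(whitelist) + [ip_network(n) for n in exclude]
    totals = defaultdict(int)
    for s, d, dbytes in flows:
        if s != src:
            continue
        if any(ip_address(d) in net for net in drop):
            continue
        totals[d] += dbytes  # racluster: merge all flows to the same destination
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


def same_class_c(ip_a: str, ip_b: str) -> bool:
    """True when both addresses sit in the same /24 (the 'same class C' of question 1.10)."""
    return ip_network(f"{ip_a}/24", strict=False) == ip_network(f"{ip_b}/24", strict=False)


def main() -> None:
    ranked = top_destinations(SAMPLE_FLOWS, "192.168.0.53",
                              load_whitelist(SAMPLE_WHITELIST), exclude=["192.168.0.0/16"])
    for dst, dbytes in ranked:
        print(f"{dst:16s} {dbytes:>10,d}")
    print(same_class_c("217.195.49.146", "217.195.49.20"))


if __name__ == "__main__":
    main()
```

Note that the two sessions to 68.164.182.11 are merged before ranking, which is why aggregating before sorting matters: ranked per flow, the host would drop below 148.251.80.172.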

17 Question/Answer 2.2
2.2 - Are the files downloaded from www.mybusinessdoc.com (68.164.182.11) malicious? Present the VirusTotal output.
Carve the capture a little smaller so that it is easier to deal with:
–tcpdump -nnr 2.0Fixed.pcap -w ./carved.pcap host 192.168.0.53 and host 68.164.182.11
–Wireshark -> Export -> HTTP -> save as dump
–https://www.virustotal.com/en/file/761cbbcccbe61a02c6360490b490d7e04560db2fc313ac886de1a36c7a74d9f7/analysis/
–https://www.virustotal.com/en/file/daf4d96a121c9e4935082d4e0264088ff352f14d868f8720d8fa7e4f99c82f05/analysis/
–https://www.virustotal.com/en/file/196c186b05ce2cb0f964080823d22a5f4c999e3270fd3b475068c5130dc7fd50/analysis/

18 Question/Answer 2.3
2.3 Does the HTML page downloaded from 193.9.28.35 look legitimate?
Once again, we can carve it smaller and then export the page:
tcpdump -nnr 2.0Fixed.pcap -w ./carved.pcap host 192.168.0.53 and host 193.9.28.35
Then we run it through Network Miner (Wireshark fails to carve this properly).

19 Question/Answer 2.4
2.4 - Did the download from 1.webcounter.info (148.251.80.172) use HTTP, SSL or something else?
Let’s look at the conversation in Wireshark:
ip.addr == 148.251.80.172 and ip.addr == 192.168.0.53

20 Question/Answer 2.5
2.5 - Forensics of Ned's computer (192.168.0.53) indicates that the first infection came from "Delivery_Notification_00000529832.zip", on 2015-04-07. How was this delivered to Ned’s computer?
–frame contains 832.zip
–Follow the first stream -> find 832.zip
–Copy and then paste via nano into a file (dump into Notepad first)
–cat base64.txt | base64 -d > doc.zip
–unzip the file to get the JavaScript
This was delivered via email over POP3 (TCP port 110).
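The copy-into-nano, base64 -d, unzip sequence above is what an analyst does when the message is carved out of the POP3 stream by hand. The block below is an added example (not from the presentation, and the attachment is a harmless synthetic stand-in, not the real sample) that builds a MIME message shaped like the one described, then parses it the way the carved message would be parsed: decode every attachment, hash it for a VirusTotal lookup, list the zip contents and flag the .doc.js double extension that question 2.6 names. The sender and recipient addresses are constructed.

```python
"""Pull a base64 attachment out of a captured mail message and inspect it.

Added example: constructs a POP3-style MIME message with a zipped .js
attachment (synthetic content), then decodes, hashes and inspects the
attachment as an analyst would after carving the message from a pcap.
"""
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ATTACHMENT_NAME = "Delivery_Notification_00000529832.zip"
INNER_NAME = "Delivery_Notification_00000529832.doc.js"
# Constructed, harmless placeholder standing in for the downloader script.
INNER_CONTENT = b"// synthetic placeholder, not the real sample\nvar x = 1;\n"

# Script-type extensions that should never arrive as a "document".
SUSPICIOUS_EXTS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe"}


def build_sample_message() -> bytes:
    """Construct the sample message; the email package base64-encodes the attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(INNER_NAME, INNER_CONTENT)
    msg = EmailMessage()
    msg["From"] = "notifications@example.invalid"  # constructed sender
    msg["To"] = "ned@example.invalid"              # constructed recipient
    msg["Subject"] = "Delivery Notification"
    msg.set_content("Your parcel could not be delivered. See the attached notice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=ATTACHMENT_NAME)
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> list[tuple[str, bytes]]:
    """Return (filename, decoded bytes) for each attachment part; this replaces `base64 -d`."""
    msg = message_from_bytes(raw)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        found.append((part.get_filename(), part.get_payload(decode=True)))
    return found


def analyse_zip(data: bytes) -> dict:
    """Hash the attachment (for a VirusTotal lookup) and list members, flagging script files."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "members": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            report["members"].append(name)
            ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
            # "x.doc.js" ends in .js: a script hiding behind a document-looking extension.
            if ext in SUSPICIOUS_EXTS:
                report["suspicious"].append(name)
    return report


def main() -> None:
    for filename, data in extract_attachments(build_sample_message()):
        report = analyse_zip(data)
        print(filename, report["sha256"])
        for member in report["members"]:
            flag = "  <-- script file inside the archive" if member in report["suspicious"] else ""
            print("   ", member + flag)


if __name__ == "__main__":
    main()
```

Only the SHA-256 leaves the analyst's machine when it is looked up on VirusTotal, which is the same workflow slide 17 follows with the three hashes it lists.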

21 Answers/Questions 2.6-2.7
2.6 - Deobfuscate the JavaScript in Delivery_Notification_00000529832.doc.js. Where does this download additional malware from?
-REMnux has a version of SpiderMonkey that can do this, called js-Didier.
mybusinessdoc.com 68.164.182.11 and nursealarmsystems.com 216.47.227.188 and carina-pairs-hotel.com 209.59.156.160

22 Incident Timeline – April 7, 2015
Ned’s computer (192.168.0.53) downloads the spear phishing email
–Contains malware that downloads more malware.
Malware is downloaded from mybusinessdoc.com and others
–CryptoLocker is downloaded and encrypts Ned’s machine
Ned’s machine is pwned.

23 Questions?

