Forensic Investigations of Web Exploitations Ondrej Krehel, CISSP, CEH, Lifars LLC.

1 Forensic Investigations of Web Exploitations Ondrej Krehel, CISSP, CEH, Lifars LLC

2 What do I do - Digital Firefighters New cyber jobs Page 2

3 Scenario: Case from cyber field
- Web server in the DMZ zone
- Inbound is filtered, however outbound is not
- Server is running an un-patched version of IIS
- Incident occurred?!? Need to confirm it and, if yes, incident response and investigation
- Recorded traffic file is available in pcap format; however, we don't have any logs, neither from the firewall nor from the web server
- We want to know what happened and whether we can find traces of commands as well as malware
- Wireshark analysis will be presented
Page 3

4 Incident by Breach – All time Page 4

5 Web attacks Page 5

6 Cost
- 2011 Second Annual Cost of Cyber Crime Study by the Ponemon Institute
- An average web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300
- Web-borne attacks, malicious code and insiders are the most costly, making up more than 90% of all cybercrime costs per organization per year
- The first published study
Page 6

7 HTTP GET – RFC 2616
GET /home/site_content_3.asp [followed by a long hex-encoded query string; the hex is garbled in this transcript and omitted here]
Page 7

8 HTTP GET Decoded
CAST obfuscated data, after decoding:
trim(convert(varchar,''))+'' '';' from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where and a.xtype='U'and b.xtype=c.xtype and'varchar';set 0);set
Page 8
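As an added example (not code from the presentation): a small Python decoder for the CAST(0x... AS NVARCHAR) hex obfuscation shown in slides 7 and 8, run over a constructed request line. Only the request path is taken from slide 7; the parameter name, the sample statement and the watch-list of catalogue names are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The captured GET hid its SQL in CAST(0x... AS NVARCHAR(...)): the hex digits
# are the bytes of the statement, UTF-16LE for NVARCHAR (hence the 00 between
# characters in the raw capture). Decoder and detector are an added example,
# not code from the presentation.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
# Decoded text containing these catalogue/procedure names is worth a closer look.
WATCH_TERMS = ("sysobjects", "syscolumns", "systypes", "xp_cmdshell")


def decode_hex_sql(hexdigits: str) -> str:
    """Decode CAST() hex: UTF-16LE when every odd byte is NUL padding, else 1 byte/char."""
    raw = bytes.fromhex(hexdigits)
    if len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")  # VARCHAR form: one byte per character


def analyze_request_line(request_line: str) -> dict:
    """Inspect one 'GET /path?query HTTP/1.1' line from a pcap or access log."""
    target = request_line.split()[1]
    query = unquote_plus(urlsplit(target).query)  # undo %20 / + before matching
    decoded = [decode_hex_sql(m.group(1)) for m in HEX_CAST.finditer(query)]
    hits = {t for text in decoded for t in WATCH_TERMS if t in text.lower()}
    return {"decoded": decoded, "hits": sorted(hits)}


# Constructed sample: a statement like the deck's decoded one, encoded the same way.
SAMPLE_SQL = "select a.name from dbo.sysobjects a where a.xtype='U'"
SAMPLE_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper()
SAMPLE_REQUEST = ("GET /home/site_content_3.asp?id=1;CAST(0x" + SAMPLE_HEX
                  + "%20AS%20NVARCHAR(4000)) HTTP/1.1")

if __name__ == "__main__":
    report = analyze_request_line(SAMPLE_REQUEST)
    for text in report["decoded"]:
        print("decoded:", text)
    print("watch terms:", report["hits"])
```

Run it over request lines pulled from the pcap (for example via tcpflow or Wireshark's "Follow TCP Stream") to turn the hex blobs back into the statements the attacker sent.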

9 BeEF exploitation of the victim Page 9

10 Open Source
Review, Tcpdump, Ethereal, Tcpextract, Vomit, Voipong, Chaosreader, NetworkMiner, UCSniff, Xplico
Page 10

11 Open Source
Tcpick, Tcptrace, Tcpflow, Tcpreplay, Ssldump, AIM Sniff, Ettercap, Wireshark, TCPDstat, Kismet
Page 11

12 Open Source
DataEcho, EtherPeg, Driftnet
Good article on how to do it in open source: forensics-appliance-howto
Page 12

13 How to Record
- SPAN port (Switched Port Analyzer) or mirror port
- Can be part of SPAN local or remote VLAN
- Physical tap - TX and RX packets
- Don't use external DNS resolution
- Secure access: use ssh and ssl, segment the network
Page 13

14 Network Forensics
- Commercial Network Forensic Tools: Netwitness Investigator, Niksun NetVCR, WildPackets OmniPeek, Access Data SilentRunner, Guidance Software Encase Enterprise
- Own build - open-source tools, custom signatures: Review, Tcpdump, Ethereal, Tcpextract, Vomit, Voipong, Chaosreader, Tcpick, Tcptrace, Tcpflow, Tcpreplay, Ssldump, AIM Sniff, Ettercap, Xplico, UCSniff, NetworkMiner
- Often integrated in IDS, IPS, HoneyPots: Snort, Kfsensor, Honeyd, Specter
- Losses documentation - NIC, kernel, switch
- Examiner action logging
Page 14

15 Protocol IPv4 Page 15

16 OSI Model Page 16

17 Xplico Page 17

18 Xplico Page 18

19 Chaosreader Page 19

20 Chaosreader Page 20

21 Tips for Businesses
- Establish relationships with vendors before an incident
- Consider subscribing to a Cyber Response or Data Breach program
- Review current layers of protection, and network topology
- Incident Response Plan:
  - Can you recognize the incident?
  - Is evidence properly preserved?
  - Are formalized Incident Response policies in place and tested on an annual basis?
  - Is internal staff properly trained?
Page 21

22 Contacts
Ondrej Krehel, CISSP, CEH, Information Security Officer, Lifars, LLC
Page 22

23 Abbreviations
- C &amp; C – Command and Control Channels
- VOIP – Voice over Internet Protocol
- SQL – Structured Query Language
- MFT – Master File Table
- DNS – Domain Name System
- P2P – Peer-to-peer networks
- UPX – Ultimate Packer for eXecutables
- CAST – Encoding and SQL function
- MRU – Most Recently Used section in Windows registry
- IDS/IPS – Intrusion Detection/Prevention Systems
- LKM – Loadable Kernel Module
- IM – Instant Messaging
- TCP/UDP – Common transfer protocols
Page 23

24 Abbreviations
Hexadecimal Encoding
Page 24
