1 Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 3: Investigating Web Attacks
2 Objectives
Recognize the indications of a Web attack
Understand the different types of Web attacks
Understand and use Web logs
Investigate Web attacks
Investigate FTP servers
Investigate IIS logs
3 Objectives (continued)
Investigate Web attacks in Windows-based servers
Recognize Web page defacement
Investigate DNS poisoning
Investigate static and dynamic IP addresses
Protect against Web attacks
Use tools for Web attack investigations
4 Introduction to Investigating Web Attacks
This chapter:
Discusses the various types of attacks on Web servers and applications
Covers how to recognize and investigate attacks, what tools attackers use, and how to proactively defend against attacks
5 Indications of a Web Attack
Indications include:
Customers being unable to access any online services (possibly due to a denial-of-service attack)
Correct URLs redirecting to incorrect sites (possible DNS or Web server compromise)
Unusually slow network performance
Frequent rebooting of the server
Anomalies in log files, such as gaps, unexpected entries, or bursts of requests from one address
Error messages such as 500 errors, "internal server error," and "problem processing your request"
7 Cross-Site Scripting (XSS)
Application-layer attack against Web applications
Occurs when a dynamic Web page includes attacker-supplied data in its output without proper encoding, so the attacker's script executes in the victim's browser in the context of the vulnerable site (the code runs in the user's browser, not on the Web server)
XSS attacks can be either stored (the payload is saved by the application and served to later visitors) or reflected (the payload is echoed back from the request that carried it)
Investigating cross-site scripting (XSS)
The attacker's payload usually contains HTML tags such as <script> or <img>
Rather than sending those characters literally, the attacker may URL-encode them (for example %3C for < and %3E for >) to slip past naive filters and to make log entries harder to read
Regular expressions that match both the literal character and its hex-encoded form can be used to detect such payloads in request logs
8 Cross-Site Scripting (XSS) (continued)
Table 3-1 These parts of the expression check for various characters and their hex equivalents
Table 3-2 This regular expression is helpful in catching "<img src" attacks
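As an added example (mine, not the expressions printed in Table 3-1 and Table 3-2), the Python below applies rules in the same spirit to a handful of constructed request lines: each angle bracket is accepted in literal, URL-encoded and HTML-entity form, and every line is also percent-decoded repeatedly so that double encoding (%253C) does not hide the tag either. The request lines, rule names and function names are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not real traffic); the last four hide the
# tag brackets behind URL encoding, double URL encoding and HTML entities.
SAMPLE_REQUESTS = [
    "GET /search?q=hello+world HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /profile?bio=<img src=x onerror=alert(1)> HTTP/1.1",
    "GET /search?q=%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1",
    "GET /page?x=&#60;svg onload=alert(1)&#62; HTTP/1.1",
]

# Each bracket is accepted in literal, URL-encoded (%3C / %3E) and
# HTML-entity (&lt; &#60; &#x3c;) form, so swapping the hex form for the
# literal one does not evade the rule.
LT = r"(?:<|%3c|&lt;|&#0*60;|&#x0*3c;)"
GT = r"(?:>|%3e|&gt;|&#0*62;|&#x0*3e;)"
SLASH = r"(?:/|%2f)"

RULES = {
    # any opening or closing tag: "<", optional "/", a tag name, anything, ">"
    "html_tag": re.compile(LT + SLASH + r"*[a-z0-9%]+[^\r\n]*?" + GT, re.IGNORECASE),
    # the "<img src" family specifically: "<", then i, m, g in literal or hex form
    "img_src": re.compile(LT + r"(?:i|%69)(?:m|%6d)(?:g|%67)[^\r\n]+?" + GT, re.IGNORECASE),
}


def decode_layers(s: str, max_layers: int = 3) -> str:
    """Percent-decode repeatedly until the text stops changing, so a
    double-encoded payload (%253C -> %3C -> <) is exposed; the cap keeps
    hostile input from making the loop run forever."""
    for _ in range(max_layers):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def xss_indicators(request_line: str) -> list:
    """Names of the rules that fire on the raw line or on its decoded form."""
    views = (request_line, decode_layers(request_line))
    return [name for name, rx in RULES.items() if any(rx.search(v) for v in views)]


def scan(lines) -> dict:
    """Map each suspicious line to the rules it triggered; clean lines are omitted."""
    report = {}
    for line in lines:
        hits = xss_indicators(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(hits, line)
```

Rules like these are triage aids, not blocking rules: any form that legitimately accepts HTML will trip them, so a hit means "read this entry", not "this is an attack".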
9 Cross-Site Request Forgery (CSRF)
Attacker causes the victim's browser to submit a request of the attacker's choosing to a Web application where the victim is already authenticated
Attacker crafts a page or form containing the malicious request (for example a hidden, auto-submitting form) and lures the authenticated user to it
The victim's browser submits the request and automatically attaches the victim's session cookie
Because the request arrives with a valid session, the Web server cannot tell it from one the user intended and accepts the data
Pen-testing CSRF validation fields
Check that every state-changing form carries an unpredictable, per-session token and that the server rejects a submission whose token is missing or does not match, before it acts on the request
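The check the last bullet describes, written out as an added example (not code from the book): a synchronizer token bound to the session with an HMAC, verified in constant time before the handler does anything. The secret, session identifiers, handler and form fields are constructed for the example; a real application would load the key from a secret store and add an expiry to the token.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; in practice load it from a secret store.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token placed in the form as a hidden field: a random nonce plus an HMAC over
    (session_id, nonce), so the token is only valid for the session it was issued to."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_cookie: str, form: dict) -> tuple:
    """State-changing handler. The session cookie says who the browser is; the token
    says the form came from a page this application served to that session."""
    if not verify_csrf_token(session_cookie, form.get("csrf_token", "")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo() -> dict:
    """Replay the scenario on the slide: the attacker's form arrives with the victim's
    cookie attached (the browser adds it), but without a token issued to that session."""
    victim_session = "sess-victim-7f3a"                      # constructed session id
    legit_token = issue_csrf_token(victim_session)
    attacker_token = issue_csrf_token("sess-attacker-0c11")  # token from the attacker's own session
    tampered = legit_token[:-1] + ("a" if legit_token[-1] != "a" else "b")
    return {
        "legit": handle_transfer(victim_session, {"amount": "10", "to": "savings", "csrf_token": legit_token}),
        "forged_no_token": handle_transfer(victim_session, {"amount": "5000", "to": "attacker"}),
        "forged_foreign_token": handle_transfer(victim_session, {"amount": "5000", "to": "attacker", "csrf_token": attacker_token}),
        "forged_tampered": handle_transfer(victim_session, {"amount": "5000", "to": "attacker", "csrf_token": tampered}),
    }


if __name__ == "__main__":
    for case, (status, msg) in demo().items():
        print(f"{case:22s} {status} {msg}")
```

When pen-testing, the "forged_no_token" and "forged_foreign_token" cases are exactly what to try by hand: strip the token from a captured request, then substitute one from a second account, and confirm the server answers with a rejection rather than performing the action.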
10 SQL Injection Attacks
Occurs when an attacker passes malicious SQL code to a Web application
Data is placed into an SQL query without being validated for correct formatting or embedded escape strings
Example (classic ASP; the untrusted form value userInput is spliced straight into the query text):
Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText = '" & userInput & "'")
If the attacker supplies userInput = blah' OR '1'='1 the statement becomes
SELECT * FROM myTable WHERE someText = 'blah' OR '1'='1'
The WHERE clause always evaluates as true, so the query returns the entire record set
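The same mistake and its fix, as an added example rather than the book's ASP code, using an in-memory SQLite table constructed to stand in for myTable. The vulnerable function concatenates the input exactly as the slide's statement does; the hardened one binds it as a parameter, so the quote in the payload is data, not syntax. A second payload uses the SQL comment marker "--" to discard the trailing quote, which is also one of the strings worth grepping for when reviewing logs.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table standing in for myTable on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER, someText TEXT, secret TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?, ?)",
                     [(1, "alice", "s1"), (2, "bob", "s2"), (3, "carol", "s3")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Same defect as the ASP line: the input becomes part of the SQL text."""
    sql = "SELECT * FROM myTable WHERE someText = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened form: the input travels as a bound parameter, never as SQL syntax."""
    return conn.execute("SELECT * FROM myTable WHERE someText = ?", (user_input,)).fetchall()


def demo() -> dict:
    """Row counts for a normal value and two injection payloads against both lookups."""
    conn = make_db()
    always_true = "blah' OR '1'='1"   # closes the string, adds an always-true clause
    comment_out = "' OR 1=1 --"       # "--" comments out the quote the application appends
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),
        "vuln_injected": len(lookup_vulnerable(conn, always_true)),
        "vuln_comment": len(lookup_vulnerable(conn, comment_out)),
        "param_normal": len(lookup_parameterized(conn, "alice")),
        "param_injected": len(lookup_parameterized(conn, always_true)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:15s} -> {rows} row(s)")
```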
11 SQL Injection Attacks (continued)
Investigating SQL injection attacks
Locations to look for evidence of SQL injection attacks:
IDS log files
Database server log files (query logs and errors caused by malformed statements)
Web server log files (quotes, comment markers such as --, and UNION or OR 1=1 in request parameters)
12 Code Injection Attack
Similar to an SQL injection attack, but the injected payload is program code or shell commands rather than SQL
Occurs when an application hands user-supplied input to an interpreter (a shell, PHP eval() or include(), and so on) without validation, so the attacker can add shell commands or PHP scripts that the server then executes
Investigating code injection attacks
One detection approach combines an intrusion detection system (IDS) with a set of sandboxed execution environments, provided by the OS, that mirror the protected hosts
The IDS hands the payload of a suspicious packet to the sandbox that matches the packet's destination
The payload is then executed in that monitored environment and its behaviour is observed
13 Parameter Tampering
Figure 3-1 An attacker can change the parameters in a URL to gain unauthorized access.
14 Cookie Poisoning
Attacker modifies the contents of a cookie (for example a user ID, role, or price field) to impersonate another user, steal personal information, or defraud the Web site
Investigating cookie poisoning attacks
An intrusion prevention product, or the application itself, must be able to recognize altered cookies
Record the Set-Cookie headers issued by the Web server
Inspect every HTTP request sent to the Web server and compare the cookie values it carries with the values the server issued; any mismatch indicates tampering
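One way to make that comparison cheap is for the server to sign what it issues, so a cookie that comes back altered fails verification without any stored copy. The following is an added example (not from the book): an HMAC is appended to the cookie fields, and a "role=user" to "role=admin" edit is detected on the way back in. The key, field names and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac

COOKIE_KEY = b"example-key-change-me"   # hypothetical key; use a random key from a secret store


def _mac(payload: bytes) -> str:
    """URL-safe base64 HMAC-SHA256 of the cookie payload."""
    digest = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def set_cookie_value(fields: dict) -> str:
    """Serialize the fields and append the MAC, e.g. 'role=user&uid=42.<mac>'."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return payload.decode() + "." + _mac(payload)


def read_cookie_value(cookie: str):
    """Return the fields if the MAC verifies, otherwise None (tampering detected)."""
    payload, sep, mac = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _mac(payload.encode())):
        return None
    return dict(part.split("=", 1) for part in payload.split("&"))


def detect_poisoning(issued: str, presented: str) -> str:
    """The comparison on the slide: what the server set versus what the client sent back."""
    if presented == issued:
        return "unchanged"
    if read_cookie_value(presented) is None:
        return "tampered (MAC mismatch)"
    return "different but validly signed (re-issued or replayed cookie)"


def demo() -> dict:
    issued = set_cookie_value({"uid": "42", "role": "user"})
    poisoned = issued.replace("role=user", "role=admin")    # the attacker's edit
    return {
        "issued_fields": read_cookie_value(issued),
        "poisoned_fields": read_cookie_value(poisoned),
        "verdict_issued": detect_poisoning(issued, issued),
        "verdict_poisoned": detect_poisoning(issued, poisoned),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The signature gives integrity only: a cookie snooped from the wire or a local proxy still verifies, which is why the next slide's cookie snooping needs HTTPS and the Secure/HttpOnly flags rather than a MAC.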
15 Buffer Overflow
If a program writes more data into a buffer than the buffer can hold, the excess spills into adjacent memory, overwriting or corrupting whatever is stored there (neighbouring variables, saved return addresses, heap metadata)
Detecting buffer overflows
Nebula (NEtwork-based BUffer overfLow Attack detection) detects buffer overflow attacks by inspecting the packets sent to the target service on the network, without making any changes to the end hosts
16 Types of Web Attacks (continued)
Cookie Snooping
Attacker steals a victim's cookies, possibly by running a local proxy or sniffing unencrypted traffic, and uses them to log on as the victim
DMZ Protocol Attack
DMZ (demilitarized zone): semitrusted network zone that separates the untrusted Internet from the company's trusted internal network
To enhance the security of the DMZ and reduce risk, most companies limit the protocols allowed to flow through their DMZ; an attacker who compromises a DMZ host abuses whichever protocols are still permitted to reach the internal network
17 Types of Web Attacks (continued)
Zero-Day Attack
Exploits previously unknown vulnerabilities
Especially dangerous because no patch or signature exists when the attack begins, so preventative measures cannot be taken in advance
Log Tampering
Web applications maintain logs to track the usage patterns of an application
To cover their tracks, attackers will often delete logs, modify logs, change user information, and otherwise destroy evidence of the attack
18 Authentication Hijacking
To identify users, personalize content, and set access levels, many Web applications require users to authenticate
Authentication hijacking can lead to theft of services, session hijacking, user impersonation, disclosure of sensitive information, and privilege escalation
Investigating authentication hijacking
Check whether the Web browser remembers the password
See whether the user forgot to log off after using the application
19 Authentication Hijacking (continued)
Figure 3-2 Authentication tells the Web application the user's identity.
20 Authentication Hijacking (continued)
Figure 3-3 Having applications remember passwords can lead to authentication hijacking.
21 Types of Web Attacks (continued)
Directory Traversal
Often grouped with forceful browsing; occurs when an attacker uses path sequences such as ../ to reach directories and files outside the area the application is meant to expose
Cryptographic Interception
Disclosure of private keys and certificates gives an attacker the ability to read, and modify, a hitherto private communication
An attacker able to intercept cryptographically secured messages can read and modify sensitive, encrypted data
22 Types of Web Attacks (continued)
URL Interpretation Attack
Attacker takes advantage of different methods of text encoding, abusing the way the server interprets a URL
URLs used for this type of attack typically contain special characters that require special syntax handling for interpretation
Impersonation Attack
Attacker spoofs a Web application by pretending to be a legitimate user
The attacker's session arrives over the same port (80 or 443) as normal users, so a port-based firewall does not detect it
23 Overview of Web Logs
Source, nature, and time of an attack can be determined by analyzing the log files of the compromised system
Log entries record HTTP status codes, which help classify what happened to each request
Log security
Web servers running IIS or Apache store their log files on the Web server itself, so any attacker who gains access to the server can delete or alter them
Network logging (forwarding log entries as they are written to a separate, hardened log host) is the preferred method for maintaining the logs securely
24 Overview of Web Logs (continued)
Table 3-3 Status codes are three-digit numbers divided into five categories: 1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error
25 Overview of Web Logs (continued)
Log file information
When investigating log files, the information is stored in a simple format with the following fields:
Time/date
Source IP address
HTTP status code
Requested resource
26 Investigating a Web Attack
Steps:
Analyze the Web server, FTP server, and local system logs to confirm a Web attack
Check log file information
Identify the nature of the attack
Check whether someone is trying to take down the network (for example a denial-of-service attempt)
Localize the source
Use the firewall and IDS logs to identify the source of the attack
Block the attack
Disconnect compromised systems from the network
Begin the investigation from the identified IP address (WHOIS, reverse DNS, owner contact)
27 Investigating a Web Attack (continued)
Example of FTP compromise
Before attempting to compromise FTP, an intruder performs port scanning
After port scanning, the attacker connects to the FTP service
Investigating FTP logs
IIS keeps track of hosts that access the FTP site
In Windows, the first rule is to ensure continuity in the logs (no gaps where logging was stopped)
The second rule is to ensure that logs are not modified in any way after they have been originally recorded
28 Investigating FTP Servers
FTP servers providing service to an internal network are not immune to attack
Administrators should consider establishing access controls including usernames, passwords, and SSL/TLS so that credentials are not sent in clear text
Defensive measures include the following:
Protection of the server file system
Isolation of the FTP directories
Creation of authorization and access control rules
Regular review of logs
Regular review of directory content to detect unauthorized files and usage
29 Investigating IIS Logs
IIS logs every request in log files; on IIS 6 and earlier they are stored under %SystemRoot%\System32\LogFiles (one subfolder per site, for example W3SVC1), and on IIS 7 and later under %SystemDrive%\inetpub\logs\LogFiles
If the client is not behind a proxy, the logged client IP is the client's own address; behind a proxy, only the proxy's address is recorded
The following URL lists the log files:
30 Investigating Apache Logs
Apache has two logs: the error log and the access log
Apache saves diagnostic information and error messages that it encounters while processing requests in the error log
The format of the error log is descriptive free text
Requests processed by Apache are recorded in the access log
By default, the access log is written in the Common Log Format (CLF): client IP, identity, user, timestamp, request line, status code, and bytes sent
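Putting the log fields from slide 25, the status-code categories from Table 3-3, and the "localize the source" step from slide 26 together, here is an added example (not from the book) that parses Common Log Format lines, tallies responses per client address by status category, and flags entries a reviewer would open first. The five log lines are constructed, using documentation address ranges; the field names and helper names are mine.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache access log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php?user=admin\'-- HTTP/1.1" 500 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /../../etc/passwd HTTP/1.1" 404 208',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /..%2F..%2Fetc/passwd HTTP/1.1" 404 208',
    '203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "POST /admin.php HTTP/1.1" 401 -',
]

# host ident user [time] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The five categories from Table 3-3, keyed by the first digit of the status code.
STATUS_CLASSES = {"1": "informational", "2": "success", "3": "redirection",
                  "4": "client error", "5": "server error"}

TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def parse_clf(line: str):
    """Split one CLF line into its fields; returns None for lines that do not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["class"] = STATUS_CLASSES[str(entry["status"])[0]]
    return entry


def suspicious_reasons(entry: dict) -> list:
    """Reasons an entry deserves a closer look; the path is decoded first so
    %2F-encoded traversal is not missed."""
    reasons = []
    if TRAVERSAL_RE.search(unquote(entry["path"])):
        reasons.append("directory traversal")
    if entry["status"] >= 500:
        reasons.append("server error (possible injection or crash)")
    return reasons


def triage(lines):
    """Per-IP counts by status category plus the flagged entries, in log order."""
    per_ip = defaultdict(Counter)
    flagged = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        per_ip[entry["ip"]][entry["class"]] += 1
        for reason in suspicious_reasons(entry):
            flagged.append((entry["ip"], entry["time"], entry["path"], reason))
    return per_ip, flagged


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    for ip, c in counts.items():
        print(ip, dict(c))
    for hit in hits:
        print("FLAG", *hit)
```

The per-IP table is what points the "localize the source" step at an address to run through WHOIS; the flagged list is the starting point for the "identify the nature of the attack" step.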
31 Investigating Web Attacks in Windows-Based Servers
Steps:
Run Event Viewer
Check for suspicious events
Look for a large number of failed logon attempts or locked-out accounts
Look at file shares
Look at which users have open sessions
Look at which sessions the machine has opened with other systems
Look at NetBIOS over TCP/IP activity
Look for unusual listening TCP and UDP ports
32 Investigating Web Attacks in Windows-Based Servers (continued)
Steps: (continued)
Look for unusual scheduled tasks on the local host
Look for new accounts in the Administrators group
Look for unexpected processes by running Task Manager
Look for unusual network services
Check disk space usage for a sudden decrease in free space
33 Web Page Defacement
Unauthorized modification of a Web page is Web page defacement
Requires write-access privileges in the Web server root directory
Web page defacements result from the following:
Weak administrator password
Application misconfiguration
Server misconfiguration
Accidental permission assignment
34 Web Page Defacement (continued)
Figure 3-4 An unsecured Web page can be defaced by hackers.
35 Defacement Using DNS Compromise
An attacker can compromise the authoritative domain name server for a Web site and redirect DNS requests for the site to the attacker's defaced Web site
Investigating DNS poisoning (steps)
Start a packet sniffer, such as Wireshark
Capture DNS packets
Identify the IP address being returned for the domain name and compare it with the address the site's owner expects
Start investigating that IP address: try to determine who owns it and where it is located
Do a WHOIS lookup of the IP address
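The third step, extracting the answer from a captured DNS reply and comparing it with the expected address, as an added example that is not part of the book. It parses the raw UDP payload of a response (the bytes Wireshark shows for the packet), following name-compression pointers with a hop limit so a malformed packet cannot loop the parser, and reports any A record that does not match the owner's address list. The two packets are constructed here with a small builder; the addresses and domain are documentation values, not real hosts.

```python
import socket
import struct

MAX_POINTER_HOPS = 16   # guard against pointer loops in hostile packets


def read_name(data: bytes, offset: int):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 s4.1.4).
    Returns (name, offset after the name in the original byte stream)."""
    labels, hops, end = [], 0, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                        # pointer: two bytes, top bits 11
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                         # stream resumes after the first pointer
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(data: bytes):
    """Return (transaction id, flags, [(name, ipv4, ttl), ...]) from a DNS response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                             # skip the question section
        _, offset = read_name(data, offset)
        offset += 4                                      # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:    # A record, class IN
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return txid, flags, records


def unexpected_answers(data: bytes, expected_ips) -> list:
    """The comparison from the slide: answers whose address the site owner does not recognize."""
    _, _, records = parse_a_records(data)
    return [r for r in records if r[1] not in expected_ips]


# --- constructed test packets (what Wireshark would show as the UDP payload) ---
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.rstrip(".").split(".")) + b"\x00"


def build_response(txid: int, qname: str, answers) -> bytes:
    """Minimal standard response: one A question, answers as (ip, ttl) with names
    compressed to the question (pointer 0xC00C = offset 12)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ip, ttl in answers)
    return header + question + rrs


LEGIT = build_response(0x1234, "www.example.com", [("192.0.2.10", 300)])
POISONED = build_response(0x1234, "www.example.com", [("198.51.100.66", 86400)])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT), ("poisoned", POISONED)):
        print(label, parse_a_records(pkt)[2], "unexpected:", unexpected_answers(pkt, {"192.0.2.10"}))
```

Each unexpected address is the input to the next two steps on the slide: a WHOIS lookup of that IP and a check of who operates it. A much longer TTL than the owner's zone normally uses, as in the constructed poisoned reply, is a common tell that the answer was planted.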
37 Intrusion Detection (continued)
Figure 3-6 A NIDS thoroughly analyzes all network traffic.
38 Security Strategies for Web Applications
Strategies include:
Respond quickly to vulnerabilities
Fix known vulnerabilities promptly once they are detected
Pen-test the applications
Monitor for attacks with IDS and IPS tools
Improve awareness of good security practice
39 Investigating Static and Dynamic IP Addresses
For dynamic addresses, the DHCP server's log file records which IP address was leased to which host (by hardware address) at what time, so an address seen in the Web logs can be tied back to a machine
A static IP address of a particular host can be traced with tools such as Nslookup, WHOIS (including the ARIN registry), Traceroute, and NeoTrace
40 Checklist for Web Security
Checklist items include:
Make sure user accounts do not have weak or missing passwords
Block unused open ports
Check for the various Web attacks described in this chapter
Check whether an IDS or IPS is deployed
Use a vulnerability scanner to look for possible intrusion points
Test the Web site to check whether it can handle large loads and SSL (if it is an e-commerce Web site)
Document the list of techniques, devices, policies, and necessary steps for security
41 Statistics
Figure 3-7 This table shows the reported instances of various types of Web attacks.
42 Statistics (continued)
Figure 3-8 This table shows the number of reported defacements of several types of Web servers.
43 Statistics (continued)
Figure 3-9 This table shows the total number of Web site defacements every year on both Linux and Windows.
44 Tools for Web Attack Investigations
Server Log Analysis
Analyzes server logs, resolving IP addresses into domain names with the help of httpdanalyse.c
Mapper
Helps to map the files, file parameters, and values of any site
72 WHOIS
Figure 3-36 WHOIS can provide a wealth of information about a domain.
73 Hide Real IP
Figure 3-37 Hide Real IP hides the user's IP address.
74 Figure 3-38 whatismyip.com shows a computer's external IP address.
75 IP Detective Suite
Figure 3-39 IP Detective reports any changes in IP addresses.
76 Enterprise IP-Address Manager
Figure 3-40 Enterprise IP-Address Manager assigns IP addresses.
77 Whois Lookup
Figure 3-41 Whois Lookup is an online WHOIS tool.
78 SmartWhois
Figure 3-42 SmartWhois integrates with programs like Internet Explorer and Outlook.
79 ActiveWhois
Figure 3-43 ActiveWhois has a Web-like interface for viewing results.
80 LanWhoIs
Figure 3-44 LanWhoIs saves its results in HTML files.
81 CountryWhois
Figure 3-45 CountryWhois is focused on determining the locations of IP addresses.
82 IP2country
Figure 3-46 IP2country gives the physical location of an IP address.
83 CallerIP
Figure 3-47 CallerIP identifies the IP addresses connected to the user's system.
84 Whois.Net
Figure 3-48 Whois.Net is another online WHOIS tool.
85 Other Tools
UV Uptime Website Defacement Detector
Checks Web sites periodically and reports to the user immediately if there are unauthorized changes
Available for enterprise URLs
CounterStorm-1
Suite of network security appliances that automatically detects and stops attacks within seconds
86 WebAgain
Figure 3-49 WebAgain monitors Web sites for unauthorized changes and restores the sites to their original forms.
87 Pandora FMS
Figure 3-50 Pandora FMS monitors any kind of TCP/IP service.
88 Summary
Cross-site scripting (XSS; the older abbreviation CSS is avoided because it collides with Cascading Style Sheets) is an application-layer hacking technique
SQL injection involves passing SQL code not created by the developer into an application
Cookie poisoning is the process of tampering with the values stored in cookies
The source, nature, and time of an attack can be determined by analyzing the log files of the compromised system
89 Summary (continued)
FTP server vulnerabilities allow an attacker to directly compromise the system hosting the FTP server
Web page defacement requires write-access privileges in the Web server root directory
Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity